[iwar] [fc:]

From: Fred Cohen (fc@all.net)
Date: 2001-12-29 13:13:53


To: iwar@onelist.com (Information Warfare Mailing List)
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com

Why Worm Writers Stay Free
By Michelle Delio WIRED MAGAZINE
2:00 a.m. Dec. 27, 2001 PST

Virus writers often act as if the Internet, the most public forum in the world, 
is their very own private playground.

Law enforcement officials are amused and amazed by the many virus writers who carefully 
include identifying comments or credits in their code, and who often are found bragging 
about their skills and latest creations in newsgroups or on Internet Relay Chat channels.

"Cyber criminals are like idiot Hansel and Gretels, scattering electronic breadcrumbs 
that lead straight to them," said retired New York City detective Pete Angonasta. 
"You just don't see this sort of behavior in other criminals. I've never seen a burglar 
leaving cute notes crediting the crime to himself. And I've never run across a burglar 
who puts up a self-promotional website or goes into a chat room to discuss the night's 
activities."

But their high profiles seemingly do not make virus writers easier to apprehend. 
Virtually all captured coders either confessed or were arrested only after techies 
discovered their identities and informed authorities.

Overworked and under-funded law enforcement officials rely heavily on tips from 
computer security experts to identify virus writers. But many computer experts are 
now too busy scrambling to survive in a tight economy to play cybersleuth. Providing 
products that protect against security holes and viruses can be a profitable business, 
but discovering the identities of virus writers is always charity work.

So even though many viruses do contain laughably clear clues that could lead law 
enforcement agents directly to their writers, the authors of such electronic evils 
as Code Red, Nimda and SirCam probably won't be caught unless a curious geek with 
some spare time decides to do a good deed and track down the worm writers.

The latest busted worm writers are four Israeli teenagers who have confessed to 
creating the Goner worm.

According to credits in its code, Goner was called "Pentagone" by its creators. 
Israeli newspaper Ha'aretz Daily reported that DALnet IRC network administrators 
quickly discovered the virus writers chatting on a channel that the teenagers had 
cleverly named "Pentagone" and turned over the information to Israeli police.

"Security people often run a search on the clues in a virus' code. The Pentagone 
channel was pretty easy to find and people were soon in there calling these guys 
idiots and assholes," said Sam Silverman, a systems administrator who checked the 
channel to find out more about the worm. "They admitted they wrote the worm, but 
said they didn't expect it to spread so far and fast."

Jan de Wit, author of the Anna Kournikova worm, also said that he watched in growing 
alarm as the worm he released spread wildly on hard drives around the world. Hours 
after he released the worm, and shortly after releasing a PR statement on his website, 
de Wit turned himself in to local police.

Onel de Guzman, the suspected author of the Love Bug, was caught when a teacher 
at the AMA Computer College in Manila realized that the worm was remarkably similar 
to a thesis project submitted by a student who dropped out after the thesis was rejected.

The teacher contacted local authorities who, thanks to a tip from a group of cybersleuths, 
had already narrowed their search to AMA.

"I know it looks like the feds are slacking off and waiting for these guys to be 
delivered to them, but it's the same with any crime," detective Angonasta said. "Despite 
the popular image of detectives cleverly ferreting out suspects, most cases -- from 
murder to mugging -- are solved because someone was really stupid and someone else 
noticed and told us about it. Detectives don't discover information as much as we 
collate it."

Debra Weierman of the FBI's National Infrastructure Protection Center acknowledged 
that the NIPC works with thousands of computer security people around the world to 
track down worm writers, an activity she likens to "assembling a complex jigsaw puzzle."

Weierman also said the FBI and other law enforcement agencies specifically ask computer 
users to report incidences of viruses to them, so that agents can track the origin 
and spread of the code.

But few users report viruses to the NIPC, said Weierman, who assumes that businesses 
are afraid of bad publicity, and home users think that a single computer virus doesn't 
merit contacting the FBI.

Some law enforcement officers also said that while viruses aren't considered to 
be a trivial problem, they aren't highest on the list of crime concerns either.

"Essentially, unless someone hands the smoking gun to the police, they normally 
won't go out and try to find these (virus writers) unless they do a lot of damage," 
said Ian McCormick from the Canadian Police Information Centre. "Cybercrime squads 
are spread thin and are often mandated to follow up on issues like computer fraud 
crimes or kiddie porn traders rather than virus writers."

Some security experts feel that law enforcement needs to begin taking virus writing 
far more seriously.

"We need to do this, if for no other reason than to show it's possible (to track 
virus writers)," Russ Cooper, editor of security news list NTBugtraq, said.

"Forget that it may be problematic to extradite the individual, or that they may 
be young, or claim to be doing 'research.' We need to catch them, and place them 
in a position whereby they are seen for what they are -- a terrorist," Cooper said. 
"The cost to our businesses, not to mention our way of life, is simply too high to 
not pursue these individuals."

But even when writers are caught and brought to trial, the legal system often doesn't 
know what to do with them.

De Guzman was released because the Philippine government had no laws specifically 
dealing with computer crime, and was unable to develop a case against him.

De Wit was found guilty at his trial, and was ordered to serve 150 hours of community 
service. He was also offered a job managing his hometown's computer systems by the 
mayor.

David Smith, author of the Melissa virus, pleaded guilty in December 1999 and still 
hasn't been sentenced. Six court dates have come and gone, and Smith remains out 
on $100,000 bail. His lawyer, Edward Borden, did not return calls requesting comment.

"We're sending a mixed message," Graham Cluley, senior technology consultant for 
Sophos Anti-Virus, said. "On the one hand, we say virus writing is a crime; on the 
other, we don't really pursue it. These guys get fame, and often even job offers, 
after releasing a virus. We have to send a consistent message that virus writing 
is not a good thing, before it totally spirals out of control."

Love Bug, AnnaK and Melissa were coded to spread quickly, but did no physical damage 
to systems. But over the past year, nastier worms like Nimda and Code Red have opened 
infected systems to attack by malicious hackers.

The coders of the more malicious worms rarely leave clear clues in their code. But 
security experts like Richard Smith, who was instrumental in tracking down the authors 
of the Love Bug and Melissa, said it's not impossible to track down more surreptitious 
worm writers.

"But it wouldn't be easy," said Smith. "For Code Red and Nimda, you'd probably need 
to examine the server logs of infected computers to track all the way back to where 
the worm started. You'd need to find out who got it first, and from where. It would 
be a horrendous job."

SirCam, the e-mail virus that clogged networks this summer, might be easier to track.

SirCam contains this text in its code: "SirCam Version 1.0 Copyright 2001 2rP Made 
in / Hecho en - Cuitzeo, Michoacan Mexico."

Smith has a hunch that the author of SirCam is or was in Cuitzeo, and is probably 
a student. Cuitzeo is located 16 miles from Morelia City, which boasts a large university.

The NIPC's Weierman said that all leads are being pursued.


http://www.wired.com/news/politics/0,1283,49313,00.html


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2001-12-31 21:00:00 PST