* via http://theMezz.com/lists

* subscribe at http://techPolice.com

Why Worm Writers Stay Free
By Michelle Delio WIRED MAGAZINE
2:00 a.m. Dec. 27, 2001 PST

Virus writers often act as if the Internet, the most public forum in the world, is 
their very own private playground.

Law enforcement officials are amused and amazed by the many virus writers who 
carefully include identifying comments or credits in their code, and who often are 
found bragging about their skills and latest creations in newsgroups or on Internet 
Relay Chat channels.

"Cyber criminals are like idiot Hansel and Gretels, scattering electronic breadcrumbs 
that lead straight to them," said retired New York City detective Pete Angonasta. "You 
just don't see this sort of behavior in other criminals. I've never seen a burglar 
leaving cute notes crediting the crime to himself. And I've never run across a burglar 
who puts up a self-promotional website or goes into a chat room to discuss the night's 

But their high profiles seemingly do not make virus writers easier to apprehend. 
Virtually all captured coders either confessed or were arrested only after techies 
discovered their identities and informed authorities.

Overworked and under-funded law enforcement officials rely heavily on tips from 
computer security experts to identify virus writers. But many computer experts are now 
too busy scrambling to survive in a tight economy to play cybersleuth. Providing 
products that protect against security holes and viruses can be a profitable business, 
but discovering the identities of virus writers is always charity work.

So even though many viruses do contain laughably clear clues that could lead law 
enforcement agents directly to their writers, the authors of such electronic evils as 
Code Red, Nimda and SirCam probably won't be caught unless a curious geek with some 
spare time decides to do a good deed and track down the worm writers.

The latest busted worm writers are four Israeli teenagers who have confessed to 
creating the Goner worm.

According to credits in its code, Goner was called "Pentagone" by its creators. 
Israeli newspaper Ha'aretz Daily reported that DALnet IRC network administrators 
quickly discovered the virus writers chatting on a channel that the teenagers had 
cleverly named "Pentagone" and turned over the information to Israeli police.

"Security people often run a search on the clues in a virus' code. The Pentagone 
channel was pretty easy to find and people were soon in there calling these guys 
idiots and assholes," said Sam Silverman, a systems administrator who checked the 
channel to find out more about the worm. "They admitted they wrote the worm, but said 
they didn't expect it to spread so far and fast."

Jan de Wit, author of the Anna Kournikova worm, also said that he watched in growing 
alarm as the worm he released spread wildly on hard drives around the world. Hours 
after he released the worm, and shortly after releasing a PR statement on his website, 
de Wit turned himself in to local police.

Onel de Guzman, the suspected author of the Love Bug, was caught when a teacher at the 
AMA Computer College in Manila realized that the worm was remarkably similar to a 
thesis project submitted by a student who dropped out after the thesis was rejected.

The teacher contacted local authorities who, thanks to a tip from a group of 
cybersleuths, had already narrowed their search to AMA.

"I know it looks like the feds are slacking off and waiting for these guys to be 
delivered to them, but it's the same with any crime," detective Angonasta said. 
"Despite the popular image of detectives cleverly ferreting out suspects, most cases 
-- from murder to mugging -- are solved because someone was really stupid and someone 
else noticed and told us about it. Detectives don't discover information as much as we 
collate it."

Debra Weierman of the FBI's National Infrastructure Protection Center acknowledged 
that the NIPC works with thousands of computer security people around the world to 
track down worm writers, an activity she likens to "assembling a complex jigsaw 

Weierman also said the FBI and other law enforcement agencies specifically ask 
computer users to report incidences of viruses to them, so that agents can track the 
origin and spread of the code.

But few users report viruses to the NIPC, said Weierman, who assumes that businesses 
are afraid of bad publicity, and home users think that a single computer virus doesn't 
merit contacting the FBI.

Some law enforcement officers also said that while viruses aren't considered to be a 
trivial problem, they aren't highest on the list of crime concerns either.

"Essentially, unless someone hands the smoking gun to the police, they normally won't 
go out and try to find these (virus writers) unless they do a lot of damage," said Ian 
McCormick from the Canadian Police Information Centre. "Cybercrime squads are spread 
thin and are often mandated to follow up on issues like computer fraud crimes or 
kiddie porn traders rather than virus writers."

Some security experts feel that law enforcement needs to begin taking virus writing 
far more seriously.

"We need to do this, if for no other reason than to show it's possible (to track virus 
writers)," Russ Cooper, editor of security news list NTBugtraq, said.

"Forget that it may be problematic to extradite the individual, or that they may be 
young, or claim to be doing 'research.' We need to catch them, and place them in a 
position whereby they are seen for what they are -- a terrorist," Cooper said. "The 
cost to our businesses, not to mention our way of life, is simply too high to not 
pursue these individuals."

But even when writers are caught and brought to trial, the legal system often doesn't 
know what to do with them.

De Guzman was released because the Philippine government had no laws specifically 
dealing with computer crime, and was unable to develop a case against him.

De Wit was found guilty at his trial, and was ordered to serve 150 hours of community 
service. He was also offered a job managing his hometown's computer systems by the 

David Smith, author of the Melissa virus, pleaded guilty in December 1999 and still 
hasn't been sentenced. Six court dates have come and gone, and Smith remains out on 
$100,000 bail. His lawyer, Edward Borden, did not return calls requesting comment.

"We're sending a mixed message," Graham Cluley, senior technology consultant for 
Sophos Anti-Virus, said. "On the one hand, we say virus writing is a crime; on the 
other, we don't really pursue it. These guys get fame, and often even job offers, 
after releasing a virus. We have to send a consistent message that virus writing is 
not a good thing, before it totally spirals out of control."

Love Bug, AnnaK and Melissa were coded to spread quickly, but did no physical damage 
to systems. But over the past year, nastier worms like Nimda and Code Red have opened 
infected systems to attack by malicious hackers.

The coders of the more malicious worms rarely leave clear clues in their code. But 
security experts like Richard Smith, who was instrumental in tracking down the authors 
of the Love Bug and Melissa, said it's not impossible to track down more surreptitious 
worm writers.

"But it wouldn't be easy," said Smith. "For Code Red and Nimda, you'd probably need to 
examine the server logs of infected computers to track all the way back to where the 
worm started. You'd need to find out who got it first, and from where. It would be a 
horrendous job."

SirCam, the e-mail virus that clogged networks this summer, might be easier to track.

SirCam contains this text in its code: "SirCam Version 1.0 Copyright 2001 2rP Made in 
/ Hecho en - Cuitzeo, Michoacan Mexico."

Smith has a hunch that the author of SirCam is or was in Cuitzeo, and is probably a 
student. Cuitzeo is located 16 miles from Morelia City, which boasts a large 

The NIPC's Weierman said that all leads are being pursued.

