Information Security News mailing list archives

The Multi-National Love Bug Team


From: William Knowles <wk () C4I ORG>
Date: Wed, 10 May 2000 17:13:05 -0500

http://www.wired.com/news/technology/0,1282,36246,00.html

by Lynn Burke
12:05 p.m. May. 10, 2000 PDT

While authorities in the Philippines are busy homing in on Onel de
Guzman as the prime suspect in the Love Bug case, self-styled computer
sleuths across the globe say there is much more to this story.

Jean François Gagné, 31, a now-unemployed computer technician-consultant
from Montreal, has spent hours investigating the Love Bug trail by
tracking logs of ICQ, an instant-messaging client.

His theory: It originated in Brisbane, Australia. It was then launched
from Manila and re-launched from Dar es Salaam, the capital city of
East African nation Tanzania.

The Australia angle has another backer: Swedish researcher Fredrik
Bjorck, a computer virus expert at the University of Stockholm.

Bjorck, who helped track down the creator of the infamous Melissa
worm, says a 23-year-old German student named Michael created the
virus in Australia, where he lives.

But he said Michael may not have meant for things to go this far.
"(He) is the creator of the virus, but remember that it might not be
his intent to distribute it," Bjorck said.

That's where the de Guzmans come in. Based on information contained in
the source code of the worm, the accounts used to launch the virus
were based in Manila, and were located at an apartment building where
Irene de Guzman lives with her boyfriend, Reomel Ramones, her brother,
Onel, and sister, Jocelyn.

Ramones was the first person to be fingered as a suspect, but was
subsequently let go for lack of evidence.

Now the authorities think the person behind the worm is Onel, a
student at AMA Computer College in Manila who submitted a thesis in
February detailing how passwords could be stolen from the Internet.

This part of the story has its share of backers.

"Onel was launch pad No. 1, that seems very certain now. And (he was)
probably helped with his sister, Jocelyn," said Gagné.

So far, details on Jocelyn de Guzman have not been forthcoming, and
her involvement is unknown.

But more than one researcher has found a link to a 15-year-old girl
from Tanzania named Anjabi.

Anjabi was identified on Monday by James M. Atkinson, a technical
counterintelligence engineer with technical surveillance firm Granite
Island Group.

Atkinson, who says he has been analyzing this case for the pure sport
of it, believes Anjabi is involved with someone named Michael who
lives in a Manila suburb, and believes they both belong to a
Manila-based hacking group called the Acolytes. He says Anjabi moved
from Tanzania to live with her boyfriend in the Philippines about 18
months ago.

Atkinson found the couple through analyzing the executable file that
was found in the four directories listed in the source code. Those
directories have since been taken down by Philippines ISP Supernet.

"This is a matter of taking big sheets of graph paper and drawing
pretty pictures on it," he said. "You know when you track a bear out
in the woods? I just followed the footprints."

After digging through Usenet archives dating back eight years, ICQ
registrations, ICQ logs, and IRC logs, Atkinson concluded that the
virus traces back to Anjabi and her boyfriend, Michael, 23.

He pointed out that their accounts may have been stolen, and said the
truth won't come out until officials "sit down and have a long, hard
chat with them."

Gagné used similar methods to reach his conclusion, which places Anjabi
back in Tanzania.

"(The Love Bug) was localized in East Asia, and suddenly, it struck
Africa, then Europe, and America. This could explain Anjabi's link in
Tanzania -- she was launch pad No. 2," he said.

"One thing is for sure, this was not a single launch," said Gagné.
"Just like a fire, the spread was too quick."


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*
