Information Security News mailing list archives

The Hunt for the Worm Writers


From: InfoSec News <isn () c4i org>
Date: Fri, 10 Aug 2001 03:20:19 -0500 (CDT)

http://www.wired.com/news/technology/0,1282,45956,00.html

By Michelle Delio 
6:14 a.m. Aug. 9, 2001 PDT 

Internet users have become all too familiar with SirCam and Code Red,
but the creators of the two worms that have plagued the Internet this
summer remain a mystery.

If the FBI's National Infrastructure Protection Center has its way,
the identities of those who wrote and released the malicious little
bundles of code into the world will be known soon.

"We are very serious about finding the authors of Code Red and
SirCam," the NIPC's Debra Weierman said. "Intentional transmission of
worms or viruses across the Internet is a felony. This is a major
offense, not some inconsequential lark."

Weierman acknowledged that finding a worm's author is often akin to
assembling a complex jigsaw puzzle whose pieces are scattered all
around the globe, but she said that the NIPC is confident that they
will be able to track both worms' creators.

"We have 4,000 security professionals around the world who are giving
us information," Weierman said. "It's only a matter of time."

Piecing together the puzzles of SirCam and Code Red requires a solid
knowledge of the people who code worms. Without knowing who's who in
the virus world, and why they do what they do, it's easy to miss
crucial clues -- and make mistakes.

On Wednesday, Frank Felzmann, the head of Germany's Federal Office for
Information Technology Security, said that he had tracked down the
authors of Code Red.

Felzmann was quoted as saying that the worm had been authored by 29a,
"a hacking group from the Netherlands."

But members of 29a said they are not from the Netherlands and did not
have anything to do with Code Red.

According to news reports, Felzmann said that 29a had taken credit for
the worm in hacking newsgroups, but a search across Usenet on
Wednesday only turned up a discussion by several Russian programmers
who had momentarily confused a virus called "RedCode," whose code
contains a credit to "Wintermute/29a," with Code Red.

"Yes, Wintermute, a former member of 29a, coded a virus called
RedCode," said Mental Driller, a 29a member. "But it is a primitive
virus that only worked under DOS systems. It isn't in any way the Code
Red virus that media has been talking about."

Felzmann did not immediately reply to requests for comment.

Some virus writers like to tuck a reference to themselves into their
code, but so far no one has been able to discover any clues to the
writer's identity in any of the three versions of Code Red that have
spread across the Internet since the worm was first spotted in July.

SirCam does appear to contain some pointers to its writer. A text
string that fills the hard drives of some infected computers reads:
'[SirCam Version 1.0 Copyright 2001 2rP Made in / Hecho en - Cuitzeo,
Michoacan Mexico]'

The town of Cuitzeo holds a big festival on Oct. 16, the same day that
SirCam is programmed to virtually roll the dice on any infected
computers. That day, SirCam will generate a random number that has a
1-in-20 chance of forcing the infected machine to delete all the files
on its hard drive. Weierman could not comment on ongoing
investigations, but said the NIPC is studying all reports on both of
the worms' contents carefully.

"If the worm writer is not located in the U.S., the NIPC will alert
local law enforcement and work with them to make sure the writer is
held liable under local laws," Weierman said. "In the U.S., the
authors of Code Red and SirCam would face a five-year sentence, a fine
of up to $250,000 for each incident of damage, and perhaps civil suits
from companies and people whose networks or computers have been
damaged."

Weierman said the NIPC relies heavily on the expertise of people
around the world who are familiar with the computer underground "who
network with us and share information."

But most of the security firms that are working with the NIPC do not
try to find worm writers.

Internet Security Systems' X-Force team, which has been working
closely with the NIPC on Code Red and SirCam, has no plans to try to
track down the creators of the worms.

"We don't deal in law enforcement, we just pass along the technical
details as we discover them to the NIPC," said Dan Ingevaldson,
X-Force team leader.

That sentiment was echoed by eEye Digital Security, the first security
firm to identify the hole that Code Red exploits, and first to fully
analyze all three versions of the Code Red worm.

Marc Maiffret, chief hacking officer at eEye, said his team had worked
around the clock to provide their pieces of the puzzle to the NIPC.

"The coolest thing had to be when one of the head FBI investigators
called us and said they needed to know what the worm was going to
attempt to do against the whitehouse.gov website and what could they
do to stop it," said Maiffret. "They said they needed the information
in 10 minutes because they were going to be briefing the White House."

But Maiffret said the team is "not really focusing on trying to track
down who coded the worms or anything like that. We leave that to the
government guys."

Only a few security experts, like Richard Smith of the Privacy
Foundation, attempt to trace worm authors.

Smith said he enjoys tracking virus writers -- "putting together all
the puzzle pieces is fascinating," he said -- but hasn't had time to
take a close look at either Code Red or SirCam yet.

Smith thinks the NIPC could coordinate an effort to find Code Red's
author.

"Server and firewall logs indicate which machines are infected, so if
the NIPC requested that everyone submit their logs, and examined each
log for the first attack, they could probably figure out which machine
was the first to begin spreading the worm," Smith said. "It would be a
horrendous job, but I would bet the NIPC could do it."
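The log-correlation approach Smith describes, as an added example that is not part of the article: constructed Common Log Format lines from three hypothetical servers are scanned for Code Red's HTTP probe (a GET for /default.ida followed by a long run of N's, a detail the article itself does not give), each probing address is mapped to the earliest time any server saw it, and the earliest of those is reported as the first source seen. Server names, addresses and log lines are all constructed; www3 logs in a +0200 zone to show that offsets must be normalised before comparing timestamps.

```python
import re
from datetime import datetime

# Constructed Common Log Format lines from three hypothetical servers (made up
# for this example; note www3 logs in local time with a +0200 offset).
LOGS = {
    "www1": ['10.0.0.5 - - [19/Jul/2001:13:05:11 +0000] "GET /index.html HTTP/1.0" 200 512',
             '192.0.2.77 - - [19/Jul/2001:13:09:42 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090 HTTP/1.0" 404 0'],
    "www2": ['192.0.2.77 - - [19/Jul/2001:13:02:03 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090 HTTP/1.0" 404 0',
             '198.51.100.9 - - [19/Jul/2001:13:20:00 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090 HTTP/1.0" 404 0'],
    "www3": ['198.51.100.9 - - [19/Jul/2001:15:18:30 +0200] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090 HTTP/1.0" 404 0'],
}

# CLF fields: client, ident, user, [timestamp], "method path proto", status, bytes.
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
# Code Red probed IIS with a GET for /default.ida followed by a long run of N's.
PROBE_PATH = re.compile(r'^/default\.ida\?N{8,}')

def parse_clf(line):
    """Return (client_ip, aware_datetime, method, path, status), or None if unparsable."""
    m = CLF.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    # %z keeps the offset, so entries from differently zoned servers compare correctly.
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def is_worm_probe(method, path):
    return method == "GET" and PROBE_PATH.match(path) is not None

def first_seen_attackers(logs):
    """Map each probing IP to (earliest probe time, server that logged it)."""
    first = {}
    for server, lines in logs.items():
        for line in lines:
            rec = parse_clf(line)
            if rec is None or not is_worm_probe(rec[2], rec[3]):
                continue  # skip unparsable lines and ordinary traffic
            ip, when = rec[0], rec[1]
            if ip not in first or when < first[ip][0]:
                first[ip] = (when, server)
    return first

def earliest_source(logs):
    """(ip, time, server) of the earliest probe in the combined logs, or None."""
    first = first_seen_attackers(logs)
    if not first:
        return None
    ip = min(first, key=lambda k: first[k][0])
    return (ip,) + first[ip]
```

With the constructed data, `earliest_source(LOGS)` names 192.0.2.77 from www2's 13:02:03 entry, even though www1 saw the same address later; real investigations would need far more servers and a tamper-evident chain of custody for the submitted logs.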

Smith said that worm hunters need a lot of patience and have to be
willing to share clues with other hunters.

Smith found the author of the Melissa worm by locating a "digital
fingerprint," a distinctive piece of code, within the string of
commands.

Smith then posted some information about the fingerprint in a
newsgroup, and other posters pointed out similarities between
Melissa's code and some virus creation kits that "VicodinES" had
posted on the Web.

Smith found the same digital fingerprints in VicodinES's kits as he'd
discovered in Melissa, establishing a trail of virtual evidence that
helped lead the FBI to David L. Smith, Melissa's author.

"It's not too hard to locate one or two pieces of the puzzle," Smith
said. "But it can be hard to put it all together into one big
picture."

Looking at the whole picture may require the NIPC to go down some
highways that they might not choose to travel.

eEye's Maiffret was angry that his team wasn't included in the NIPC's
big July 29 press conference on the return of Code Red.

"We spent many, many hours holding NIPC's hand in private and they
basically shunned us in public," said Maiffret. "Yeah, the NIPC
screwed us. It's all political crap and the NIPC will never succeed
until they get a lot more technical and a lot less political."

"Maiffret's job title kept eEye out of the big press conference," said
Rob Rosenberger of vMyths. "No one wanted a 'chief hacking officer' in
the roundup so soon after (NIPC Director Ronald) Dick's senatorial
carpet-calling."

Weierman said that many people who had contributed information about
Code Red weren't included in the press conference, simply because of
"logistics."

But Maiffret said that eEye would still continue to help the NIPC.

"Actually, we're meeting with them again today to explain how Code Red
II works."

Meanwhile, to keep the spread of the Code Red worms from slowing down
its cable Internet network, AT&T is blocking access to port 80 Web
servers run by residential customers, a spokeswoman said Wednesday.

"We are trying to protect our greater user population as a whole,"
said AT&T spokeswoman Sarah Eder. The company provides cable Internet
access to 1.35 million residential customers, she said.

By blocking incoming traffic to Web servers, AT&T is effectively
shutting down the websites, which residential customers are not
supposed to be operating anyway, Eder said.

"According to our official use policy, customers are not permitted to
operate Web servers behind cable modems," she said.

Commercial customers of AT&T's cable Internet service are not
affected, she added.

Reuters contributed to this report.


