Politech mailing list archives

FC: FBI hit with Sircam virus that distributes files on your HD


From: Declan McCullagh <declan () well com>
Date: Wed, 25 Jul 2001 18:30:09 -0400

CERT has (ahem, finally) released a Sircam advisory this afternoon:
http://www.cert.org/advisories/CA-2001-22.html

Sircam is an amazingly noxious critter. I'll give you an example. At Wired News, like other news organizations, we have feedback addresses so people can send us thoughts on articles. Those have been the same for at least three years, so they're well-known and available to programs like Sircam that scan hard drives for email addresses.

Since 1 am ET Tuesday, we've received about 150 MB of mail directed at those addresses, the vast bulk of it Sircam output. A quick scroll through the messages says about 90 percent of it by message and probably 99 percent of it by size is due to Sircam.

Dave Farber wrote on his Interesting People list:

The person/group who launched the SirCam virus should get the first Cyberspace death -- namely permanent banishment from any network access any place in the world. We yell endlessly about spam mail but one mess like this makes spam mail almost interesting.

Which I heartily endorse.

-Declan

*********

From: "Bridis, Ted" <Ted.Bridis () dowjones com>
To: "'declan () well com'" <declan () well com>
Subject: fbi, fyi
Date: Wed, 25 Jul 2001 08:53:19 -0400

http://interactive.wsj.com/articles/SB99601609210000000.htm

FBI Cyber Researcher Unleashes Virus
That E-Mails Private Agency Documents

By TED BRIDIS
Staff Reporter of THE WALL STREET JOURNAL

WASHINGTON -- A researcher in the Federal Bureau of Investigation's
cyber-protection unit unleashed a fast-spreading Internet virus that
e-mailed private FBI documents to outsiders -- all on the eve of a Senate
hearing into troubles at the unit.

Although the Sircam virus didn't spread to other computers at the FBI's
National Infrastructure Protection Center, it did send at least eight
documents to a number of outsiders. One, about the investigation into an
unrelated virus, was marked "official use only." The Sircam virus has
infected thousands of computers since its discovery last week.

FBI spokeswoman Deb Weierman said that no sensitive or classified
information about continuing investigations was disclosed Tuesday. The
"official use" designation protects documents from disclosure under the U.S.
Freedom of Information Act.

It isn't uncommon for virus researchers to accidentally infect their own
computers, but the mistake was particularly embarrassing because it occurred
ahead of a Senate Judiciary panel's oversight hearing about the FBI cyber
unit's effectiveness. Lawmakers were expected to focus on other agencies'
failure to cooperate fully with the FBI center, and on a perceived lack of
trust between the FBI and private-sector groups.

The unit generally gets high remarks for its criminal investigations, and
even critics say the unit is more effective than it was a year ago. "The
effort here is not to embarrass anybody but to stress that a lot of work has
to be done," said Republican Sen. Jon Kyl of Arizona.

Meanwhile, the White House has begun organizing a new early-warning network
for Internet threats. But unlike the current system, it will be coordinated
by the Pentagon, not the FBI. The mechanism for warning all U.S. military
and civilian agencies -- and ultimately corporations -- will be dubbed the
Cyber-Warning and Information Network, or "c-win." Organizers envision
dozens of computer centers that could sound an alert when a threat is
identified.

The network is expected to begin operating in October. The FBI unit, which
currently relays these warnings, came under sharp criticism from
congressional auditors for issuing tardy alerts. Ms. Weierman, the FBI
spokeswoman, called the new network a "useful mechanism" to offer the
government a "technical capability that doesn't currently exist." The FBI,
she said, wasn't concerned it would lose its warning responsibilities.

Tuesday, at least three people said they received some of the FBI documents,
including a 23-year-old Internet-security expert in Belgium, Niels Heinen.
He operates a Web site that reports on Internet break-ins and speculated
that the analyst, Vince Rowe, visited the site on the infected computer. Mr.
Rowe didn't respond to a request for comment.

Write to Ted Bridis at ted.bridis () wsj com




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------

