FBI Hunts Sobig Perpetrator

MSBlast, also called W32/Blaster, the worm that bogged down enterprise networks and had them racing to plug a vulnerability in Microsoft Windows, first struck on Aug. 11. A week and a day later, Sobig.F, a virus tucked inside an attachment to an e-mail message, flooded corporate and consumer inboxes with millions of spam-like messages. Together, the pair accounted for the year's most troublesome month for security professionals, enterprise IT managers and at-home users.

"We are working with the Department of Homeland Security and with state and local law enforcement on our Cyber Task Forces to track down the perpetrators of Sobig and the recent W32/Blaster worm," said Robert Mueller, the bureau's director. "We employ the latest technology and code analysis to direct us to potential sources, and I am confident that we will find the culprits."

Finding them won't be easy. Virus and worm writers are rarely caught, and when they are it's because they've talked up their exploits or because extortion or blackmail has come to light, said Vincent Weafer, senior director of Symantec's security response team.

Among the few successes that law enforcement has had in identifying and prosecuting malware writers, for instance, was the creator of the Melissa worm, David L. Smith, who was identified through a stolen America Online account. Smith, who wrote and distributed the worm in 1999, pled guilty and was sentenced in 2002 to 20 months in prison and fined $5,000.


"But of the 80,000-some viruses out there, only a small handful have been identified," said Chris Wraight, technology consultant at antivirus firm Sophos. And even fewer are prosecuted. For instance, the Filipino creator of 2000's Love Bug virus was found but never charged, Wraight said.

The problem lies in the anonymity of the Internet. "You can hide anywhere," Wraight said.

"It's not the worm or the virus that's traceable but the secondary evidence," Weafer said.

One thing that the FBI may have going for it is the serial nature of the Sobig viruses. Last week's Sobig.F was the sixth variation on the theme and evidence may reside on the 20 compromised PCs that were identified on Friday as the hosts for downloading additional components to infected systems. The downloads were successfully blocked after security firms and Internet providers identified the systems and took them offline.

"Sobig is like a serial crime," said Weafer, likening the miscreant to a bank robber who leaves law enforcement with more clues as he hits each target. "Every time a variation's released, we learn a little more," he said.

He wasn't as confident that the 20 PCs set to distribute additional software to Sobig-infected systems would provide solid evidence, although that's certainly possible. It's likely that the machines, which were all consumer-owned PCs, were selected because it would have been easier for the intruder to disable logging than if the machines were part of an enterprise network. Even if logs do exist, it's probable that the path to those machines was disguised through numerous hops, or intermediary machines.

Wraight, however, disagreed that the expected continuation of Sobig--the current variant will stop propagating on Sept. 10, a trait it shares with the other Sobig viruses--means that law enforcement may be able to gather clues as they do in a serial crime. "We can't even say that they're written by the same author," Wraight said. "In many cases, new viruses are simply copy-cats of older ones." And with more than 20,000 Web sites offering downloadable virus-writing kits, it's all too easy for copy-cats to muddy the waters.

Other ways that law enforcement--in conjunction with security professionals, who are in frequent contact with the likes of the FBI--can use to pin down perpetrators include the language used in the code, the increased cooperation between businesses and law enforcement on cyber-security matters and the natural inclination of many virus and worm makers to boast of their exploits, Weafer said.

"But if, as seems to be the case, all the variations of Sobig have been written by one person or a tight group, finding him won't be easy," said Weafer.

Even so, both Weafer and Wraight are cautiously optimistic that the maker of Sobig, at the least, will eventually be found.

"It's the serial nature of Sobig that will give law enforcement new opportunities to identify him," Weafer said. "If he continues to release variants--yes, I think they'll catch him."

Added Wraight: "Let's just say that we share [the FBI Director's] optimism, but at the same time we're fairly pessimistic about their chances."

In its attempt to gather as many leads as possible, the FBI has urged anyone with information about the origins of Sobig.F or MSBlast to contact their local FBI office, said Jana Monroe, assistant director of the FBI's Cyber Division.

This story courtesy of Techweb.com.