Security News

Virus Writers, Senders Rarely Face Jail

Martha Mendoza

A Minnesota teenager was arrested Friday, accused of disseminating a version of "Blaster." But investigators scrambling to trace that infection, along with "Sobig" and other computer viruses, face a daunting challenge: an incredibly hard-to-track international crime set in an obscure and anonymous environment.

They also say they are hampered by antiquated laws and, for many years, a winking or even admiring attitude toward virus creators.

One person has been sent to prison in the United States and just two in Britain, authorities say. But the low numbers are "not reflective of how seriously we take these cases, but more reflective of the fact that these are very hard cases," said Chris Painter, the deputy chief of computer crimes at the U.S. Department of Justice.

Beginning Nov. 1, the consequences will be harsher; the U.S. Sentencing Commission has written tough new punishments for certain types of computer crimes. A virus sender who intends to cause death - by tying up 911 emergency telephone lines, for example - could face a life sentence.

But the senders have to be caught first, and that, say prosecutors and computer security experts, can be almost impossible.

"If the perpetrator is semi-sophisticated, they can easily mask their trail," said Elliot Turrini, former federal prosecutor in Newark, N.J.

He prosecuted David Smith, currently serving a 20-month sentence for sending a virus - "Melissa," named after a stripper Smith knew. Smith, then 30, was captured with the help of AOL technicians, but not before his virus caused more than $80 million in damage.

"I did not expect or anticipate the amount of damage that took place. When I posted the virus, I expected that any financial injury would be minor and incidental," Smith told the judge while pleading guilty. "In fact, I included features designed to prevent substantial damage."

Arrested in another case was Onel De Guzman, author of the "Lovebug" virus that caused $7 billion in damage in 2000. But he was released because at the time there was no law in his native Philippines banning what he had done.

One year earlier, Chen Ing-hau of Taiwan was arrested for writing the "Chernobyl" virus, but was released because nobody filed an official complaint about damage. He has since been rearrested.

In England, two virus senders have done prison time - Simon Vallor, convicted this year, and Christopher Pile in 1995.

Virus senders are also almost always young, leading some to argue for restraint in punishments.

On Friday, federal agents arrested Jeffrey Lee Parson, 18, of Hopkins, Minn. The FBI said he admitted modifying the original "Blaster" infection and creating a version called "Blaster.B." At least 7,000 computers were infected, agents said.

"Kids just need to realize this isn't a game anymore," said Matthew Tanase, president of Qaddisin, a network security company in St. Louis.

He noted that the Sobig virus clogged inboxes and ground e-mail to a halt for several clients, as well as a local hospital.

"This did a lot of damage, lost time, lost money, lost productivity," Tanase said, "but I don't know if jail is the answer, especially if this ends up being a kid."

Computer viruses have been around almost as long as the Internet.

In 1988, Cornell University graduate student Robert Morris set off a worm program that quickly spread through 6,000 hosts and almost halted the entire network. Morris was arrested and eventually was placed on three years' probation, ordered to perform 400 hours of community service and fined $10,000.

That case set a precedent of dealing gently with virus senders, critics say.

"The lack of a credible criminal penalty is a problem," said Eugene H. Spafford, director of the Center for Education and Research in Information Assurance at Purdue University.

But Spafford said stiffer penalties alone are not going to end viruses.

Computer users need to "put bars on the windows" and use more antivirus software and technical guards, he said.

Social attitudes also need to be changed - "creating the idea that hacking is not romantic, it's not clever, it's not an appropriate thing to do," he said.

Online business owners need no convincing. Facing damage to their equipment and lost profits, many are demanding tougher enforcement.

"If a virus wrecks my computer, it's just as though someone came and destroyed my house. That person should be prosecuted," said Peggy Howell, who runs an online art gallery and gift shop in Windsor, Calif.

But what becomes tricky in the legal world is that the vast majority of computer viruses don't do major damage.

Although security firm Symantec has developed protection against 62,904 computer viruses to date, Mark McManus, vice president for technology and research at Computer Economics in Carlsbad, Calif., said that fewer than 30 of those have had a financial impact exceeding $500 million.

The financial impact of viruses is measured in three pieces - the labor required to counteract the virus, the price of hardware and software to disinfect a system and the loss of revenue due to denial of service, he said.

Ross Nadel, who heads criminal prosecutions for the Justice Department in the Silicon Valley, said prolific viruses are much more difficult to track than individual computer attacks.

"It's one thing to trace a hacker one or two steps back," he said, "but in these cases it could be 20 or 30 or 40 steps back, through multiple servers, and with each step it's not twice as hard, it's logarithmically more difficult."

Under federal law, prosecutors also must find evidence showing the virus writer intentionally, not just recklessly, caused more than $5,000 worth of damage.

It was that legal nuance that prompted a federal judge in Miami last year to erase a conviction against computer technician Herberg Pierre-Louis for knowingly transmitting a computer virus to his employer, a grocery wholesaler. His lawyers successfully argued that the only loss allowed under the law was repair costs, which didn't meet the $5,000 threshold.

Congress has since broadened the meaning of damage to include lost revenue, repair costs and related damage from interrupted service.

Ken Dunham, an analyst at iDefense Inc., an online security company, said the government's role in investigating and prosecuting cybercrime is evolving. "I think we're going to see improvements," he said.

Copyright © 2003 The Associated Press. All rights reserved. The information contained in the AP News report may not be published, broadcast, rewritten or redistributed without the prior written authority of The Associated Press.
