the Internet was hit with a one-two-three punch. Two so-called direct Internet worms, MSBlast
, tied up Web traffic, while the fastest-spreading e-mail worm ever, Sobig
, slowed e-mail communications.
These worms cost each of us precious time; our lost productivity, in turn, costs our businesses money. Yet the chances of prosecuting, or even identifying, the person or people responsible for these worms are pretty low.
Some virus writers arrested
The first problem with bringing virus authors to justice is that they work very hard to remain anonymous. One way they hide their identities is to release a virus onto the Net from a public terminal at a university computer center or copy shop. While digital forensics could later establish which terminal sent the first copy of the worm, forensics alone cannot identify who sent the worm.
Many virus writers go to great lengths--including destroying their hard drives--to get rid of evidence.
Unless another person could identify the individual who sat at a particular computer at a particular time, it's virtually impossible to find someone to prosecute.
The second problem is that, even if you could place a person at the terminal, it would be difficult to prove in court that he or she was the one who wrote the code. Many virus writers go to great lengths--including destroying their hard drives--to get rid of evidence that might aid prosecution.
Nonetheless, some virus writers have been arrested and prosecuted. David L. Smith, who wrote the Melissa virus back in 1999, was identified
because Melissa contained a unique identifier from Microsoft Word that led the authorities to his computer. He is now serving 20 months in prison, with three years of supervised release to follow. Information from an ISP exposed the identity
of OnTheFly, the Norwegian author of the Anna virus. And the I Love You author, Onel de Guzman, was located
because he submitted an early version of the malicious code as a senior thesis at his college.
But more often than not, the authors who are found give themselves up by boasting about their feats. The four Israeli teenagers who wrote the Goner worm, for example, were discovered
because they bragged about their involvement with the worm in various IRC discussions. Finding MSBlast's author(s)
Unfortunately, the recent worms are much more sophisticated than Melissa, Anna, I Love You, or Goner--and thus their authors are even harder to find.
Worms such as MSBlast and Nachi harken back to 2001's Code Red. While virus researchers did find credible evidence
that the Code Red author or authors used Foshan University in Guangdong province, China, as their first target for the worm, they haven't been able to identify whether the authors were students or faculty at that university. No one's been arrested in connection with Code Red, Nimda, or even this year's Slammer, which managed to shut down Bank of America's ATM network. I suspect the same will be true with MSBlast.
What we do know about MSBlast is this: The virus is based on one of several exploits that take advantage of the DCOM RPC buffer overflow flaw in Windows 2000, NT, and XP, many of which appeared on the Internet shortly after Microsoft announced the flaw on July 16. Whoever wrote MSBlast drew largely from one of the known exploits, then threw in some off-the-shelf code that helped MSBlast make its way across the Internet.
Given early, circumstantial evidence that MSBlast may have indirectly contributed to
the recent New York blackout, the author of MSBlast (if found) could face life imprisonment under U.S. law. But I still think the likelihood of finding the MSBlast author is low, because he or she appears to have guarded anonymity well, and because the worm is so poorly designed, no one is likely to take credit for it.
Finding Sobig's author(s)
I believe, however, that the authorities have a reasonably good chance of finding Sobig's author, largely because there appears to be some financial motivation
behind this worm. Why does that matter? Since the worm's authors make money each time the worm appears, they want it to turn up again and again; Sobig tends to self-terminate and reappear in a slightly different form after a few days. The more examples we have of the worm, the more evidence we will have, and the more likely it is that some of that evidence will link back to the author or authors.
I believe that the authorities have a reasonably good chance of finding Sobig's author.
Though some virus writers have been caught in the past, a good number will continue to walk away scot-free. Given the relative sophistication of these most recent worms, I suspect their authors are particularly capable of avoiding detection.
It just goes to show that, for all the Web has developed over the past decade, in at least one way it still resembles the Wild West: Criminals wreak havoc, then disappear--and law enforcement ends up on wild goose chases trying to catch them.
Do you think the authors of either MSBlast or Sobig will be caught? Why or why not? Should law enforcement make a greater effort to track down virus writers? TalkBack to me.