Fearing PC Havoc, Gumshoes Hunt Down a Virus

[Dave Farber <dave () farber net>]

> Fearing PC Havoc, Gumshoes Hunt Down a Virus
>
> August 23, 2003
>  By KATIE HAFNER and KIRK SEMPLE
>
>
>
>
>
>
> It is common wisdom in the computer security world that the
> criminals are separated from their pursuers by only a few
> lines of cleverly written software.
>
> Yesterday was a case in point.
>
> As a computer virus named
> SoBig.F swamped e-mail inboxes, wreaking havoc on
> individual PC's and corporate computer systems, computer
> security experts around the world spent a tense day trying
> to stop a more potentially serious electronic time bomb
> from going off: SoBig carries an attachment that, if
> opened, instructs the infected computer to communicate with
> one of 20 host PC's that, most likely unknown to their
> owners, were planted with a mystery program.
>
> But the experts did not know what would then happen to the
> infected machines, or what instructions they would be
> given. And so the race was on to find the 20 computers and
> isolate them from the rest of the Internet before they
> could potentially send out more malicious instructions to
> millions of computers. The time of the first attack was to
> be 3 p.m. Eastern time.
>
> By late afternoon, computer experts, in collaboration with
> Internet service providers and law enforcement agencies
> around the world, declared a partial victory: they were
> able to decrypt the virus's software, find the 20 computers
> and take at least 17 offline. The Federal Bureau of
> Investigation also served a subpoena to an Internet service
> provider in Phoenix that the authorities say could be the
> source of the virus.
>
> And though the experts feared the host computers might give
> out catastrophic instructions, like telling the infected
> machines to erase their hard drives or begin new attacks,
> Symantec Security Response, a team within the Symantec
> Corporation, the Internet security company, said the
> remaining three host machines had simply redirected
> computers to a pornographic Web site. It is not known
> whether the other 17 would have performed similarly.
>
> "The people who are in charge have sidestepped another
> attack or the potential for bad things to happen," said
> Jimmy Kuo, a research fellow at Network Associates, another
> Internet security company.
>
> SoBig is one in a series of computer viruses to threaten
> personal and corporate computers recently. Earlier this
> month, a program called Blaster and another called Nachi or
> Welchia were infecting hundreds of thousands of computers,
> although they appeared not to do severe damage. SoBig began
> showing up on Monday in e-mail inboxes with subject lines
> like "Thank you!" or "Re: Details" and "Re: Wicked
> screensaver." But the computer could be infected only if
> the recipient opened the attachment to the message.
>
> Although commonly referred to as a computer virus, SoBig is
> considered a worm, because it operates independently.
> Unlike a virus, a worm does not attach itself to an
> existing computer file.
>
> SoBig was written to run on Windows machines, and computers
> running the Macintosh and Linux operating systems were not
> affected.
>
> Although SoBig had been around since last January, it has
> been modified continually. This, its sixth incarnation,
> included the electronic time bomb.
>
> Yet from the moment this version first cropped up, a team
> of security sleuths with F-Secure, a computer security
> company in Helsinki, Finland, that sells antivirus
> software, had already begun taking it apart.
>
> Before long, a group of eight engineers had homed in on a
> string of cleverly written code that the designers of SoBig
> had encrypted, and the engineers decided that was the nut
> they needed to crack.
>
> By 3 p.m. on Thursday, after working around the clock, the
> engineers in Helsinki had decrypted the computer code. What
> they found was a list of 20 Internet Protocol, or I.P.,
> addresses, linked to home computers in the United States,
> Canada and South Korea.
>
> Further, they discovered a new twist. At 3 p.m. yesterday,
> tens of thousands of computers already infected with SoBig
> were supposed to connect to those 20 computers, using them
> as mere go-betweens, to retrieve a list of Web addresses.
> Once they were obtained, the machines infected with SoBig
> were supposed to download a program from those addresses.
>
> What was supposed to happen after that no one knew, because
> "we stopped it," said Tony Magallanez, a systems engineer
> at F-Secure in San Jose.
>
> To mitigate the threat, F-Secure engineers notified both
> the F.B.I. and the Internet service providers connected to
> the 20 computers. The addresses were then removed from the
> network by the Internet companies. In addition, the large
> telecommunications companies that provide the backbone for
> the Internet could have interceded and blocked all
> communication to those specific Internet addresses, Mr. Kuo
> said.
>
> By 3 p.m., F-Secure had confirmed that 18 of the 20 target
> computers had been isolated and taken offline. (According
> to several security companies, the precise number
> fluctuated through the afternoon as they rechecked the
> computers.) Of the remaining computers, one had already
> been taken offline.
>
> The host computers are most likely home PC's whose owners
> had no idea that their systems had been commandeered,
> experts said.
>
> "I highly doubt the author of the virus owns these
> machines," said Johannes Ullrich, chief technology officer
> of SANS Internet Storm Center, a company in Bethesda, Md.,
> that monitors Internet traffic.
>
> Vincent Weafer, senior director of Symantec Security
> Response, said that when computer security technicians
> pretended to have an infected machine and sent messages to
> the host computers, they found that one of the host
> computers that was still on line was redirecting them to a
> pornography Web site. That allayed fears that the program
> could install a more virulent program on the infected
> computers, or send out more malicious worms.
>
> Computer security experts said today that SoBig could be
> the largest virus yet in terms of the amount of e-mail it
> has generated. Other viruses have spread more quickly or
> have done more damage to systems and hardware, they said.
>
> "The volume of this one is high," said Sharon Ruckman,
> senior director of Symantec Security Response in a
> telephone interview.
>
> Although few companies reported wholesale computer
> shutdowns, the SoBig virus proved an enormous nuisance.
> Like gum on a shoe, it stuck around. By the end of the
> week, the virus had sent out tens of millions of
> unsolicited messages.
>
> The F.B.I. is investigating the case under federal laws
> that prohibit computer intrusions, but no specific
> violations have been named.
>
> "We don't know right now what violations have occurred
> until we've gathered all the facts," said Paul Bresson, an
> F.B.I. spokesman. "There might be something additional,
> like wire fraud."
>
> Mr. Bresson said the F.B.I. was working closely with other
> agencies, including Homeland Security and private computer
> security firms.
>
> Jeff Minor, chief executive of Easynews, an Internet
> service provider in Phoenix, said the F.B.I. served a
> subpoena to the company late yesterday morning.
>
> Mr. Minor said he thought that a stolen credit card number
> was used to open an account on Easynews, and the SoBig worm
> was sent from that account. Mr. Minor said the account was
> opened seven minutes before the rogue program was sent out.
> He said it was embedded in an image and sent to an Internet
> news group devoted to pornography.
>
> "Anyone trying to download that particular image in that
> news group would have been infected," Mr. Minor said.
>
> Mr. Minor said the worm was posted to the network from a
> computer in Vancouver, British Columbia. "To the best of my
> knowledge it was at somebody's home," Mr. Minor said.
>
> Although a broad cyberdisaster appeared to have been
> averted yesterday, computer security experts said computer
> users were not yet out of the woods. Infected computers
> will still be trying to connect to the master computers,
> they said, and will deluge the Internet with viral spam.
>
> "We're still going to have millions of messages that the
> virus generates," Mr. Kuo said, adding that America Online
> has been blocking some 11 million SoBig e-mail messages a
> day.
>
> To guard against infection, recipients should continue to
> delete e-mail messages containing suspicious attachments.
> The virus program is blocked by updated versions of most
> antivirus utility programs. "The No. 1 thing is, don't
> click on these attachments," Mr. Ullrich said.
>
> Several Internet security sites are offering free software
> tools and step-by-step instructions on identifying and
> cleaning an infected computer.
>
> SoBig, Mr. Ullrich said, is "just another pain in the neck
> for system administrators to deal with."
>
> http://www.nytimes.com/2003/08/23/technology/23VIRU.html?ex=1062620625&ei=1&en=67258d007498c8e4
>
>
> ---------------------------------
>
> Get Home Delivery of The New York Times Newspaper. Imagine
> reading The New York Times any time & anywhere you like!
> Leisurely catch up on events & expand your horizons. Enjoy
> now for 50% off Home Delivery! Click here:
>
> http://www.nytimes.com/ads/nytcirc/index.html
>
>
>
> HOW TO ADVERTISE
> ---------------------------------
> For information on advertising in e-mail newsletters
> or other creative advertising opportunities with The
> New York Times on the Web, please contact
> onlinesales () nytimes com or visit our online media
> kit at http://www.nytimes.com/adinfo
>
> For general information about NYTimes.com, write to
> help () nytimes com.
>
> Copyright 2003 The New York Times Company

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/