Information Security News mailing list archives
The Multi-National Love Bug Team
From: William Knowles <wk () C4I ORG>
Date: Wed, 10 May 2000 17:13:05 -0500
http://www.wired.com/news/technology/0,1282,36246,00.html

by Lynn Burke
12:05 p.m. May. 10, 2000 PDT

While authorities in the Philippines are busy homing in on Onel de Guzman as the prime suspect in the Love Bug case, self-styled computer sleuths across the globe say there is much more to this story.

Jean François Gagné, 31, a now-unemployed computer technician-consultant from Montreal, has spent hours investigating the Love Bug trail by tracking logs of ICQ, an instant-messaging client.

His theory: It originated in Brisbane, Australia. It was then launched from Manila and re-launched from Dar es Salaam, the capital city of East African nation Tanzania.

The Australia angle has another backer: Swedish researcher Fredrik Bjorck, a computer virus expert at the University of Stockholm.

Bjorck, who helped track down the creator of the infamous Melissa worm, says a 23-year-old German student named Michael created the virus in Australia, where he lives. But he said Michael may not have meant for things to go this far.

"(He) is the creator of the virus, but remember that it might not be his intent to distribute it," Bjorck said.

That's where the de Guzmans come in.

Based on information contained in the source code of the worm, the accounts used to launch the virus were based in Manila, and were located at an apartment building where Irene de Guzman lives with her boyfriend, Reomel Ramones, her brother, Onel, and sister, Jocelyn.

Ramones was the first person to be fingered as a suspect, but was subsequently let go for lack of evidence. Now the authorities think the person behind the worm is Onel, a student at AMA Computer College in Manila who submitted a thesis in February detailing how passwords could be stolen from the Internet.

This part of the story has its share of backers.

"Onel was launch pad No. 1, that seems very certain now. And (he was) probably helped with his sister, Jocelyn," said Gagné.

So far, details on Jocelyn de Guzman have not been forthcoming, and her involvement is unknown.

But more than one researcher has found a link to a 15-year-old girl from Tanzania named Anjabi.

Anjabi was identified on Monday by James M. Atkinson, a technical counterintelligence engineer with technical surveillance firm Granite Island Group.

Atkinson, who says he has been analyzing this case for the pure sport of it, believes Anjabi is involved with someone named Michael who lives in a Manila suburb, and believes they both belong to a Manila-based hacking group called the Acolytes.

He says Anjabi moved from Tanzania to live with her boyfriend in the Philippines about 18 months ago.

Atkinson found the couple through analyzing the executable file that was found in the four directories listed in the source code. Those directories have since been taken down by Philippines ISP Supernet.

"This is a matter of taking big sheets of graph paper and drawing pretty pictures on it," he said. "You know when you track a bear out in the woods? I just followed the footprints."

After digging through Usenet archives dating back eight years, ICQ registrations, ICQ logs, and IRC logs, Atkinson concluded that the virus traces back to Anjabi and her boyfriend, Michael, 23.

He pointed out that their accounts may have been stolen, and said the truth won't come out until officials "sit down and have a long, hard chat with them."

Gagné used similar methods to reach his conclusion, which places Anjabi back in Tanzania.

"(The Love Bug) was localized in East Asia, and suddenly, it struck Africa, then Europe, and America. This could explain Anjabi's link in Tanzania -- she was launch pad No. 2," he said.

"One thing is for sure, this was not a single launch," said Gagné. "Just like a fire, the spread was too quick."

*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions http://www.c4i.org
*-------------------------------------------------*

ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".