script kiddie

A person, normally someone who is not technologically sophisticated, who indiscriminately seeks out a specific weakness across the Internet in order to gain root access to a system, without really understanding what s/he is exploiting because the weakness was discovered by someone else. A script kiddie is not looking to target specific information or a specific company, but rather uses knowledge of a vulnerability to scan the entire Internet for a victim that possesses that vulnerability.


Parson not dumbest virus writer ever, shock!

Published Monday 1st September 2003 20:04 GMT

Security experts are expressing caution about the FBI's confident prediction that it will catch all the culprits behind the two viral epidemics which ravaged the Internet last month.

Although quick to praise the authorities for nabbing Jeffrey Lee Parson, 18, last Friday on suspicion of writing a copycat version of the Blaster worm, AV specialists warn that other suspects in the Blaster and Sobig-F outbreaks may be much more difficult to track down.

Alex Shipp, anti-virus technologist at MessageLabs, drew a distinction between script kiddie-style virus authors such as Parson, who often brag about their exploits, and the unknown creators of the Sobig mass mailer series, who cover their tracks.

"There's a big difference between virus authors like Simon Vallor, who was caught after he boasted about creating a series of viruses in a chatroom, who are crying out for attention and whoever wrote the Sobig series," Shipp told The Register.

"Virus writers put their name inside viruses or leave a trail from where a virus is first posted on the Net back to them. The people behind Sobig have left no such clues. It'll be difficult to track them down but with more variants coming out over time this may help the authorities, especially if the people behind the virus make a mistake," he added.

Graham Cluley, senior technology consultant for Sophos Anti-Virus, agrees that there are "no obvious clues" in the code of the Sobig mass mailers.

However Sobig-F did attempt to contact 20 computers just over a week ago in a failed attempt to download a 'second-phase' payload. Analysing these computers might be a useful line of inquiry, Cluley suggests.

Investigators think the original Blaster worm was posted onto a pornographic newsgroup via Arizona ISP Easynews.com using an account purchased with a stolen credit card.

Meanwhile the variant of the worm allegedly created by Parson contained a Trojan horse component, which communicated with a virus-writing Web site owned by the teenager. For good measure, Parson's online nickname teekid is coded into Blaster-B.

Sometimes, as in the case of Jan de Wit, author of the Anna Kournikova worm, virus authors turn themselves in to the authorities out of remorse for their actions, but virus writers are seldom discreet.

Cluley comments: "What pleasure can you get in creating a virus if you don't tell anyone?"

Vanity isn't the only factor that gives virus authors away. Stupidity often plays a decisive role. Although this charge has been levelled at Parson, Cluley reckons Michael Buen, a virus writer who included his CV in the malicious code he produced, is easily the dumbest he has ever come across.

The unlikely lads: virus writers in the dock

In November 1988, Cornell graduate student Robert Morris wrote the first worm to propagate over the Internet. The Morris Worm exploited a Unix-related vulnerability to spread. Morris, the son of a security expert at the National Security Agency, was convicted of computer abuse offences and sentenced to three years probation, 400 hours of community service and a $10,000 fine.

In November 1995, Christopher Pile (alias "The Black Baron") appeared for sentencing at Exeter Crown Court for eleven offences under sections two and three of the Computer Misuse Act. Pile, who had earlier pleaded guilty to all charges against him, was sentenced to eighteen months in prison.

Cheng Ing-hau, a sergeant in the Taiwanese Army, wrote the destructive Chernobyl (CIH) virus in 1998, reportedly out of a grievance he harboured against AV companies. The virus was programmed to erase the contents of infected hard disks on April 26, the anniversary of the Chernobyl nuclear disaster of 1986. He was detained by the Taiwanese military authorities in April 1999 but later released without charge because (scarcely believably) no Taiwanese firms came forward to admit they had been affected by the virus. He was re-arrested in September 2000 after a complaint by a Taiwanese student but again managed to escape serious punishment.

David L Smith of New Jersey wrote the Melissa mass mailing virus, which he released in March 1999, reportedly as a 'tribute' to a Florida lap dancer he was fixated upon. The worm created a message storm which forced major IT companies including Microsoft, Intel and Lucent Technologies to shut down their email gateways and left a trail of destruction in its wake. Smith pleaded guilty to releasing the virus in December 1999 but the authorities left him waiting for sentencing until May 2002, when he was sent to jail for 20 months and fined $5,000. Smith, who's in his 30s, launched the prolific Melissa mass mailing worm by posting infected documents to an alt.sex Usenet newsgroup using a stolen AOL account. Investigators eventually traced Smith from this illicit posting.

Filipino computer studies student Onel de Guzman was the prime suspect in the release of the LoveBug computer virus in 2000. A lack of relevant computer crime laws in the Philippines meant he was never prosecuted. Guzman was mates with Michael Buen, who somehow reckoned bundling his CV with a computer virus might improve his chances of getting a job.

Jan de Wit (AKA On the Fly), of The Netherlands, wrote the Anna Kournikova virus in 2001 using a virus creation toolkit. Shocked at the success of his creation, de Wit turned himself in to the authorities and pleaded guilty to releasing the prolific mass mailing worm. He claimed he released the virus as an experiment after reading a survey which suggested users hadn't learnt any lessons from the spread of the LoveBug.

At de Wit's September 2001 trial, US investigators were only able to list 55 incidents of infection, causing just $166,827 worth of damage (independent commentators believe this figure grossly underestimated the damage caused by the virus). After pleading guilty, de Wit was sentenced to 150 hours of community service for computer crime offences. Many thought this sentence unduly lenient but de Wit appealed anyway. His punishment was upheld on appeal.

Last year, 22 year-old Welsh Web designer Simon Vallor admitted creating the Gokar, Redesi and Admirer mass mailers. In January 2003, he was sentenced to two years imprisonment.

Jeffrey Lee Parson, 18, was arrested for releasing a copycat version of the Blaster worm. The original authors of the worm remain at large.

The ones that got away...

Dark Avenger, the author of one of the first polymorphic viruses (i.e. a virus that changes its characteristics in an attempt to fool AV scanners), was one of the most prolific virus authors of the late 1980s. However his viruses had no major impact. He was never charged with any criminal offence but frequently commented on the virus writing scene and was largely responsible for earning his home country, Bulgaria, and the wider Balkan region, the reputation as the world centre for virus writing up until the mid 1990s.

The threat of the Code Red IIS infecting worm was arguably overhyped, but after the FBI and Microsoft made the unprecedented step of staging a joint press conference to warn about its spread you might think its author(s) would soon be apprehended. Think again.

Although more prolific than Code Red, Nimda spread by exploiting the same underlying flaw in Microsoft IIS Web Server software to even more devastating effect. Nada on any arrests.

SirCam, the bandwidth-hogging, privacy-threatening worm, has also failed to generate any arrests.

Slammer, arguably the most destructive worm ever, knocked South Korean ISPs offline and rendered some bank automatic teller machines temporarily inoperable back in January. The worm even took out the PC network of an Ohio nuclear power plant. There's no sign of any progress towards identifying the perpetrators behind the release of the worm.

The author of Klez, the most prolific virus of 2002, which remains a nuisance even now, likewise remains at large.

The Sobig virus series has been linked to spammers, but the author(s) of the prolific mass-mailer remain free to create yet more mischief.

Jeffrey Lee Parson has been arrested, but the authors of the original Blaster worm, which floored home PCs and small business networks last month, remain out of reach of the authorities. The authors of the Blaster 'clean-up' worm, Nachi, which caused almost as many problems as the worm it was meant to eradicate, have also avoided having their collar felt.



The worm has turned

May 13, 2004


The thrill of releasing a computer virus has outweighed the threat of small penalties. But the latest arrest might have vandal programmers turning on each other. Sue Lowe reports.


Sven Jaschan, the 18-year-old German student named on Monday as the author of the Sasser worm which caused havoc to computers worldwide, is an introvert who managed only a B for computer science at high school. Yet he fits exactly the ego-driven psychological profile of the typical virus writer.


Ajoy Ghosh, a lecturer in the faculty of law at the University of Technology, Sydney, states in his continuing PhD thesis that there are two primary motives for most virus writers: malice and "masturbatory gratification".


"He definitely fits into the masturbatory category," says Ghosh. "It's a power-based thing." Jaschan lives with his parents in a small village near Hamburg, northern Germany, and according to local media reports told police he was trying to write an antidote to the Netsky virus to help his mother, who runs a small PC support business.


He apparently succumbed to peer pressure, writing and releasing at least four different versions of the virus to impress schoolmates. A fifth, released just hours before his arrest, is still being investigated.


Reports said he was released without bail after quickly confessing. He told police he didn't think of the consequences of releasing the viruses and was amazed at the damage caused.


As with almost every other case before it, estimates of the spread of infections and the financial damage caused vary widely. Sasser doesn't rely on email attachments, but instead installs itself on a computer's hard drive before seeking out other internet-connected Windows computers with the same vulnerability. Computers could be infected within 30 seconds of logging on to the internet, experts said.


Microsoft has estimated up to 1.5 million machines might have been infected since May 1 - a figure based on the number of downloads of a free software tool it offered to erase the bug.


Others, including security firm Symantec, put the number of infections "in the hundreds of thousands".


One of the few firms ever to attempt to put a hard dollar figure on virus outbreaks is the British intelligence firm Mi2g. While the firm's estimates are routinely and widely criticised, Mi2g has gamely estimated the damage from Sasser at between $US14.8 billion ($21.2 billion) and $US18.1 billion, making it, in just two weeks, the fifth most damaging piece of malware in almost a decade.

While the Sasser case has gained global headlines due in part to the speed of the arrest, victims of computer viruses looking for a break in the unrelenting cycle will find most of this depressingly familiar.

The author's psychological profile is "classic", the estimated damages are routinely massive, even the chance of this leading to a conviction that might deter future virus writers is conventionally slim. As Jaschan only turned 18 at the end of April, it is expected German authorities will treat him as a juvenile and hand out a far lighter penalty than the five years in prison he could otherwise have faced.

According to Paul Ducklin, the head of the security firm Sophos, it is just one more example of a case against a virus writer being dashed by either his youth or lack of hard evidence.

Ducklin cited the case of Jan de Wit, the Dutchman responsible for the Anna Kournikova email virus in 1999. The email, which promised a photo of the tennis player, bogged networks worldwide by copying itself to every name in users' address books. However, de Wit got off with 150 hours of community service after prosecutors failed to raise the damages bill above $US166,827. All they could muster was evidence from 55 infections.

Ducklin says the heaviest sentence handed down so far was in January last year, when 22-year-old Simon Vallor was sentenced by British courts to two years in jail.

The Welsh virus writer was found guilty of a "calculated and disruptive" crime when he wrote and released the Redesi worm. The virus posed as a message from Microsoft warning of cyber-terrorists following the September 11 attacks and attempted to delete data from infected users' hard drives. His Gokar worm also attempted to overwrite the main page on the websites of infected companies.

Even after receiving one of the toughest sentences for a virus author, a survey of Sophos customers found that 46 per cent felt the sentence was not harsh enough.

There is, however, one issue that experts believe could make the Sasser case different and which could have a more radical impact on the underground culture of the virus writing community than any threat of jail. That's the way Jaschan was caught. The teenager is believed to have been dobbed in by an acquaintance, possibly even another member of his own gang, intent on picking up a $US250,000 reward from Microsoft.

"It seems he was part of a well-known group of virus writers and one of the others got greedy and nominated [Jaschan] for some reason," says Ghosh.

Microsoft first offered the hefty reward for information leading to a successful conviction in relation to the MsBlaster virus last year. Microsoft has admitted it did not hesitate to re-offer the reward when it was contacted in relation to Sasser.

"Aware of this program, certain individuals in Germany approached Microsoft investigators last week, offered to provide information about the creator of the Sasser virus and inquired about their eligibility for a reward," a Microsoft statement said.

Ducklin says the "ludicrously large" size of the reward - he compares it to the $250,000 reward offered for information leading to the conviction of Peter Falconio's killer - will likely prove effective and cause a great deal of distrust within the community.

"Going to prison for virus dissemination in the mistaken belief that it will make you a hero among your peers is one thing. Going to prison whilst those young peers 'pass go' and collect $US250,000 is quite another," he says. "The counterculture guys are going to stop trusting each other quite so much."

For the many who have cursed Microsoft for its stream of vulnerability alerts and patches over the past few years, watching it pay out in cash will at least be some form of natural justice.


Looking into the mind of a virus writer

Expert: Computer virus writers mostly obsessed males

Wednesday, March 19, 2003 Posted: 9:28 AM EST (1428 GMT)

SINGAPORE (Reuters) -- Male. Obsessed with computers. Lacking a girlfriend. Aged 14 to 34. Capable of sowing chaos worldwide.

That is the profile of the average computer-virus writer, an anti-virus expert said on Tuesday.

About 1,000 viruses are created every month by virus writers increasingly intent on targeting new operating systems, said Jan Hruska, the chief executive of British-based Sophos PLC, the world's fourth-largest anti-virus solutions provider. "So far, we've seen no indication of decreased interest in virus writing," Hruska told Reuters in an interview.

"Virus writers are constantly looking for new vectors of infection, targeting the vulnerabilities of operating systems to exploit them for their creations," he said.

Hruska said the number of viruses created would continue to climb in the coming years.

In almost all cases, virus writers were computer-obsessed males between the ages of 14 and 34, he said.

"They have a chronic lack of girlfriends, are usually socially inadequate and are drawn compulsively to write self-replicating codes. It's a form of digital graffiti to them," Hruska said.

In January, Welsh virus writer and web designer Simon Vallor, 22, was sentenced to two years' jail for spreading three mass-mailing computer viruses that allegedly infected more than 27,000 computers in 42 countries.

Exploiting bugs and flaws

To create and spread cyber infections, virus writers explore known bugs in existing software, or look for vulnerabilities in new versions.

"With more and more new OS (operating system) versions, there will be more new forms of viruses, as every single software or OS will carry new features, and new executables that can be carriers of the infection," Hruska said.

Executables are files that launch applications in a computer's operating system, and feature more prominently in new platforms like Microsoft's Windows 2000 and Windows XP than they did in the older DOS or Windows 3.1, he added.

Earlier last month, the malicious Slammer worm spread across the globe in 10 minutes, nearly cutting off Web access in South Korea and shutting down some U.S. bank teller machines.

The virus, which exploited a flaw in Microsoft's SQL Server database software, caused damage by rapidly replicating itself and clogging the pipelines of the global data network.

The next target for the virus writing community could be Microsoft's .NET platform for Web Services, which involves connecting different computer systems to do business seamlessly over the Internet, Hruska noted.

Virus writers also share information to create variants of the same infection, such as the Klez worm, which has been among the world's most prolific viruses in the last 13 months, he said.

The Klez, a mass-mailing worm that originated in November 2001, propagates via e-mail using a wide variety of messages and destroys files on local and network drives.

"The source code for the Klez could have been made widely available on the Net, and budding virus writers would download the source code, modify, and relaunch it as a different variant. It's one of those viruses that refuse to go away," he said.





U.S. Department of Justice, Federal Bureau of Investigation
For Immediate Release
August 26, 2003
Washington D.C.
FBI National Press Office

FBI Encourages Computer Users To Protect Themselves From “Sobig” and “Blaster” Computer Viruses

Washington, DC – The FBI today announced that it is working to identify the person or persons responsible for creating and spreading the so-called “Sobig” virus and “W32/Blaster” worm, and encouraged computer users to take steps to protect themselves.

Director Mueller said, “Protecting the nation’s cyber infrastructure is a top priority for the FBI, and we are working with the Department of Homeland Security and with state and local law enforcement on our Cyber Task Forces to track down the perpetrators of Sobig and the recent W32/Blaster worm. We employ the latest technology and code analysis to direct us to potential sources, and I am confident that we will find the culprits.”

Jana Monroe, Assistant Director of the FBI’s Cyber Division said, “We are constantly facing new malicious computer codes including worms, viruses, Trojan Horses, and their variants. Unfortunately, such exposure has become a part of being in cyberspace, but there are steps that individuals and businesses can take to protect themselves.”

To protect against Sobig, W32/Blaster, and other worms and viruses, all computer users who connect to the Internet, including home users, and all computer systems administrators must remain vigilant by updating their anti-virus software on a regular basis. Patches are available for Sobig and Blaster, but those who have not downloaded a patch remain vulnerable. Computer users should also exercise caution in opening any e-mails or attachments from unknown persons or companies.

Users with a computer already affected by Sobig, W32/Blaster, or other malicious code should contact their Internet Service Provider or computer manufacturer for assistance.

Jana Monroe said, “Anyone with information about the origins of Sobig, W32/Blaster, or other malicious code should contact their local FBI office.”