Parson not dumbest virus writer ever, shock!
Published Monday 1st September 2003 20:04 GMT
Security experts are expressing caution about the FBI's confident prediction that it will catch all the culprits behind the two viral epidemics which ravaged the Internet last month.
Although quick to praise the authorities for nabbing Jeffrey Lee Parson, 18, last Friday on suspicion of writing a copycat version of the Blaster worm, AV specialists warn that other suspects in the Blaster and Sobig-F outbreaks may be much more difficult to track down.
Alex Shipp, anti-virus technologist at MessageLabs, drew a distinction between script kiddie-style virus authors such as Parson,
who often brag about their exploits, and the unknown creators of the Sobig mass mailer series, who cover their tracks.
"There's a big difference between virus authors like Simon Vallor, who was caught after he boasted about creating a series
of viruses in a chatroom, who are crying out for attention and whoever wrote the Sobig series," Shipp told The Register.
"Virus writers put their name inside viruses or leave a trail from where a virus is first posted on the Net back to them.
The people behind Sobig have left no such clues. It'll be difficult to track them down but with more variants coming out over
time this may help the authorities, especially if the people behind the virus make a mistake," he added.
Graham Cluley, senior technology consultant for Sophos Anti-Virus, agrees that there are "no obvious clues" in the code
of the Sobig mass mailers.
However, just over a week ago Sobig-F did try to contact 20 computers to download a 'second-phase' payload, an attempt that failed. Analysing those computers might be a useful line of inquiry, Cluley suggests.
Investigators think the original Blaster worm was posted onto a pornographic newsgroup via Arizona ISP Easynews.com using
an account purchased with a stolen credit card.
Meanwhile the variant of the worm allegedly created by Parson contained a Trojan horse component, which communicated with a virus-writing Web site owned by the teenager. For good measure Parson's online nickname, teekid, is coded into Blaster-B.
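The clues Shipp and Cluley describe (a handle or a call-home address left in the binary) are exactly what a first-pass strings triage looks for. The script below is an added illustration, not code from the article or from any of the cases it discusses: it pulls printable ASCII and UTF-16LE strings out of a binary image and sorts them into the buckets an investigator would chase first. The sample blob, the nickname "teekid" in it, the URL teekid-site.invalid and the greetz line are all constructed for the example; they are not Blaster-B's real bytes.

```python
import re
from typing import Dict, List


def build_sample() -> bytes:
    """Constructed stand-in for a worm binary: junk bytes with a handful of
    embedded strings. Invented for this example; not Blaster-B's real bytes."""
    junk = bytes(range(256))  # contains one long printable run (0x20-0x7e)
    sep = b"\x00" * 8
    ascii_parts = [
        b"MZ\x90\x00\x03\x00",                    # PE stub: too short to survive min_len
        b"coded by teekid",                       # author credit left in the binary
        b"http://teekid-site.invalid/stats.php",  # Trojan call-home URL (made up)
        b"GET /report?id=%s HTTP/1.1",            # request template the Trojan would use
    ]
    wide = "greetz to the #vx crew".encode("utf-16-le")  # Windows wide string
    blob = junk + sep
    for part in ascii_parts:
        blob += part + sep
    return blob + wide + sep + junk[::-1]


def extract_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Return printable ASCII and UTF-16LE strings of at least min_len characters,
    in file order (roughly what `strings -a -e s` plus `strings -a -e l` give)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [(m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(blob)]
    hits += [(m.start(), m.group().decode("utf-16-le")) for m in wide_re.finditer(blob)]
    hits.sort()
    return [s for _, s in hits]


# Heuristics for the clues the article talks about: call-home addresses,
# "coded by <handle>" credits and greetz lines.
URL_RE = re.compile(r"(?:https?|ftp)://[\w.\-]+(?::\d+)?(?:/[^\s\"'<>]*)?", re.I)
CREDIT_RE = re.compile(r"\b(?:coded|written|made|created)\s+by\s+(\S+)", re.I)
GREETZ_RE = re.compile(r"\bgreet[sz]?\b", re.I)


def triage(strings: List[str]) -> Dict[str, List[str]]:
    """Sort extracted strings into the buckets an investigator cares about."""
    report: Dict[str, List[str]] = {
        "urls": [], "hosts": [], "handles": [], "greetz": [], "other": []
    }
    for s in strings:
        url = URL_RE.search(s)
        if url:
            report["urls"].append(url.group())
            host = re.sub(r"^\w+://", "", url.group()).split("/")[0].split(":")[0]
            report["hosts"].append(host)
            continue
        credit = CREDIT_RE.search(s)
        if credit:
            report["handles"].append(credit.group(1))
            continue
        if GREETZ_RE.search(s):
            report["greetz"].append(s)
            continue
        report["other"].append(s)
    return report


if __name__ == "__main__":
    for bucket, items in triage(extract_strings(build_sample())).items():
        print(bucket)
        for item in items:
            print("   ", item[:60])
```

The two long runs of consecutive byte values in the constructed junk land in the "other" bucket as noise, just as real `strings` output is mostly noise; raising min_len trims it, at the cost of dropping short handles. A real triage would run this over the unpacked image, since a packed sample shows almost no strings at all.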
Sometimes, as in the case of Jan de Wit, author of the Anna Kournikova worm, virus authors turn themselves in to the authorities out of remorse for their actions. But virus writers are seldom discreet.
Cluley comments: "What pleasure can you get in creating a virus if you don't tell anyone?"
Vanity isn't the only factor that gives virus authors away. Stupidity often plays a decisive role. Although this charge has been levelled at Parson, Cluley reckons Michael Buen - a virus writer who included his CV in the malicious code he produced - is easily the dumbest he has ever come across.
The unlikely lads: virus writers in the dock
In November 1988, Cornell graduate student Robert Morris wrote the first worm to propagate over the Internet. The Morris Worm spread between Unix hosts by exploiting a buffer overflow in fingerd, a debug mode left enabled in sendmail, and weak passwords combined with rsh/rexec trust between machines. Morris, the son of a security expert at the National Security Agency, was convicted under the Computer Fraud and Abuse Act and sentenced to three years' probation, 400 hours of community service and a $10,000
In November 1995, Christopher Pile (alias "The Black Baron") appeared for sentencing at Exeter Crown Court for eleven offences under sections two and three of the Computer Misuse Act. Pile, who had earlier pleaded guilty to all charges against him, was sentenced to eighteen months in prison.
Cheng Ing-hau, a sergeant in the Taiwanese Army, wrote the destructive Chernobyl (CIH) virus in 1998, reportedly out of a grievance he harboured against AV companies. The virus was programmed to erase the contents
of infected hard disks on April 26, the anniversary of the Chernobyl nuclear disaster of 1986. He was detained by the Taiwanese
military authorities in April 1999 but later released without charge because (scarcely believably) no Taiwanese firms came
forward to admit they had been affected by the virus. He was re-arrested in September 2000 after a complaint by a Taiwanese
student but again managed to escape serious punishment.
David L Smith of New Jersey wrote the Melissa mass mailing virus, which he released in March 1999, reportedly as a 'tribute' to a Florida lap dancer he was fixated upon.
The worm created a message storm which forced major IT companies including Microsoft, Intel and Lucent Technologies to shut
down their email gateways and left a trail of destruction in its wake. Smith pleaded guilty to releasing the virus in December
1999 but the authorities left him waiting for sentencing until May 2002, when he was sent to jail for 20 months and fined
$5,000. Smith, who's in his 30s, launched the prolific Melissa mass mailing worm by posting infected documents to an alt.sex
Usenet newsgroup using a stolen AOL account. Investigators eventually traced Smith from this illicit posting.
Filipino computer studies student Onel de Guzman was the prime suspect in the release of the LoveBug computer virus in 2000. A lack of relevant computer crime laws in the Philippines meant he was never prosecuted. De Guzman was mates with Michael Buen, who somehow reckoned bundling his CV with a computer virus might improve his chances of getting a job.
Jan de Wit (AKA On the Fly), of The Netherlands, wrote the Anna Kournikova virus in 2001 using a virus creation toolkit. Shocked at the success of his creation, de Wit turned himself in to the authorities
and pleaded guilty to releasing the prolific mass mailing worm. He claimed he released the virus as an experiment after reading
a survey which suggested users hadn't learnt any lessons from the spread of the LoveBug.
At de Wit's September 2001 trial, US investigators were only able to list 55 incidents of infection, causing just $166,827
worth of damage (independent commentators believe this figure grossly underestimated the damage caused by the virus). After
pleading guilty, de Wit was sentenced to 150 hours of community service for computer crime offences. Many thought this sentence
unduly lenient but de Wit appealed anyway. His punishment was upheld on appeal.
Last year, 22 year-old Welsh Web designer Simon Vallor admitted creating the Gokar, Redesi and Admirer mass mailers. In January 2003, he was sentenced to two years imprisonment.
Jeffrey Lee Parson, 18, was arrested last Friday for releasing a copycat version of the Blaster worm. The original authors of the worm remain at large.
The ones that got away...
Dark Avenger, the author of one of the first polymorphic viruses (i.e. a virus that re-encodes its own body on every infection so that no fixed byte sequence can be used to detect it, in an attempt to fool AV scanners), was one of the most prolific virus authors of the late 1980s. However his viruses had no major impact.
He was never charged with any criminal offence but frequently commented on the virus writing scene and was largely responsible
for earning his home country, Bulgaria, and the wider Balkan region, the reputation as the world centre for virus writing
up until the mid 1990s.
The threat of the Code Red IIS infecting worm was arguably overhyped, but after the FBI and Microsoft made the unprecedented step of staging a joint press conference to warn about its spread you might think its author(s) would soon be apprehended. Think again.
Although more prolific than Code Red, Nimda also attacked Microsoft IIS Web Server software, exploiting directory traversal flaws and the backdoor left behind by Code Red II, and spread by email and open file shares as well, to even more devastating effect. Nada on any arrests.
SirCam the bandwidth-hogging, privacy-threatening worm has also failed to generate any arrests.
Slammer, arguably the most destructive worm ever, knocked South Korean ISPs offline and rendered some bank automatic teller machines temporarily inoperable back in January. The worm even took out the PC network of an Ohio nuclear power plant. There's no sign of any progress towards identifying whoever released the worm.
The author of Klez, the most prolific virus of 2002, which remains a nuisance even now, likewise remains at large.
The Sobig virus series has been linked to spammers, but the author(s) of the prolific mass-mailer remain free to create yet more mischief.
Jeffrey Lee Parson has been arrested but the authors of the original Blaster worm, which floored home PCs and small business networks last month, remain out of reach of the authorities. Authors of the Blaster 'clean-up' worm, Nachi, which caused almost as many problems as the worm it was meant to eradicate, have also avoided having their collar felt.
The worm has turned
May 13, 2004
The thrill of releasing
a computer virus has outweighed the threat of small penalties. But the latest arrest might have vandal programmers turning
on each other. Sue Lowe reports.
Sven Jaschan, the
18-year-old German student named on Monday as the author of the Sasser worm which caused havoc to computers worldwide, is
an introvert who managed only a B for computer science at high school. Yet he fits exactly the ego-driven psychological profile
of the typical virus writer.
Ajoy Ghosh, a lecturer in the faculty of
law at the University of Technology, Sydney, states in his continuing PhD thesis that there are two primary motives for most
virus writers: malice and "masturbatory gratification".
"He definitely fits into the masturbatory category," says Ghosh. "It's a power-based thing." Jaschan lives with his parents in a small village near Hamburg, northern Germany, and according to local media reports told police he was trying to write an antidote to the Netsky virus to help his mother, who runs a small PC support business.
He apparently succumbed to peer pressure,
writing and releasing at least four different versions of the virus to impress schoolmates. A fifth, released just hours before
his arrest, is still being investigated.
Reports said he was released without bail
after quickly confessing. He told police he didn't think of the consequences of releasing the viruses and was amazed at the
As with almost every other case before it,
estimates of the spread of infections and the financial damage caused vary widely. Sasser doesn't rely on email attachments,
but instead installs itself on a computer's hard drive before seeking out other internet-connected Windows computers with
the same vulnerability. Computers could be infected within 30 seconds of logging on to the internet, experts said.
Microsoft has estimated up to 1.5 million
machines might have been infected since May 1 - a figure based on the number of downloads of a free software tool it offered
to erase the bug.
Others, including security firm Symantec,
put the number of infections "in the hundreds of thousands".
One of the few firms to ever attempt to put a hard dollar figure on virus outbreaks is the British intelligence firm Mi2g. While the firm's estimates are ritually and widely criticised, Mi2g has gamely estimated the damage from Sasser at between $US14.8 billion ($21.2 billion) and $US18.1 billion, making it, in just two weeks, the fifth most damaging piece of malware in almost a decade.
While the Sasser case has gained global
headlines due in part to the speed of the arrest, victims of computer viruses looking for a break in the unrelenting cycle
will find most of this depressingly familiar.
The author's psychological profile is "classic",
the estimated damages are routinely massive, even the chance of this leading to a conviction that might deter future virus
writers is conventionally slim. As Jaschan only turned 18 at the end of April, it is expected German authorities will treat
him as a juvenile and hand out a far lighter penalty than the five years in prison he could otherwise have faced.
According to Paul Ducklin, the head of the
security firm Sophos, it is just one more example of a case against a virus writer being dashed by either his youth or lack
of hard evidence.
Ducklin cited the case of Jan de Wit, the Dutchman responsible for the Anna Kournikova email virus in 2001. The email, which promised a photo of the tennis player, bogged networks worldwide by copying itself to every name in users' address books. However, de Wit got off with 150 hours of community service after prosecutors failed to raise the damages bill above $US166,827. All they could muster was evidence from 55 infections.
Ducklin says the heaviest sentence handed
down so far was in January last year, when 22-year-old Simon Vallor was sentenced by British courts to two years in jail.
The Welsh virus writer was found guilty
of a "calculated and disruptive" crime when he wrote and released the Redesi worm. The virus posed as a message from Microsoft
warning of cyber-terrorists following the September 11 attacks and attempted to delete data from infected users' hard drives.
His Gokar worm also attempted to overwrite the main page on the websites of infected companies.
Even after receiving one of the toughest
sentences for a virus author, a survey of Sophos customers found that 46 per cent felt the sentence was not harsh enough.
There is, however, one issue that experts
believe could make the Sasser case different and which could have a more radical impact on the underground culture of the
virus writing community than any threat of jail. That's the way Jaschan was caught. The teenager is believed to have been
dobbed in by an acquaintance, possibly even another member of his own gang, intent on picking up a $US250,000 reward from
"It seems he was part of a well-known group
of virus writers and one of the others got greedy and nominated [Jaschan] for some reason," says Ghosh.
Microsoft first offered the hefty reward
for information leading to a successful conviction in relation to the MsBlaster virus last year. Microsoft has admitted it
did not hesitate to re-offer the reward when it was contacted in relation to Sasser.
"Aware of this program, certain individuals
in Germany approached Microsoft investigators last week, offered to provide information about the creator of the Sasser virus
and inquired about their eligibility for a reward," a Microsoft statement said.
Ducklin says the "ludicrously large" size
of the reward - he compares it to the $250,000 reward offered for information leading to the conviction of Peter Falconio's
killer - will likely prove effective and cause a great deal of distrust within the community.
"Going to prison for virus dissemination
in the mistaken belief that it will make you a hero among your peers is one thing. Going to prison whilst those young peers
'pass go' and collect $US250,000 is quite another," he says. "The counterculture guys are going to stop trusting each other
quite so much."
For the many who have cursed Microsoft for
its stream of vulnerability alerts and patches over the past few years, watching it pay out in cash will at least be some
form of natural justice.
Looking into the mind of a virus writer
Expert: Computer virus writers mostly obsessed males
March 19, 2003 Posted: 9:28 AM EST (1428 GMT)
SINGAPORE (Reuters) -- Male. Obsessed with computers. Lacking a girlfriend. Aged 14 to 34. Capable
of sowing chaos worldwide.
That is the profile of the average computer-virus
writer, an anti-virus expert said on Tuesday.
About 1,000 viruses are created every month
by virus writers increasingly intent on targeting new operating systems, said Jan Hruska, the chief executive of British-based
Sophos PLC, the world's fourth-largest anti-virus solutions provider. "So far, we've seen no indication of decreased interest
in virus writing," Hruska told Reuters in an interview.
"Virus writers are constantly looking for
new vectors of infection, targeting the vulnerabilities of operating systems to exploit them for their creations," he said.
Hruska said the number of viruses created
would continue to climb in the coming years.
In almost all cases, virus writers were
computer-obsessed males between the ages of 14 to 34 years, he said.
"They have a chronic lack of girlfriends,
are usually socially inadequate and are drawn compulsively to write self-replicating codes. It's a form of digital graffiti
to them," Hruska said.
In January, Welsh virus writer and web designer
Simon Vallor, 22, was sentenced to two years' jail for spreading three mass-mailing computer viruses that allegedly infected
more than 27,000 computers in 42 countries.
Exploiting bugs and flaws
To create and spread cyber infections, virus
writers explore known bugs in existing software, or look for vulnerabilities in new versions.
"With more and more new OS (operating system)
versions, there will be more new forms of viruses, as every single software or OS will carry new features, and new executables
that can be carriers of the infection," Hruska said.
Executables are files that launch applications
in a computer's operating system, and feature more prominently in new platforms like Microsoft's Windows 2000 and Windows
XP than they did in the older DOS or Windows 3.1, he added.
In January, the malicious Slammer worm spread across the globe in 10 minutes, nearly cutting off Web access in South Korea and shutting down some U.S. bank
The virus, which exploited a flaw in Microsoft's
SQL Server database software, caused damage by rapidly replicating itself and clogging the pipelines of the global data network.
The next target for the virus writing community
could be Microsoft's .NET platform for Web Services, which involves connecting different computer systems to do business seamlessly
over the Internet, Hruska noted.
Virus writers also share information to
create variants of the same infection, such as the Klez worm, which has been among the world's most prolific viruses in the
last 13 months, he said.
Klez, a mass-mailing worm that originated in November 2001, propagates via e-mail using a wide variety of messages and destroys files on local and network drives.
"The source code for the Klez could have
been made widely available on the Net, and budding virus writers would download the source code, modify, and relaunch it as
a different variant. It's one of those viruses that refuse to go away," he said.
For Immediate Release
August 26, 2003
FBI National Press Office
FBI Encourages Computer Users To Protect Themselves From
“Sobig” and “Blaster” Computer Viruses
Washington, DC – The FBI today announced that it is working to identify the person or persons responsible
for creating and spreading the so-called “Sobig” virus and “W32/Blaster” worm, and encouraged computer
users to take steps to protect themselves.
Director Mueller said, “Protecting the nation’s cyber infrastructure is a top priority for the FBI,
and we are working with the Department of Homeland Security and with state and local law enforcement on our Cyber Task Forces
to track down the perpetrators of Sobig and the recent W32/Blaster worm. We employ the latest technology and code analysis
to direct us to potential sources, and I am confident that we will find the culprits.”
Jana Monroe, Assistant Director of the FBI’s Cyber Division said, “We are constantly facing new
malicious computer codes including worms, viruses, Trojan Horses, and their variants. Unfortunately, such exposure has become
a part of being in cyberspace, but there are steps that individuals and businesses can take to protect themselves.”
To protect against Sobig, W32/Blaster, and other worms and viruses, all computer users who connect to the Internet, including home users, and all computer systems administrators must remain vigilant by updating their anti-virus software on a regular basis. A patch is available for the Windows RPC vulnerability that W32/Blaster exploits, and anti-virus updates detect Sobig, but those who have not applied them remain vulnerable.
Computer users should also exercise caution in opening any e-mails or attachments from unknown persons or companies.
Users with a computer already affected by Sobig, W32/Blaster, or other malicious code should contact their Internet Service Provider or computer manufacturer for assistance.
Jana Monroe said, "Anyone with information about the origins of Sobig, W32/Blaster, or other malicious code should contact their local FBI office."