NetWorm- the Aftermath and the Question of Justice

Squeek

Does this not show you the unreadiness of our system?  If an 18-year-old kid can take out millions of computers... What can a terrorist do?

Personally, I think this kid did us all a big favor.  When Microsoft says "CRITICAL SECURITY UPDATE!!!" you may want to pay attention.  Everybody infected are those who could care less.

This worm has not affected me in any way [:D]

~Squeek

PS - Try not to open emails that say...  "Topic"  (Date sent) 108kb.

Emails should be less than 10kb.  Anything more I would consider unsafe.  Besides...I just delete all my emails as soon as I get them.

Adrian

Greetings everyone,

I have blocked thousands of this virus over the last week or two at my mail server, none got through, never seen anything like it before!

It still amazes me how so few people have learned their lessons from previous viruses! ISPs still don't filter email, and users still open suspicious attachments from people they have never even heard of before.

My advice to people is straightforward; if you receive an attachment to an email always delete it unless you know what it is and who it is from. When exchanging emails with people, never send executable files, always zip them first or alter the file extension.

With best regards,

Adrian.
The mind says there is nothing beyond the physical world; the HEART says there is, and I've been there many times ~ Rumi

https://ourultimatereality.com/

PeacefulWarrior


Sobig Damage Estimate Increased

by Scott Bekker

8/28/03 — Two days after issuing an initial estimate of the Sobig worm damages, a U.K.-based digital security firm has revised the damage estimate upward by nearly $1.5 billion and broken out the amount of damage resulting from the Sobig.F variant.
"In just under two days, the economic damage attributable to Sobig has risen from $5.59 billion to $7.05 billion as millions of businesses and households worldwide continue to be flooded with infected e-mail," U.K.-based mi2g said in a statement Thursday.

"Sobig has risen to become the third most damaging virus ever according to the mi2g Intelligence Unit as it continues to choke bandwidth even for users with clean machines who are receiving 'returned e-mail messages' non-stop," the group said. The mi2g finding contradicts statements from some other firms that the worm's activity has been slowing.

Sobig has overtaken the Yaha virus in the mi2g's ranking of the most damaging malware over time. It currently trails Klez ($13.94 billion) and Love Bug ($8.75 billion).

The group also estimates that the economic damage from the latest variant, Sobig.F, launched in mid-August, exceeds the damages caused by all previous variants of Sobig. The Sobig.F variant has caused $4.2 billion in damages since Aug. 18, according to the group.

The Mi2g damage estimate is built from sampled productivity loss data, estimates of the number of machines infected and estimates of bandwidth lost.

Sobig.F is scheduled to stop propagating on Sept. 10, when security experts believe the worm's author will launch a new, potentially more potent, variant.

You can contact Scott about "Sobig Damage Estimate Increased" at sbekker@entmag.com.

Teenager arrested in Blaster worm case
Paul Roberts, IDG News Service

01/09/2003 11:09:03

A Minnesota teenager will appear in US federal court on Friday to face charges stemming from the release of a variant of the virulent W32.Blaster Internet worm that ravaged computer systems worldwide earlier this month.

Jeffrey Lee Parson, 18, of Hopkins, Minnesota, was arrested by federal law enforcement Friday morning, according to U.S. Federal Bureau of Investigation (FBI) spokesman Bill Murray.

He will appear before federal magistrate Judge Susan Richard Nelson at the James R. Dougan Federal Building in St. Paul, Minnesota, according to Deputy Clerk Mike Chutich.

Parson was tracked down by a joint federal task force that involved members of the FBI and U.S. Secret Service, Murray said.

According to a complaint filed at the court, Parson will face one count of intentionally causing or attempting to cause damage to a protected computer in connection with the release of W32.Blaster-B, a variant of the original W32.Blaster-A worm.

That variant appeared on August 14, three days after Blaster-A first appeared, and was nearly identical to the original blaster worm. However, Blaster-B used a different file name, teekids.exe, as opposed to msblast.exe, according to antivirus company Sophos.

Teekid was also an online handle used by Parson, according to the complaint, which was filed in the Western District of Washington in Seattle, according to Chutich.

The 10-page complaint lays out Parson's role in modifying the original Blaster worm and releasing the Blaster-B variant, as well as the process law enforcement used to track the virus back to Parson.

The FBI and the U.S. Attorney's Office scheduled a press conference for Friday afternoon regarding the worm, according to U.S. Attorney John Hartingh in the U.S. Attorney's Office for the Western District of Washington in Seattle.

Further details about the case will be presented then, Hartingh said.

A copy of the complaint obtained by IDG News Service indicates that federal law enforcement first got on the trail of Blaster-B's author by tracking down ownership of an Internet domain, www.t33kid.com, that the Blaster-B worm used to download instructions and report on infected hosts.

That chase led from a San Diego, California, Web wholesale Internet services provider, California Regional Internet, to a small Web hosting provider in Watauga, Texas and, from there, to ISP Time Warner Cable, which provided Parson's father's home broadband account in Minnesota.

Time Warner provided the FBI with the location of Parson's home in Hopkins and federal agents raided that home on August 19, seizing seven computers from the house, according to the complaint.

The results of a forensic analysis of those computers are still pending, but the complaint says that during an interview that day, Parson admitted to modifying the Blaster worm and creating the Blaster-B worm variant, naming it "teekids.exe" after his online name.

Parson further admitted to outfitting the new worm with a backdoor Trojan program, named "Lithium" so that he could reconnect to infected computers.

Blaster-A first appeared on August 11 and exploited a widespread vulnerability in Microsoft's Windows operating system.

The worm takes advantage of a known vulnerability in a Windows component called the DCOM (Distributed Component Object Model) interface, which handles messages sent using the RPC (Remote Procedure Call) protocol.

Vulnerable systems can be compromised without any interaction from a user, which helped Blaster spread quickly on machines running the Windows XP and Windows 2000 operating systems.

At the height of the Blaster outbreak, the worm was credited with shutting down the Maryland Motor Vehicle Administration.

Virus experts were surprised that an arrest was pending, citing the difficulty in tracing computer viruses back to their author.

"I think it gets back to how they caught him," said Chris Wraight, a technology consultant at Sophos. "It wasn't digital forensics, but the human intelligence. They did it the old fashioned way, with human intelligence."

However, Wraight was not surprised to learn that the suspect in the Blaster-B case was a teenager.

He and others long maintained that Blaster's blatant copying of proof-of-concept code for using the RPC vulnerability, known as the DCOM exploit, meant that Blaster was the work of a novice virus writer, rather than a pro.

The alleged modification of that code by Parson is typical, Wraight said.

"This clearly shows what happens in the virus world -- people take and modify other people's code and try to one up each other. But most of these guys are not too swift and they get caught because of an error," Wraight said.

While most worm authors are careful to cover their tracks and escape capture, those who are caught face toughened computer crime laws in the U.S. and Europe, he said.

In July, for example, a U.K. court rejected an appeal by 22-year-old Simon Vallor, who was sentenced to two years in prison for writing and releasing three e-mail worms.

In less developed countries, however, there are few laws governing cyber crimes, Wraight said.

The author of one of the most destructive viruses, LoveBug, never faced charges because the Philippines lacked laws on its books to prosecute him, he said.

Parson will be charged with violating U.S. Title 18, section 1030. If found guilty, he could face between five and 20 years in prison and be asked to pay "thousands of dollars" in damages, Murray said.

No specific damages figures were available for the Blaster-B variant, but the complaint refers to more than 7,000 computers being infected with the Blaster-B variant.

In addition, the complaint includes statements by Microsoft representatives that the company "expended significant internal and external (contracted) resources to respond to the distributed denial of service (DDoS) attack launched by Parson's worm against the www.windowsupdate.com site, far in excess of US$5,000.


Second worm suspect investigated


Suspect could face jail time if convicted
A second person is being investigated in connection with the MSBlast worm that caused havoc online last month.
Romanian police confirmed they have a suspect, believed to have released a modified version of the virus.

They have declined to name him, although a computer security company has identified him as 24-year-old Dan Dumitru Ciobanu.

Newly passed Romanian laws mean Mr Ciobanu could face up to 15 years in jail if convicted.


Milder version

Mr Ciobanu is thought to be responsible for creating the "F" version of the MSBlast web worm.

Unlike the original version of the virus, Mr Ciobanu's version is said to have only attacked computers at the Technical University of Iasi, in northeastern Romania.

Text within the virus insulted one of the lecturers at the university and called for him to retire.

Also inside the virus was Mr Ciobanu's online nickname "Enbiei" which helped Romanian police and anti-virus firm BitDefender to track him down.


Suspected virus writer Jeffrey Lee Parson avoids photographers
"We tracked him using the bulletin boards," said Patrick Vicol from BitDefender. "He actually gave his name, not a very smart thing to do."

The "F" version is not thought to have travelled far beyond Romania and was much less virulent than the original MSBlast virus which infected more than 300,000 systems in mid-August.

A police spokesman confirmed they were investigating a suspect but would not reveal his identity.

Two computers that he regularly uses have been confiscated and will soon be analysed for evidence that he unleashed the modified version of the virus.

Copycat arrest

Last week another programmer was arrested for creating and releasing another version of the MSBlast worm.

Jeffrey Lee Parson is thought to be behind the "B" version of MSBlast that infected a few thousand machines.

Mr Parson was tracked down because he too left his online nickname, teekid, in the version of the virus he modified.

If convicted Mr Parson faces up to 10 years in jail and a fine of $250,000. His next court appearance is on 17 September.

Despite the two arrests the creator of the original MSBlast worm remains at large.



Romanian Net Worm Suspect Faces Stiff Charges
Thu September 4, 2003 12:44 PM ET
By Bernhard Warner and Antonia Oprita
BUCHAREST/LONDON (Reuters) - Fifteen years behind bars for a crime that took but 15 minutes to execute.

This is the maximum prison sentence facing 24-year-old Romanian Dan Dumitru Ciobanu, suspected by authorities of developing the low-grade Internet worm "Blaster.F" that security experts suspect took him maybe a quarter of an hour to write.

The penalty once again has stoked the debate about appropriate sentencing for a crime that until recently was dismissed by law enforcement officers as a relatively benign prank by tuned-in teenagers trying to prove a point.

But with a wave of increasingly strong Internet bugs, including last month's original Blaster worm and the Sobig.F virus, inflicting billions of dollars in damage, a zero-tolerance sentiment has begun to emerge.

In Romania, a person found guilty of the new cybercrime law, which covers online fraud, hacking and virus-writing, faces a sentence of three to 15 years, more than twice the maximum sentence for rape.

"We have had this debate that maybe the Romanian law is too tough. But it's alright to be like this," Romanian MP Varujan Pambuccian, who co-wrote the law, told Reuters. "We intended to make it tough."

The Romanian law may be the toughest anywhere. Britain's Computer Misuse Act, for example, carries a maximum sentence of five years if convicted of releasing a virus that infects other computers.

American teenager Jeffrey Lee Parson was arrested last week for creating and distributing the "Blaster.B" variant, a program that infected at least 7,000 computers. He faces imprisonment of 10 years and a $250,000 fine if convicted.

Meanwhile, the mastermind behind the original Blaster worm, which is believed to have infected over 500,000 computers running Microsoft Windows, remains at large.

LITTLE DAMAGE

Anti-virus experts said Blaster.F has done little damage, infecting roughly 1,000 computers since it emerged on Monday. "It looks like it took him no more than fifteen minutes to write," said Mikko Hypponen, manager of anti-virus research at Finland's F-Secure.

Police have not charged Ciobanu. On Thursday, Gheorghi Plai, chief commissioner at the Regional Center for Combating Organized Crime in the suspect's home city of Iasi, confirmed to Reuters the investigation is continuing.

Ciobanu was identified in a statement issued on Wednesday by BitDefender, a division of Romanian software firm Softwin SRL, which helped police track down the suspect. The firm said on Thursday the suspect's computers would be examined on Friday or early next week, after which charges could be filed.

The Ciobanu case has stirred some mixed feelings about the potential severity of new cybercrime laws, even among security specialists who helped collar the man.

"Among the programmers in our company, I have been confronted by a wave of sympathy for him. They want to know why we identified him and gave him up to the police," said Mihai Radu, a spokesman for BitDefender.

Others in Romania's IT industry, which has become a recruitment hotbed for Western European and American software developers, are pushing for tough justice. They say a few bad seeds could spoil Romania's reputation as an emerging software development hub.

"Romanians are excellent IT programmers, but unfortunately they haven't learned to focus their efforts in the right direction," said Marius Ursachi, creative officer at Web design firm Grapefruit Design in Iasi, in northeastern Romania.

Romania is known for exporting young talent to Western IT companies, but in the ex-communist Balkan country just 13 percent of the country's 22 million population use the Internet. Romania, where monthly salaries average $130, and neighboring Bulgaria are the least wired Eastern European nations.

Time To Update Your Microsoft Software Again

September 4, 2003


SEATTLE - Those of you using Mac OS or Linux can relax, but those using MS Office on Windows, take note: Microsoft has issued some more security alerts.

Microsoft is reporting five new flaws in its software, including one of "critical" severity that affects nearly all programs in its Office suite of software.

The critical vulnerability could allow an attacker to read files on a victim's computer or run programs. To be successful a person would have to open a tainted email attachment.

The flaw appears in nearly all programs included in Microsoft Office 97, 2000 and XP (Word, Excel, PowerPoint and Access).

It also affects Visio 2000, 2002 and Project 2000 and 2002.

The other four vulnerabilities affect Microsoft Office, Access, Word and Windows, and include flaws of lower severity.

Microsoft has disclosed 38 security flaws so far this year.


We shall not cease from our exploration, and at the end of all our exploring, we shall arrive where we started and know the place for the first time.
T.S. Eliot
---------------
fides quaerens intellectum