Authorities Investigate Romanian Virus Writer
Sep 4, 2003 2:05 PM PT
Authorities in Romania are investigating another suspected writer of a Blaster variant, according to Bucharest-based BitDefender, which reported similarities between the 24-year-old suspect and Jeffrey Lee Parson, the Minnesota teenager accused of authoring a different Blaster variant.
The U.S. arrest and European investigation involve copycat versions of the original Blaster worm, which pounced on hundreds of thousands of vulnerable Windows PCs last month.
While law enforcement agencies, including the FBI, have vowed to use the latest technology and code analysis to track the writers of Blaster and the more troublesome SoBig.F worm, security experts said the authors of more potent, sophisticated viruses often manage to remain anonymous by covering their digital tracks.
"The amazing side of this peculiar situation is that two people are to stand trial for having modified original code of MSBlast.A (the first Blaster worm), but the creator of the worm is still out there," said a BitDefender statement. "Antivirus specialists concur in saying that such altered versions are not as difficult to create as the original."
The Romanian suspect is the second Blaster variant writer alleged to have unleashed a modification of the original Blaster worm, which took advantage of a widespread Microsoft Windows vulnerability.
U.S. authorities last week announced the arrest of Jeffrey Lee Parson, an 18-year-old Minnesota man accused of releasing another Blaster variant. Parson has since claimed that law enforcement officials, knowing he released the variant, have asked for his help in tracking down the original Blaster author.
While the FBI would not comment on current investigations, a senior official at the bureau told TechNewsWorld that there is concern about variants and the implications of additional virus writers.
Finding the Virus
Despite concerns that the major virus writers are going unidentified and unpunished, McAfee Avert vice president Vincent Gullotto told TechNewsWorld that an opportunity to find and stop any virus writer, even if he or she only created a variant, is better than finding no one.
Gullotto, who referred to the prosecution of original virus writers in the Melissa and Kournikova cases, said the arrest of a suspect in one case might lead investigators to other viruses released by the same person.
"Most virus writers are what you might call habitual offenders," he said. "This is an ongoing process for them, so they may be responsible for more. It's not clearly a case of a small fry."
Extending the Code
MessageLabs chief information security analyst Paul Wood told TechNewsWorld that variants of different computer viruses and worms typically come from one of two sources -- either the same person who wrote the first version of the virus or a new person who does additional work to extend the malicious code.
"You may find a variant appear because someone has reverse engineered and enhanced it," Wood said. "Quite often, it's usually the same people or person involved."
Referring to the "weird community" of virus writers, Wood said they often collaborate in virtual groups where one person has power over the others and acts as an administrator of the project.
Forrester industry analyst Jan Sundgren told TechNewsWorld that the spamming elements of the SoBig.F worm -- a variant that hit far more victims than the original SoBig worm discovered last year -- illustrate a technological evolution of virus writers.
"I think over time they might become more subtle and more clever," Sundgren said. "It could spell a new era of viruses that are used for specific purposes."
Sundgren referred to the difficulty of tracking down virus writers, particularly when they are skilled enough to cover their digital tracks, and said few offenders are caught.
Because of law enforcement's limited success in apprehending and prosecuting major virus writers -- last year's 20-month prison sentence for Melissa writer David Smith, 34, was among the most prominent achievements -- security experts doubt legal recourse will be a hindrance to many would-be attackers.
"It certainly sends a message," Sundgren said. "But if it's only a few people here and there, the idea of an inhibiting effect goes away."
Virus fighters, many of whom were disappointed by the relatively light sentence and the amount of time it took to prosecute Smith, said they actively work with law enforcement to provide code analysis as well as likely sources of viruses.
Caught Releasing Code
Wood, who blamed "old protocols" of the Internet and service providers' struggle to log traffic for contributing to virus outbreaks, said the use of infected or otherwise compromised computers often allows virus writers to remain undetected.
However, Wood added that seeding a virus -- launching it onto the Internet -- is a typical weak point and often leaves a trail back to the author.
In the cases of the Romanian and Minnesotan suspects, use of nicknames in materials they wrote appears to have led to their apprehension. Both face penalties of as many as 10 to 15 years in prison and US$250,000 in fines, based on U.S. and Romanian law.