Computer Crime Research Center

Experts: Internet Attack Hunt Difficult
The Associated Press

Experts Are Skeptical FBI, Other Investigators Can Track Down Source of Internet Attack

WASHINGTON (AP) Leading experts on Internet security are skeptical that the FBI and other investigators will be able to track down the person responsible for last weekend's attack on the Internet.

These experts, including many who provide technical advice to the FBI and other U.S. agencies, said exhaustive reviews of the blueprints for the attacking software are yielding few clues to its origin or the author's identity.

"The likelihood of being able to track down the specific source of this is very unlikely," said Ken Dunham, an analyst at iDefense Inc., an online security firm. "We don't have the smoking gun."

Many top experts believe the programming for the Internet worm was based on software code published on the Web months ago by a respected British computer researcher, David Litchfield, and later modified by a virus author known within the Chinese hacker community as "Lion."

That altered computer code was published in the online hangout for the Hacker Union of China, known as Honker, a group active in skirmishes between American and Chinese hackers that erupted in 2001 after the forced landing of a U.S. spy plane.

But experts said it was impossible to say whether members of that Chinese hackers organization unleashed the damaging worm.

"There are unmistakable similarities," said Neel Mehta, who studied the programming for Atlanta-based Internet Security Systems Inc. "It goes far beyond coincidence, but I'm certainly not going to say Honker did this."

Unlike attacking software used in some previous high-profile Internet disruptions, the latest code is exceedingly condensed and doesn't include references to hacker aliases or locations. It also used a transmission method that made it especially easy for its author to throw off investigators by falsifying his digital trail.

"It's as bare bones as it gets," said Marc Maiffret of eEye Digital Security Inc. "There was just enough to break in and make it propagate."

The blueprints for the destructive "Love Bug" virus, unleashed in May 2000 by a Filipino computer student, included references within the computer code to his classmates and the university he attended. Those mistakes helped U.S. investigators track him within 24 hours.

Experts said they found no distinctive programming techniques that the new worm's author employed that might help identify him. Investigators were comparing its blueprints to libraries of other malicious software.

Experts were skeptical. "It will be virtually impossible" for federal agents to trace the worm's author by studying blueprints or searching for the attack's origin, said Kevin Mandia, an investigator for Foundstone Inc. "It's not going to be easy at all."

Maiffret agreed: "They're easily going to get away with it," he predicted. "This is not an easy challenge for the FBI."

An FBI spokesman, Paul Bresson, acknowledged the challenges facing cyber investigators given the scarcity of clues tucked inside the computer code.

Miles McNamee, a top official with the U.S. technology industry's Internet early warning center, said this week the damage from the attack could approach several billion dollars.

Others said the FBI was confident Tuesday that the infection started in Korea and Japan, just before stunned U.S. computer administrators noticed massive outbreaks around 12:30 a.m. EST Saturday. That doesn't mean its author lived there, but that the first vulnerable computers were there.

All this doesn't mean investigators won't get lucky: Hackers routinely draw the FBI's attention by claiming credit for their online exploits in chat rooms. That's how the FBI traced attacks against major American e-commerce sites in February 2000 to a Canadian youth.

"The kind of people who do this, fame and notoriety are the primary motivation," said Marc Zwillinger of the Sonnenschein, Nath & Rosenthal law firm, who investigated those e-commerce attacks while at the Justice Department. "They don't derive financial benefit from unleashing a worm. If they can't claim credit, what's the point?"

Source: abcnews.go.com

Home | What's New | Articles | Links
Library | Staff | Contact Us

Copyright Computer Crime Research Center 2001, 2002 All Rights Reserved.
Contact the CCRC Office at +38 061 220 12 83