Cops take a bite, or maybe a nibble, out of cybercrime

Source: USA TODAY
By Jon Swartz
Date: September 02, 2003

cybercrimes Score one for the cybercops. But the game is far from over. The arrest Friday of a Minnesota high school student, who authorities say wrote a variation of the Blaster worm that has wreaked havoc with thousands of Microsoft Windows users and caused millions of dollars in damage, was a partial but rare victory in the emerging world of cybersleuths. Jeffrey Lee Parson was caught with gumshoe guile and a high-tech paper trail of his own doing. The 18-year-old, who is scheduled to begin his senior year at Hopkins High School in Hopkins today, was arrested last week by Secret Service and FBI agents tracking him for several weeks.

The swift investigation and hints from authorities that they are hot on the trail of the SoBig.F virus creator are encouraging signs for computer crime investigators after years of frustration and digital dead ends, security experts say. It could also have a chilling effect on the underground hacker community, which has long operated without fear of prosecution.

Code writers of a handful of about 225 viruses worldwide have been caught — and only because they made mistakes that exposed their identities. Businesses and consumers increasingly are victims of more virulent viruses and worms as the USA relies more on technology to power energy, travel systems and businesses. Blaster and other computer attacks in August caused an estimated $3.5 billion in damage to North American companies, the worst month ever, TruSecure says. The estimates do not include small businesses or consumers burned by Blaster, SoBig and other attacks.

Whether law enforcement is able to catch more cyberthieves could be crucial to the economy and infrastructure amid the threat of cyberterrorism, anti-virus experts warn. Last month, computer crashes ground freight train operator CSX Transportation to a halt, snarling commuter rail service near Washington, D.C. Air Canada delayed flights when the Nachi variant overwhelmed its reservation systems. In January, parts of FirstEnergy's computer network — including machines monitoring its Ohio Davis-Besse nuclear plant — were toppled by the Slammer computer worm. The plant has been shut down since February 2002. Do cybercops have the upper hand? Hardly, say experts, who note that investigations rarely result in arrests because the programs and their code-slinging authors are hard to trace. "Finding the creator of a virus is a rarity," says Matt Yarbrough, former head of the Cybercrimes Task Force in the Justice Department. "It's easier to profile a terrorist from the Middle East."

"Terrorists could cause a hell of a lot more damage taking out a power grid than blowing up a building," he says. "The next wave of terrorism could be blackouts tied to worms and viruses."

Stop Internet Fraud

Security experts are especially alarmed that hackers are evolving from thrill-seeking computer geeks to organized groups motivated by profit and political ideology. But the ease with which authorities say an apparent novice like Parson launched the "Blaster.B" worm, and the damage it inflicted, is sobering news to virus hunters.

Federal officials acknowledge that Parson has no connection to the creators of the original Blaster worm, which so far has infected over 500,000 PCs worldwide and cost North American companies $1.3 billion. Authorities are still searching for Blaster's authors.

Security experts dismiss Parson as a copycat, one of thousands of self-taught programmers who use normal PCs and simple software to copy the work of more creative hackers who remain at large. Although it appears he was more interested in bragging rights than financial gain, federal authorities say they'll prosecute Parson to deter others. "We have to demonstrate that what these guys do comes with a heavy price," said John McKay, the U.S. District Attorney in Seattle handling the case. Parson is scheduled for a Sept. 17 preliminary hearing. If convicted, he could face up to 10 years imprisonment and a $250,000 fine.

At least 7,000 computers were infected by Parson's program. Blaster is a self-replicating Internet worm that takes over poorly defended computers and harnesses them to launch concerted data attacks on a Microsoft technical service Web site. The two versions of the worm cause infected computers to close down and restart frequently.

The cybertrail

Federal investigators — working with Microsoft and computer-security companies — nabbed Parson by intentionally infecting a computer with the virus and tracing it to his Web site, www.t33kid.com. He also directed computers infected with his worm to send their Internet addresses there.

In the clandestine world of hackers, Parson did a poor job covering his tracks. He reportedly changed the name of a file to "teekid.exe," similar to a name he uses on Internet chat rooms and game Web sites, and may have boasted about his exploits on the Internet. Within days of discovering Parson's version of Blaster, FBI and Secret Service agents stormed the apartment he shares with his parents on Aug. 19, seizing seven computers. He confessed at the time, according to the government's complaint.

"He was freaking out," says 16-year-old pal Nina Bauernfeind. "I think he was surprised it got to the level it got to."

Calls to Parson's apartment, where he has lived since the mid-1990s, went unanswered. Neighbors described Parson as smart and quiet, with a penchant for driving his car fast through the neighborhood, which Hopkins Police Chief Craig Reid describes as an area largely of transient apartment dwellers. Parson has no prior adult arrest record in Hopkins or surrounding Hennepin County.

Parson's missteps led agents to him, but that shouldn't minimize the strides made hunting hackers. "The proficiency in law enforcement has developed from finding a needle in a haystack to catching up to the bad guys," says John Frazzini, vice president of intelligence operations at security firm iDefense and former head of the Secret Service's electronic-crimes task force.

Law enforcement is better armed with more sophisticated technology, computer-savvy agents and the assistance of anti-virus companies to hunt hackers, security experts say.

FBI agents who cut their teeth in drug and bank robbery investigations are being trained in cybercrime prevention and learning from previous cases. "With each successive investigation, agents develop keener eyes for evidence," Frazzini says.

A list of 20 compromised computers recently targeted by creators of the SoBig virus could offer authorities clues as to who unleashed the code. "You trace the trail backward, you get that much closer to the perpetrators," says Vincent Weafer, a senior director at Symantec. "Software code and techniques are sometimes the fingerprints of hackers."

Anti-virus companies like TruSecure, F-Secure and industry leader Symantec typically scour message boards and chat rooms for malicious code, suspicious activity and chatter among hackers. They have collected information on suspicious Internet addresses and nicknames for virus code over the last several years. When a virus erupts, they routinely forward the information to the FBI and local law enforcement.

"We act as moles," says Peter Tippett, chief technology officer of TruSecure. It has about a dozen technicians who collect and catalog data.

TruSecure helped the FBI catch the author of the Melissa virus in 1999. The company combed through Internet messages and fingered David L. Smith, who was later sentenced to 20 months in prison.

Computer-security companies routinely set up decoy PCs to collect viruses, which are analyzed to determine the best way to counter them.

Law enforcement, particularly the FBI, has also dropped its reluctance to share information with computer-security companies. "The private sector acts like a neighborhood crime watch," Frazzini says.

Two months ago, the Department of Homeland Security launched the National Cyber Security Division, a 60-person unit responsible for posting computer security alerts, which was done for Blaster in mid-July.

The FBI, Homeland Security, anti-virus companies and other federal agencies combined to thwart SoBig.F, an e-mail virus that uses infected machines to spread spam. Investigators are confident they have identified a suspect and are closing in.

To catch a hacker

Despite gains in cyberinvestigations, it may be harder to catch virus writers now than ever, computer experts say. There is no governing body to oversee more than 10,000 virus creators worldwide and the savviest have shunned chat rooms since Smith was arrested. What's more, there are 30,000 Web sites containing hacker and virus-writing tools. Only those familiar with the site's operator have access.

"These guys cover their digital trails well," says Chris Wraight, a consultant at anti-virus vendor Sophos. "Those who get caught are stupid or greedy."

More troubling: Viruses are spreading faster and are harder to trace as virus watchers use ever more sophisticated encryption. Even an unsophisticated programmer can cover his tracks by routing code through Internet servers scattered across the globe, says Mikko Hypponen, director of anti-virus research at F-Secure.

The creators of Code Red, Nimda and Slammer worms — which inflicted a combined $5 billion in damage the past two years — have not been caught.

Even when cybercops get their man, they're often hindered. When the FBI traced the Love Bug virus to a student in Manila in 2000, he was not prosecuted because the Philippines had no laws against spreading computer viruses.

"Challenges are everywhere. The cat-and-mouse game is growing exponentially because viruses are more frequent, complex and have greater impact," Weafer says. "That's the reflection of a wired society."

Original article at: http://www.usatoday.com/money/industries/technology/2003-09-01-blaster-cover_x.htm

^macro[showdigestcomments;^uri[];Cops take a bite, or maybe a nibble, out of cybercrime]