Web Worm Attack Clues Are Scarce
Leading experts on Internet security are skeptical that the FBI and other investigators will be able to track down whoever was responsible for last weekend's attack on the Internet.
The virus-like disruption crippled 911 and financial institution systems, and even Microsoft itself. South Korea's economy was hurt, and there's no measurement yet of the effects on the U.S. economy.
Experts, including many who provide technical advice to the FBI and other U.S. agencies, said exhaustive reviews of the blueprints for the attacking software are yielding few clues to its origin or the author's identity.
"The likelihood of being able to track down the specific source of this is very unlikely," said Ken Dunham, an analyst at iDefense Inc., an online security firm. "We don't have the smoking gun."
The worm's author could face up to life in prison under new U.S. anti-terror legislation passed two months ago, some legal experts said.
Under the Cyber-Security Enhancement Act, prosecutors can seek a life sentence against hackers caught launching attacks that cause or attempt to cause deaths. An attack aimed at causing "serious bodily injury" could result in 20 years behind bars.
"It would depend on the intent of the person who released this and the foreseeable harm it might cause," said Marc Zwillinger, a former top Justice Department cyber prosecutor. "It's not clear this is an act of terrorism."
Among the targets of the weekend attack were banking operations and 911 centers.
The nation's largest residential mortgage firm, Countrywide Financial Corp., told customers who called Monday that its systems were still suffering. Its Web site, where customers can make payments and check their loans, was closed most of the day.
American Express Co. confirmed that customers couldn't reach its Web site to check credit statements and account balances during parts of the weekend. The attack prevented many customers of Bank of America Corp., one of the largest U.S. banks, and some large Canadian banks from withdrawing money from automatic teller machines Saturday.
Police and fire dispatchers outside Seattle resorted to paper and pencil for hours after the attack disrupted operations for the 911 center that serves two suburban police departments and at least 14 fire departments.
Microsoft Corp. itself was exposed to the virus-like attack last weekend because it failed to install crucial fixes to its own software on many Microsoft computer servers, according to internal e-mails obtained by The Associated Press.
"It is scary to think that it affected police and fire dispatches, it affected 911 systems, it affected financial institutions," said CBS Radio News Tech Analyst Larry Magid. "Nobody died as far as we know as a result of the attack, but certainly a lot of people were inconvenienced. It had a huge impact on South Korea's economy, and we don't yet know what impact it had on the U.S. economy."
Many top experts believe the programming for the Internet worm was based on software code published on the Web months ago by a respected British computer researcher, David Litchfield, and later modified by a virus author known within the Chinese hacker community as "Lion."
Litchfield, who works for NGS Software Inc., said Wednesday that he now appreciates the dangers in publicly disclosing such computer code. He said he originally published those blueprints for computer administrators to understand how hackers might use the program to attack their systems.
"One has to question whether the benefits are outweighed by the disadvantages," Litchfield said in a telephone interview from his home in London. "I'm certainly going to be more careful about the way in which anything is disclosed."
The altered computer code was published in the online hangout for the Hacker Union of China, known as Honker, a group active in skirmishes between American and Chinese hackers that erupted in 2001 after the forced landing of a U.S. spy plane.
But experts said it was impossible to say whether members of that Chinese hacker organization unleashed the damaging worm.
"There are unmistakable similarities," said Neel Mehta, who studied the programming for Atlanta-based Internet Security Systems Inc. "It goes far beyond coincidence, but I'm certainly not going to say Honker did this."
ISS said that its own analysis identified at least 247,000 infected computers worldwide, far higher than earlier estimates.
Unlike attacking software used in some previous high-profile Internet disruptions, the latest code is exceedingly condensed and doesn't include references to hacker aliases or locations. It also used a transmission method that made it especially easy for its author to throw off investigators by falsifying his digital trail.
"It's as bare bones as it gets," said Marc Maiffret of eEye Digital Security Inc. "There was just enough to break in and make it propagate."
The blueprints for the destructive "Love Bug" virus, unleashed in May 2000 by a Filipino computer student, included references within the computer code to his classmates and the university he attended. Those mistakes helped U.S. investigators track him within 24 hours.
"It will be virtually impossible" for federal agents to trace the latest worm's author by studying blueprints or searching for the attack's origin, said Kevin Mandia, an investigator for Foundstone Inc. "It's not going to be easy at all."
An FBI spokesman, Paul Bresson, acknowledged the challenges facing cyber investigators given the scarcity of clues tucked inside the computer code.
All this doesn't mean investigators won't get lucky: Hackers routinely draw the FBI's attention by claiming credit for their online exploits in chat rooms. That's how the FBI traced attacks against major American e-commerce sites in February 2000 to a Canadian youth.
"The kind of people who do this, fame and notoriety are the primary motivation," said Zwillinger, now with the Sonnenschein, Nath & Rosenthal law firm. "They don't derive financial benefit from unleashing a worm. If they can't claim credit, what's the point?"