Read Fatal System Error Online

Authors: Joseph Menn

Tags: #Business & Economics, #General, #Computers, #Security, #Viruses & Malware, #Online Safety & Privacy, #Law, #Computer & Internet, #Social Science, #Criminology


BOOK: Fatal System Error
12.92Mb size Format: txt, pdf, ePub
SoBig stopped spreading quickly and began to fade from public awareness as 2003 came to a close. Then along came two similar uberviruses, Bagle and MyDoom. Like their inspiration, both were frequently updated with improvements. These too showed the sophistication that is a hallmark of organized criminal activity. And both created new legions of zombie computers for spam and other ends. In MyDoom’s case, the trimmings included a successful denial-of-service attack on the SCO Group, a software company that had outraged technologists by filing copyright suits against firms using the free operating system Linux. Like some earlier virus-enhanced denial-of-service attacks, MyDoom’s assault might have reflected personal taste but was more probably a red herring for investigators and a bid to win some points with technophiles angered by the infections. Prolexic defended against the SCO attack for about five hours. The firepower was so massive that the company told SCO it would cost $200,000 a month to fight off. The company decided to register a new Web address instead.
Bagle had the distinction of being the first truly commercial virus, according to Russia’s Kaspersky Labs. It opened a back door, and later downloads through that opening turned the captured computers into open relays for spam. Estimates of the damage from the three giant spam-driven viruses ran well into the billions of dollars. When no one was charged with their release, it underscored how powerless authorities were in fighting cybercrime. That failure prompted some ambitious responses by private citizens, in ways both good and bad.
The most notable case of vigilantism run amok was that of a German vocational computer student named Sven Jaschen. The seventeen-year-old was impressed by MyDoom’s technical merits and appreciative of its DDoS attack on SCO, which rendered the company’s main website unreachable. But he was horrified by the crass financial motivation he saw behind MyDoom. Jaschen asked a classmate if he thought they could build something together that would spread even more quickly and wipe out MyDoom. Sitting in the basement of his home in Rotenburg, across the desk from his computer-repairman stepfather, Jaschen wrote a total of twenty-nine versions of what came to be called NetSky. The virus used the same recently discovered Windows hole as MyDoom and Bagle to enter machines, but then removed the pernicious programs and all traces of the infections.
While the fight was deadly serious, the sides traded insults like children. Bagle.J contained the following text: “Hey Netsky, fuck off you bitch, don’t ruine [sic] our business, wanna start a war?” And a war is what it was. Each version of all three not only improved from the previous edition but also adapted to the latest moves by its opponents. In clandestine battles fought inside family rooms and dusty studies in homes across the world, each virus used the advances to roust foes from their lairs. In terms of sheer numbers of hosts infected, the underdog NetSky was the most successful of the three. As a result, said F-Secure’s Mikko Hypponen, it was more effective in cutting down on the flow of spam than anything that had happened in Congress or the federal courts. Jaschen “saw himself as some kind of Robin Hood.”
Most professionals would say that NetSky, like its forebears, was a bad idea to begin with. It tied up resources and complicated the efforts of security experts as they tried to plug holes and fix the damage. And though Jaschen produced the most effective antivirus virus to date, he took a questionable act and then made it indefensible. As he released new versions to keep up with better Bagles and MyDooms, Jaschen added functions that strayed farther and farther from his initial plan. First he included denial-of-service attacks against websites that offered hacking tools. Then he slid more, adding as targets some peer-to-peer sites for file traders and even some universities that had kicked Jaschen out.
Jaschen’s next project was a virus called Sasser, which had no redeeming qualities at all. It forced computers to reboot continuously. In May 2004 Sasser shut down most of the train traffic in Australia and knocked out X-ray equipment at two hospitals in Sweden. For several months, Hypponen said, Jaschen “was probably the most powerful seventeen-year-old in the world.” Not long after his eighteenth birthday, Jaschen was arrested. He had been betrayed by the classmate to whom he had turned for advice. Even though he was suspected of collaborating with Jaschen, the whistleblower-come-lately was hoping for a $250,000 bounty from Microsoft. Tired of criticism and lost sales due to its security issues—as well as the denial-of-service attacks against it—Microsoft had recently begun offering rewards for the capture of virus writers. For what may have been the most important company on the planet, it was a startling strategy—a lot less Harvard Business School and a lot more Wild West, and a potent indicator of how far the Net had moved beyond control.
SOBIG’S INTELLIGENCE AND POWER had overwhelmed law enforcement and the growing ranks of security professionals. It suggested that organized gangs working for or with spammers could take control of the Internet at any time. Out of official sight, a small group of researchers decided to dedicate themselves to figuring out who was behind the virus that changed the world.
The team took six months to thoroughly dissect the code underlying SoBig, the changes in each new version, and the timing of those shifts. The crew concluded that the stylistic tics in the program echoed those of one of the worst providers of spamming services in the world, a Russian company that made software called Send-Safe. Send-Safe not only provided the technology to deliver spam, it offered a list of open relays that could be used in the process for an additional fee. By creating relay zombies, SoBig directly benefited the makers of Send-Safe.
In addition, a major customer that routinely used pre-release versions of Send-Safe had started using computer ports that would be opened by new versions of SoBig a week later. That implied that the same people who had advance knowledge of Send-Safe had advance knowledge of SoBig. The researchers gave their findings to the FBI. When six months passed without any action, the team posted their work on the Net under the title “Who Wrote SoBig,” where it attracted attention from other security researchers—and the man the team named as the most likely suspect for leading the SoBig effort, Send-Safe executive Ruslan Ibragimov. The Russian denied involvement, calling it “bullshit” in an online interview.
But Ibragimov also sent an email to the anonymous address posted by the study’s authors. “Just read your doc. I’m very impressed,” he wrote. The paper stirred up massive opposition to Send-Safe. After a concerted effort organized online, the company’s foes succeeded in getting telecom giant MCI to stop hosting Send-Safe’s website, an account that had been bringing in $5 million a year. Within days, Send-Safe had been evicted from two subsequent homes, forcing it out of the world of speedy Western technology hosts. It was a rare victory that showed how the concerted effort of professionals and volunteers could do something to blunt the growing clout of the criminals.
In the first interview he granted on the subject, the lead author of the SoBig paper said the real force behind SoBig was not Send-Safe but the big Send-Safe customer. He declined to identify that customer explicitly, out of fear for his physical safety. But he said it was not an ordinary spammer, instead one with special needs. In the context of the conversation, the most reasonable interpretation of his comments is that he was talking about an agency of the Russian government.
The authors of “Who Wrote SoBig?” did more than silence the apparent writer of the first massive spam-financed virus. They inspired others to take up their methods. One of the best was Joe Stewart, who worked for a small South Carolina security firm that has since been bought by SecureWorks. At the least Stewart came up with a compelling lead for anyone investigating the Bagle family of viruses.
In early 2004, a couple of weeks after the first version of Bagle began spreading, Stewart got a tip from an industry colleague in Bulgaria that someone was offering to sell a program that would turn computers into open relays for sending spam. The advertisement, by someone calling himself Oboron, was posted on CarderPlanet, a notorious Russian-language forum for fraudsters. CarderPlanet was one-stop shopping for cybercriminals, offering everything from spam services to tools for computer break-ins.
The sale of an insidious spam program was no longer a startling offer. But out of professional curiosity, Stewart grabbed the demonstration version of the program and reverse-engineered it to get at the underlying code. Oboron’s Trojan horse for the computer takeovers turned out to be the same program left behind by Bagle when it broke into a machine.
Of course, Stewart realized, the Trojan could have been written by some third party and sold to both Oboron and Bagle’s author. So Stewart kept monitoring the salesman’s postings and collecting information on him. As Bagle spread further and further, Stewart saw the salesman’s business model change. Instead of just offering the Trojan for sale, the salesman began charging for access to a network of compromised machines, for as little as $200 a month. Oboron’s program invoked the same Web address that was used to control drone computers under Bagle’s spell, and it had the same ability to block IP addresses of spammers who abused the system or didn’t pay.
Stewart gave his research to the FBI. “I thought law enforcement should have enough to go on here to follow up and catch this guy. I know better now,” he said. His law enforcement contacts initially reacted with enthusiasm. That was followed by silence lasting weeks, then months, as evidence slipped away and the trail grew cold. “I’ve learned that law enforcement is pretty much unable to act unless you can hand them ‘actionable’ intelligence, showing a clear trail of evidence and the perp’s name and home address,” Stewart said at the time. “I doubt anyone will ever be arrested for writing Bagle.”
Still angry at “seeing a few jerks ruin a good thing for the rest of us,” Stewart decided to try to identify Oboron on his own. He believes he succeeded. After giving the full report to the FBI and seeing no action, Stewart agreed to have his findings spelled out here.
Oboron initially offered his Trojan for sale on a site called Elitehackers.com. His profile on that site gave the email address [email protected]. On another forum, crack.ru, one SprutNet listed his email address as [email protected]. Still elsewhere, a hacker accused an Oboron of not being SprutNet, who had built a good reputation selling malicious software. Oboron replied that he was, and noted that both had used the ICQ instant messaging address 353000. The profile directory maintained by ICQ showed that number was supposed to belong to a twenty-four-year-old woman named Yvonne. But the picture on Yvonne’s page was of a young man, who listed as his homepage www.sprutznet.chat.ru/sprutnet.html.
More Internet searches turned up a Web page offering a Trojan claimed by a “Sprutnet” at ICQ number 353000. Checking the source code for that Web page revealed that it had been created in Microsoft Word, and the metadata listed the author of the Word file as “Pavel.” One last page contained the prize. On the Russian business-to-individual sales site Plati.ru, a company had registered as SprutNET, of Vladivostok, on Russia’s east coast. The company gave for its contacts ICQ number 353000 and email [email protected]. Finally, it gave a name for those who wanted to get in touch: Pavel Ramzinskiy. Perhaps he had taken the risk of combining those two identities to get credit in the Plati.ru feedback system from customers he served in each guise: SprutNET was listed as having fifty-five positive reviews and no negatives. Quality always shines through.