TechWeb

Skepticism About Tracking Down Internet Attackers

Jan 28, 2003 (07:01 PM EST)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=6500309


WASHINGTON (AP)--Leading experts on Internet security are skeptical that the FBI and other investigators will be able to track down whoever was responsible for last weekend's attack on the Internet.

These experts, including many who provide technical advice to the FBI and other U.S. agencies, said exhaustive reviews of the blueprints for the attacking software are yielding few clues to its origin or the author's identity.

"The likelihood of being able to track down the specific source of this is very unlikely," said Ken Dunham, an analyst at iDefense Inc., an online security firm. "We don't have the smoking gun."

The worm's author could face up to life in prison under new U.S. anti-terror legislation passed two months ago, some legal experts said.

Under the Cyber-Security Enhancement Act, prosecutors can seek a life sentence against hackers caught launching attacks that cause or attempt to cause deaths. An attack aimed at causing "serious bodily injury" could result in 20 years behind bars.

"It would depend on the intent of the person who released this and the foreseeable harm it might cause," said Marc Zwillinger, a former top Justice Department cyber prosecutor. "It's not clear this is an act of terrorism."

Many top experts believe the programming for the Internet worm was based on software code published on the Web months ago by a respected British computer researcher, David Litchfield, and later modified by a virus author known within the Chinese hacker community as "Lion."

Litchfield, who works for NGS Software Inc., said Wednesday that he now appreciates the dangers in publicly disclosing such computer code. He said he originally published those blueprints for computer administrators to understand how hackers might use the program to attack their systems.

"One has to question whether the benefits are outweighed by the disadvantages," Litchfield said in a telephone interview from his home in London. "I'm certainly going to be more careful about the way in which anything is disclosed."

The altered computer code was published in the online hangout for the Hacker Union of China, known as Honker, a group active in skirmishes between American and Chinese hackers that erupted in 2001 after the forced landing of a U.S. spy plane.

But experts said it was impossible to say whether members of that Chinese hackers organization unleashed the damaging worm.

"There are unmistakable similarities," said Neel Mehta, who studied the programming for Atlanta-based Internet Security Systems Inc. "It goes far beyond coincidence, but I'm certainly not going to say Honker did this."

ISS said that its own analysis identified at least 247,000 infected computers worldwide, far higher than earlier estimates.

Unlike attacking software used in some previous high-profile Internet disruptions, the latest code is exceedingly condensed and doesn't include references to hacker aliases or locations. It also used a transmission method that made it especially easy for its author to throw off investigators by falsifying his digital trail.

"It's as bare bones as it gets," said Marc Maiffret of eEye Digital Security Inc. "There was just enough to break in and make it propagate."

The blueprints for the destructive "Love Bug" virus, unleashed in May 2000 by a Filipino computer student, included references within the computer code to his classmates and the university he attended. Those mistakes helped U.S. investigators track him within 24 hours.

"It will be virtually impossible" for federal agents to trace the latest worm's author by studying blueprints or searching for the attack's origin, said Kevin Mandia, an investigator for Foundstone Inc. "It's not going to be easy at all."

An FBI spokesman, Paul Bresson, acknowledged the challenges facing cyber investigators given the scarcity of clues tucked inside the computer code.

All this doesn't mean investigators won't get lucky: Hackers routinely draw the FBI's attention by claiming credit for their online exploits in chat rooms. That's how the FBI traced attacks against major American e-commerce sites in February 2000 to a Canadian youth.

"The kind of people who do this, fame and notoriety are the primary motivation," said Zwillinger, now with the Sonnenschein, Nath & Rosenthal law firm. "They don't derive financial benefit from unleashing a worm. If they can't claim credit, what's the point?"