How And Why A Virus Gets Created

This article appeared in the Toronto Star.
The stealth worm era
With the pace of virus development accelerating, experts fear even nastier criminal attacks in future
CLIVE THOMPSON
SPECIAL TO THE STAR
Many people might wonder why virus writers aren't simply rounded up and arrested for producing their creations. But in most countries, writing viruses is not illegal.

Indeed, in the United States some legal scholars argue that it is protected as free speech. Software is a type of language, and writing a program is akin to writing a recipe for beef stew. It is merely a bunch of instructions for the computer to follow, in the same way that a recipe is a set of instructions for a cook to follow.

A virus or worm becomes illegal only when it is activated - when someone sends it to a victim and starts it spreading in the wild, and it does measurable damage to computer systems. The top malware authors are acutely aware of this distinction.

Most every virus-writer Web site includes a disclaimer stating that it exists purely for educational purposes, and that if a visitor downloads a virus to spread, the responsibility is entirely the visitor's.

Benny's main virus-writing computer at home has no Internet connection at all; he has walled it off like an airlocked biological-weapons lab, so that nothing can escape, even by accident.

Virus writers argue that they shouldn't be held accountable for other people's actions. They are merely pursuing an interest in writing self-replicating computer code. "I'm not responsible for people who do silly things and distribute them among their friends," Benny said defiantly. "I'm not responsible for those. What I like to do is programming, and I like to show it to people - who may then do something with it."

A young woman who goes by the handle Gigabyte told me in an online chat room that if the authorities wanted to arrest her and other virus writers, then "they should arrest the creators of guns as well."

One of the youngest virus writers I visited was Stephen Mathieson, a 16-year-old in Detroit whose screen name is Kefi. He also belongs to Philet0ast3r's Ready Rangers Liberation Front. A year ago, Mathieson became annoyed when he found members of another virus-writers group called Catfish_VX plagiarizing his code. So he wrote Evion, a worm specifically designed to taunt the Catfish guys. He put it up on his Web site for everyone to see. Like most of Mathieson's work, the worm had no destructive intent. It merely popped up a few cocky messages, including: "Catfish_VX are lamers. This virus was constructed for them to steal."

Someone did in fact steal it, because pretty soon Mathieson heard reports of it being spotted in the wild. To this day, he does not know who circulated Evion. But he suspects it was probably a random troublemaker, a script kiddie who swiped it from his site. "The kids," he said, shaking his head, "just cut and paste." Quite aside from the strangeness of listening to a 16-year-old complain about "the kids," Mathieson's rhetoric glosses over a charged ethical and legal debate. It is tempting to wonder if the leading malware authors are lying - whether they do in fact circulate their worms on the sly, obsessed with a desire to see whether they will really work.

While security officials say that may occasionally happen, they also say the top virus writers are quite likely telling the truth. "If you're writing important virus code, you're probably well trained," says David Perry, global director of education for Trend Micro, an antivirus firm. "You know a number of tricks to write good code, but you don't want to go to prison. You have an income and stuff. It takes someone unaware of the consequences to release a virus." But worm authors are hardly absolved of blame. By putting their code freely on the Web, virus writers essentially dangle temptation in front of every disgruntled teenager who goes online looking for a way to rebel. A cynic might say that malware authors rely on clueless script kiddies the same way that a drug dealer uses 13-year-olds to carry illegal goods - passing the liability off to a hapless mule.

"You've got several levels here," says Marc Rogers, a former police officer who now researches computer forensics at Purdue University. "You've got the guys who write it, and they know they shouldn't release it because it's illegal. So they put it out there knowing that some script kiddie who wants to feel like a big shot in the virus underground will put it out. They know these neophytes will jump on it. So they're grinning ear to ear, because their baby, their creation, is out there. But they didn't officially release it, so they don't get in trouble." Rogers says he thinks that the original authors are just as blameworthy as the spreaders.

Symantec's Sarah Gordon also says the authors are ethically naive. "If you're going to say it's an artistic statement, there are more responsible ways to be artistic than to create code that costs people millions," she says.

Critics like Reitinger, the Microsoft security chief, are even harsher. "To me, it's online arson," he says. "Launching a virus is no different from burning down a building. There are people who would never toss a Molotov cocktail into a warehouse, but they wouldn't think for a second about launching a virus." What makes this issue particularly fuzzy is the nature of computer code. It skews the traditional intellectual question about studying dangerous topics.

Academics who research nuclear-fission techniques, for example, worry that their research could help a terrorist make a weapon. Many publish their findings anyway, believing that the mere knowledge of how fission works won't help Al-Qaeda get access to uranium or rocket parts.

But computer code is a different type of knowledge. The code for a virus is itself the weapon. You could read it in the same way you read a book, to help educate yourself about malware. Or you could set it running, turning it instantly into an active agent.

Computer code blurs the line between speech and action. "It's like taking a gun and sticking bullets in it and sitting it on the counter and saying, 'Hey, free gun!'" Rogers says.

Some U.S. academics have pondered whether virus authors could be charged under conspiracy laws. Creating a virus, they theorize, might be considered a form of abetting a crime by providing materials.

Ken Dunham, the head of "malicious code intelligence" for iDefense, a computer security company, notes that there are certainly many examples of virus authors assisting newcomers. He has been in chat rooms, he says, "where I can see people saying, 'How can I find vulnerable hosts?' And another guy says, 'Oh, go here, you can use this tool.' They're helping each other out." There are virus writers who appreciate these complexities. But they are certain that the viruses they write count as protected speech. They insist they have a right to explore their interests. Indeed, a number of them say they are making the world a better place, because they openly expose the weaknesses of computer systems.

When Philet0ast3r or Mario or Mathieson finishes a new virus, they say, they will immediately e-mail a copy of it to antivirus companies. That way, they explained, the companies can program their software to recognize and delete the virus should some script kiddie ever release it into the wild. This is further proof that they mean no harm with their hobby, as Mathieson pointed out. On the contrary, he said, their virus-writing strengthens the "immune system" of the Internet.

These moral nuances fall apart in the case of virus authors who are themselves willing to release worms into the wild. They're more rare, for obvious reasons. Usually they are overseas, in countries where the police are less concerned with software crimes.

One such author is Melhacker, a young man who reportedly lives in Malaysia and has expressed sympathy for Osama bin Laden. Antivirus companies have linked him to the development of several worms, including one that claims to come from the "Qaeda network." Before the Iraq war, he told a computer magazine he would release a virulent worm if the U.S. attacked Iraq - a threat that proved hollow.

When I e-mailed him, he described his favourite type of worm payload: "Stolen information from other people." He won't say which of his viruses he has himself spread and refuses to comment on his connection to the Qaeda worm.

But in December on Indovirus.net, a discussion board for virus writers, Melhacker urged other writers to "try to make it in the wild" and to release their viruses in cybercafes, presumably to avoid detection. He also told them to stop sending in their work to antivirus companies.

Mathieson wrote a critical post in response, arguing that a good virus writer shouldn't need to spread his work. Virus authors are, in fact, sometimes quite chagrined when someone puts a dangerous worm into circulation, because it can cause a public backlash that hurts the entire virus community.

When the Melissa virus raged out of control in 1999, many Internet service providers immediately shut down the Web sites of malware creators. Virus writers stormed online to pillory the Melissa author for turning his creation loose. "We don't need any more grief," one wrote.

If you ask cyberpolice and security experts about their greatest fears, they are not the traditional virus writers, like Mario or Philet0ast3r or Benny. For better or worse, those authors are a known quantity. What keeps antivirus people awake at night these days is an entirely new threat: worms created for explicit criminal purposes.

These began to emerge last year. Sobig in particular alarmed virus researchers. It was released six separate times throughout 2003, and each time the worm was programmed to shut itself off permanently after a few days or weeks.

Every time the worm appeared anew, it had been altered in a way that suggested a single author had been tinkering with it, observing its behaviour in the wild, then killing off his creation to prepare a new and more insidious version.

"It was a set of very well-controlled experiments," says Mikko Hypponen, director of antivirus research at F-Secure, a computer security firm. "The code is high quality. It's been tested well. It really works in the real world." By the time the latest variant, Sobig.F, appeared in August, the worm was programmed to install a back door that would allow the author to assume control of the victim's computer. To what purpose? Experts say its author has used the captured machines to send spam and may also be stealing financial information from the victims' computers.

No one has any clue who wrote Sobig. The writers of this new class of worm leave none of the traces of their identities that malware authors traditionally include in their code, like their screen names or "greetz," shout-outs to their cyberfriends. Because criminal authors actively spread their creations, they are cautious about tipping their hand.

"The FBI is out for the Sobig guy with both claws, and they want to make an example of him," David Perry notes. "He's not going to mouth off." Dunham of iDefense says his online research has turned up "anecdotal evidence" that the Sobig author comes from Russia or elsewhere in Europe.

Others suspect China or other parts of Asia. It seems unlikely that Sobig came from the United States, because American police forces have been the most proactive of any worldwide in hunting those who spread malware. Many experts believe the Sobig author will release a new variant sometime this year.

Sobig was not alone. A variant of the Mimail worm, which appeared last spring, would install a fake pop-up screen on a computer pretending to be from PayPal, an online e-commerce firm. It would claim that PayPal had lost the victim's credit-card or banking details and ask him to type it in again. When he did, the worm would forward the information to the worm's still-unknown author.

Another worm, called Bugbear.B, was programmed to employ sophisticated password-guessing strategies at banks and brokerages to steal personal information. "It was specifically designed to target financial institutions," said Vincent Weafer, senior director of Symantec.

The era of the stealth worm is upon us. None of these pieces of malware was destructive or designed to cripple the Internet with too much traffic. On the contrary, they were designed to be unobtrusive, to slip into the background, the better to secretly harvest data. Five years ago, the biggest danger was the "Chernobyl" virus, which deleted your hard drive. But the prevalence of hard-drive-destroying viruses has steadily declined to almost zero. Malware authors have learned a lesson that biologists have long known: the best way for a virus to spread is to ensure its host remains alive.

"It's like comparing Ebola to AIDS," says Joe Wells, an antivirus researcher and founder of WildList, a long-established virus-tracking group. "They both do the same thing. Except one does it in three days, and the other lingers and lingers and lingers. But which is worse? The ones that linger are the ones that spread the most." In essence, the long years of experimentation have served as a sort of Darwinian evolutionary contest, in which virus writers have gradually figured out the best strategies for survival.

Given the pace of virus development, we are probably going to see even nastier criminal attacks in the future. Some academics have predicted the rise of "cryptoviruses" - malware that invades your computer and encrypts all your files, making them unreadable.

"The only way to get the data back will be to pay a ransom," says Stuart Schechter, a doctoral candidate in computer security at Harvard. (One night on a discussion board I stumbled across a few virus writers casually discussing this very concept.) Antivirus companies are writing research papers that worry about the rising threat of "metamorphic" worms - ones that can shift their shapes so radically that antivirus companies cannot recognize they're a piece of malware. Some experimental metamorphic code has been published by Z0mbie, a reclusive Russian member of the 29A virus-writing group.

And mobile-phone viruses are probably also only a few years away. A phone virus could secretly place 3 a.m. calls to a toll number, sticking you with thousand-dollar charges that the virus' author would collect. Or it could drown 911 in phantom calls. As Marty Lindner, a cybersecurity expert at CERT/CC, a U.S.-funded computer research centre, puts it, "The sky's the limit." The profusion of viruses has even become a U.S. national security issue.

Government officials worry that terrorists could easily launch viruses that cripple American telecommunications, sowing confusion in advance of a physical 9/11-style attack.

Paula Scalingi, the former director of the U.S. Department of Energy's Office of Critical Infrastructure Protection, now works as a consultant running disaster-preparedness exercises. Last year she helped organize "Purple Crescent" in New Orleans, an exercise that modeled a terrorist strike against the city's annual Jazz and Heritage Festival. The simulation included a physical attack but also used a worm unleashed by the terrorists, designed to cripple communications and sow confusion nationwide. The physical attack wound up flooding New Orleans; the cyberattack made hospital care chaotic. "They have trouble communicating, they can't get staff in, it's hard for them to order supplies," she says. "The impact of worms and viruses can be prodigious." This new age of criminal viruses puts traditional malware authors in a politically precarious spot. Police forces are under more pressure than ever to take any worm seriously, regardless of the motivations of the author.

A young Spaniard named Antonio discovered that last fall. He is a quiet 23-year-old computer professional who lives near Madrid. Last August, he read about the Blaster worm and how it exploited a Microsoft flaw. He became intrigued, and after poking around on a few virus sites, found some sample code that worked the same way. He downloaded it and began tinkering to see how it worked. Then on Nov. 14, as he left to go to work, Spanish police met him at his door. They told him the anti-virus company Panda Software had discovered his worm had spread to 120,000 computers. When Panda analyzed the worm code, it quickly discovered that the program pointed to a site Antonio had developed. Panda forwarded the information to the police, who hunted Antonio down via his Internet service provider.

The police stripped his house of every computer - including his roommate's - and threw Antonio in jail. After two days, they let him out, upon which Antonio's employer immediately fired him. "I have very little money," he said when I met him in December. "If I don't have a job in a little time, in a few months I can't pay the rent. I will have to go to my parents."

The Spanish court is currently considering what charges to press. Antonio's lawyer, Javier Maestre, argued that the worm had no dangerous payload and did no damage to any of the computers it infected. He suspects Antonio is being targeted by the police, who want to pretend they've made an important cyberbust, and by an antivirus company seeking publicity.

Artificial life can spin out of control - and when it does, it can take real life with it. Antonio says he did not actually intend to release his worm at all. The worm spreads by scanning computers for the Blaster vulnerability, then sending a copy of itself to any open target. Antonio maintains he thought he was playing it safe, because his computer was not directly connected to the Internet. His roommate's computer had the Internet connection, and a local network - a set of cables connecting their computers together - allowed Antonio to share the signal. But what Antonio didn't realize, he says, was that his worm would regard his friend's computer as a foreign target. It spawned a copy of itself in his friend's machine. From there it leapfrogged on to the Internet - and out into the wild. His creation had come to life and, like Frankenstein's monster, decided upon a path of its own.


Updated on ... December 12, 2006