Cyber Criminals Prove Elusive
It was a great year for catching cyber criminals, but the culprits behind some of the most damaging software viruses of 2004 are proving adept at eluding authorities, security experts say.
Tracking virus writers -- and more importantly, gathering evidence against them -- is a thorny problem for law enforcement agencies worldwide. While the number of arrests made and sentences handed down make 2004 the best year yet for catching cyber criminals, it won't have a noticeable effect on eliminating virus writers, according to Finnish security firm F-Secure.
"The arrests, nearly all of them relating to virus writing, have been the hobbyists, teenagers -- the easy ones," said Mikko Hypponen, F-Secure director of anti-virus research. "What we'd be much more interested in getting arrested would be the professionals and the virus writers who do it for money."
The company pointed to three primary security-related trends in 2004: a massive increase in phishing attacks, the introduction of open-source botnets, and for-profit virus writing.
Consider the six major viruses -- Bagle, MyDoom, Netsky, Sasser, Korgo and Sober -- of 2004: three were designed for specific crimes, F-Secure said.
The intent of MyDoom and Bagle and the legions of variants they spawned was to
create zombied PCs. It gave spammers a launching pad to dramatically increase
the amount of junk e-mail around the world. According to F-Secure numbers, at
one point MyDoom.A was responsible for 10 percent of all e-mail traffic.
Because both viruses used the Mitglieder proxy Trojan
The two viruses also prompted something of a turf
battle among virus writers. Netsky, which delivers its own
PC-compromising payload, also deleted the registry entries used to launch
the Bagle proxy.
The Korgo virus, on the other hand, was designed to grab credit card and
banking information, according to F-Secure. Similar to the Sasser
worm, the virus targeted Windows 2000 and XP machines, scanning
random IP addresses for PCs with a vulnerable, unpatched Local Security
Authority Subsystem Service (LSASS).
While the amount of spam is becoming an ever-increasing problem for
individuals and corporations -- the numbers range anywhere from
66 percent to 82 percent of total e-mail volume, depending on the season --
the viruses that launch spam proxies are being created because it makes
money.
Marty Lindner, CERT Coordination Center team leader for incident handling,
said the increase in spam and phishing attacks -- human exploitation, not
software exploitation -- is one of the biggest trends in 2004.
"Why do the bad guys have to work so hard writing fancy code to exploit a
buffer overflow or something when I can offer you a Rolex watch and I've
got you?"
Catching virus writers has been a tough job for law enforcement agencies
around the world. Despite some high-profile arrests, the relative number is
small. In August, the Department of Justice reported success with Operation
Slam Spam.
"If there's an increase [in arrests and indictments], it's very, very
slight," said Paul Bresson, a spokesperson for the FBI, about his agency's efforts to combat virus writers. "We
tend to devote our resources depending on the volume and scope of what's out
there, and if there's a lot out there, we devote more resources."
The international nature of the Internet means many criminals can leave a
long, convoluted trail that crosses national boundaries with ease, even if
law enforcement agencies can't. Despite actions by the Federal Trade
Commission to promote cross-border communications and aid, there are still
blind spots where virus writers can flourish.
Hypponen said whenever he speaks with his law enforcement contacts about
tracking spammers or virus writers and it leads to places like Romania or
Belarus or Lithuania, "you hear this sigh from the investigators,"
because they know it becomes that much harder to gain local cooperation, he
said.
"The bad guys know how to re-route their spam and their viruses and their
hacking through six, seven, eight different countries and go through
places like China and South Korea and some obscure island in the South
Pacific just to make it hard for the authorities to track them," Hypponen said.
As an example, he points to a recent case where a Russian factory was hit
with a virus by a hacker group operating out of Kuwait. The virus, gaining
access to the machines, started downloading more code from a Web site
registered in a small island off the coast of Africa. The actual Web
server, however, wasn't there; it was registered through Sweden to Jordan.
From Jordan, the infected machines in Russia downloaded code that connected
them with an IRC chat system operated on chat.cnn.com -- CNN's chat server
in the U.S.
Hypponen said it was a relatively easy matter for his company to call CNN
and the ISPs in charge of the Web server to blunt the effects of the
outbreak, but it's something police would have had a tougher time
accomplishing.
"If the Russian factory would have called the cops," he said, "how likely would it have
been for the Russian police to first of all successfully track the virus
around the globe and how likely is it that they would have been able to
prosecute the Kuwaiti offenders?"
Nabbing Virus Writers

Month      Country   Action
November   Russia    Member of 29A virus group sentenced
August     USA       Blaster.B author confesses
July       Russia    Three DDoS hackers arrested
July       Spain     Cabrotor backdoor author sentenced
June       Hungary   Magold virus author sentenced
June       Finland   VBS/Lasku virus author arrested
May        Taiwan    Peep backdoor author arrested
May        Canada    Randex variant author arrested
May        Germany   Agobot variant authors arrested
May        Germany   Sasser & Netsky author arrested

Source: F-Secure