Published May 24, 2000
An elite squad of amateur virus-tracking sleuths is successfully identifying suspects for the police and the FBI. The hunters are on a campaign to find those who create damaging infectious programs that spread to computers around the globe.
No ensconced virus-writing prankster is safe from these three researchers. No matter where in the world the perpetrators hide, digital clues reveal their location and actual names for the authorities.
At each international convulsion over a new virus, worm, macro or trojan horse program released through the Internet, the team is called. These devoted specialists, like the counterparts they hunt, engage in their activities for the enjoyment of the chase and the challenge of learning how the Internet works.
The elder statesman of the unique trio is Richard Smith, a retired programmer from Brookline, MA, and the owner and founder of Phar Lap Software. Web security issues are a casual interest of his. In his spare time Smith has documented many unethical practices of mainstream software publishers.
Last year, Smith revealed RealNetworks' secret data-gathering processes. He was also the first to uncover Microsoft's hidden registration tricks and the discrete identifying/tracking numbers its software embeds in users' files.
Fredrik Bjorck, a 27-year-old Ph.D. student studying security at the University of Stockholm, is also a consultant for an international tax and accounting firm. Bjorck and Smith first met on a Usenet newsgroup, where they shared an interest in finding the sources of these internationally spreading viruses.
Bjorck brought in Jonathan James, an 18-year-old high school student from Uppsala, north of Stockholm. James's tasks included the laborious effort of sifting through program code.
Smith, Bjorck and James collaborated to successfully locate and identify the code-writer of the Melissa email worm last year and have been involved in other high profile incidents since. The three men have not actually met each other in person.
Between May 4 and 10, the "Love Bug" worm was sent to 45 million computers in 20 countries, reports the Washington Post. Our trio quickly traced the infectious attack in different directions, converging ultimately on the same point of origin: an Internet Service Provider in Manila, Philippines. Impressively, they also identified college dropouts Onel de Guzman and Michael Buen as suspects for the authorities.
Smith believes there is a high probability that other people were involved. Bjorck is convinced that the sole suspect may be just the primary distributor rather than the originating author.
James examined the code of the worm. He found it strikingly similar to code from the AMA Computer College in the Philippines. De Guzman was a member of Grammersoft, a computer cracking group of AMACC students that sold term papers and small business software.
Because United States government agencies had been damaged by this and other viruses, the FBI is involved. Special agent Jim Margolin of the New York office said that discussing private citizens' contributions to the agency is contrary to policy; however, he proudly confirmed that Smith, Bjorck and James "are recognized by our people to generally know what they are talking about."
Margolin said the FBI is presently asking the U.S. Attorney's Office to seek extradition of the non-US citizen suspects for violations of US laws, in the absence of applicable statutes in the Philippines. This raises another Noriega-style precedent of extending jurisdiction internationally.
Computer viruses need to hide themselves, and the voluminous bulk of the Windows operating system provides more than sufficient camouflage. Companies like IBM and Symantec Corp. are engaged in advancing counter-virus software.
The rapid spread of the recent VBS LoveLetter worm, like others before it, exploits known, unpatched security holes in programs such as Microsoft Outlook and the Microsoft Windows operating systems. The worm changes instructions on the victim's computer so that the e-mail program's address book is used to send the infection to every address in it.
Viruses of this type typically skyrocket to epidemic proportions within the first 8 to 24 hours, then wane at 36 hours, and are reduced to a minor inconvenience by 48 hours. The spread trickles on for the next few weeks and then more or less subsides.
On an infected computer the worm overwrites files that end in .vbs, .vbe, .js, .css, .wsh, .sct, .hta, .jpg, .jpeg, .mp2, and .mp3 with a copy of itself. The best course of recovery after detection is to restore these files from an incremental backup of your data. Macintosh and Linux users are immune.
The Web site in the Philippines was quickly shut down. Bjorck, Smith and James are ready to hunt for the source of the next big one, which will surely come.
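Recovery from a backup assumes you know which files were overwritten. The following triage script is an added example, not code from the article or from any of the researchers it describes; it turns the article's description (target extensions, each overwritten with a copy of the same script) into two defender-side signals and goes a little beyond the single case in the text. First, a media file (.jpg, .jpeg, .mp2, .mp3) whose leading bytes are not the expected format header but look like script text is suspect. Second, files with different target extensions that are byte-identical to each other are suspect, because a real stylesheet and a real MP3 never coincide, while files overwritten by one script body always do. The script markers, the sample files and the script body used in them are constructed for the example and are not the worm's code.

```python
"""Triage helper: list files that a mass-overwriting script worm may have replaced.

Constructed example. The extension list comes from the article; the format
headers, script markers and sample files are assumptions made for the example.
"""
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# Extensions the article lists as overwritten by the worm.
TARGET_EXTS = {".vbs", ".vbe", ".js", ".css", ".wsh", ".sct", ".hta",
               ".jpg", ".jpeg", ".mp2", ".mp3"}

# Text fragments typical of a VBScript body (assumed heuristic, not a signature).
SCRIPT_MARKERS = (b"On Error Resume Next", b"CreateObject(", b"WScript", b"Set ")


def has_expected_magic(ext, head):
    """True if the leading bytes match the format the extension claims."""
    if ext in (".jpg", ".jpeg"):
        return head.startswith(b"\xff\xd8\xff")          # JPEG SOI marker
    if ext in (".mp2", ".mp3"):
        # ID3 tag, or an MPEG audio frame sync (11 set bits at the start).
        return head.startswith(b"ID3") or (
            len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0)
    return True  # script/text types have no fixed header to check


def looks_like_script(head):
    """Two or more script markers in the first bytes: treat as script text."""
    return sum(marker in head for marker in SCRIPT_MARKERS) >= 2


def scan(root):
    """Return (sorted flagged paths, clusters of identical cross-extension files)."""
    flagged = set()
    by_hash = defaultdict(list)
    for path in Path(root).rglob("*"):
        ext = path.suffix.lower()
        if not path.is_file() or ext not in TARGET_EXTS:
            continue
        data = path.read_bytes()
        head = data[:4096]
        # Signal 1: media file with the wrong header and script-looking content.
        if not has_expected_magic(ext, head) and looks_like_script(head):
            flagged.add(path)
        by_hash[hashlib.sha256(data).hexdigest()].append(path)
    # Signal 2: identical bytes under two or more different extensions.
    clusters = []
    for paths in by_hash.values():
        if len({p.suffix.lower() for p in paths}) >= 2:
            clusters.append(sorted(paths))
            flagged.update(paths)
    return sorted(str(p) for p in flagged), clusters


def build_sample_tree(root):
    """Constructed sample files: three intact, three overwritten by one script body."""
    script_body = (b"On Error Resume Next\r\n"
                   b"Set sh = CreateObject(\"WScript.Shell\")\r\n"
                   b"' constructed stand-in for a script body, not the worm\r\n")
    files = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,   # intact JPEG header
        "song.mp3": b"ID3\x03" + b"\x00" * 64,              # intact ID3 tag
        "style.css": b"body { color: black; }\n",           # intact stylesheet
        "holiday.jpeg": script_body,                        # overwritten
        "notes.vbs": script_body,                           # overwritten
        "track.mp2": script_body,                           # overwritten
    }
    for name, content in files.items():
        Path(root, name).write_bytes(content)


def demo():
    """Run the scan over the constructed tree; returns (flagged names, cluster count)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        flagged, clusters = scan(tmp)
        return [os.path.basename(p) for p in flagged], len(clusters)


if __name__ == "__main__":
    names, n_clusters = demo()
    print("restore from backup:", names, "| identical-content clusters:", n_clusters)
```

Note that notes.vbs is caught only by the second signal: a script file legitimately contains script text, so the header check cannot help there, but its contents being identical to a .jpeg and an .mp2 is decisive. Run the scan against the user's data directories, restore the flagged files from the incremental backup, and keep the cluster list as evidence of what was overwritten.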