Tracking A Thief Via The Sircam Virus?

func writes with a rather strange situation: "Hey, my house was robbed, and they stole my computer, vcr, rc heli, and all my beer (!bastards!). But, on the positive side, the thief has been using the computer, and managed to infect himself with the Sircam virus. Now, some of my friends are getting virii sent to them by my stolen computer! Any way to track this guy via email, or even an ip or something stored in the virus code itself? And if I do find him, do I send the cops, or just my 6-foot-4, 260-lb ex-eastern-block buddy Radek?"

Since this virus' spread (cross fingers) seems to be slowing down a bit, this may take fast work. If you can reply with any suggestions for func, please include "Radek" or "Cops" in your subject line. (Just not the FBI.) Perhaps he could send a friendly letter to the thief offering free tech support?

HTML email?

If he's been emailing your friends, why not setup a quick webserver which hosts a .gif or .jpg and send the guy an HTML email back with an img tag referencing to the website you setup. Turn on logging on the website and you'll have his IP address and the access time. From there you can email the upstream/the cops and you should be set.

Headers

"Received:" headers in he mail usually contain IP addresses and dates -- when checked against ISP logs they can point to the user, or a phone number if he used a dialup with your account.

Of course, email MUST be copied in the form it was received, not mutilated by Outlook or other kind of garbage. If the recipient is unlucky enough to use Exchange, enable POP or IMAP support and download email from it using fetchmail or pine.

Even easier/quicker

If he's running any old binary sent to him, why not have one of your friends send a gift in reply? All it needs to do is grab the IP and timestamp, then email those details to you. Forward that to the police who can get location data from the ISP.

Why not bypass the ISP (and the accompanying red-tape) entirely? If the laptop is using a modem to connect to the net, send the thief a binary which would cause the modem to call your home or work number and immediately play a sound clip that you can identify. When you receive a call that plays the sound clip, look on your caller ID and then use a reverse directory to map the phone number to a physical address.

If the laptop is using ethernet to connect... well, that's a bit tougher. I'm not sure how to track it without the assistance of the ISP it in that case.

Hidden Bomb?

I never thought about this, but it is an interesting idea. Has anyone programmed a hidden bomb that must be disabled every couple times you boot up, by the user. If this disabling action isn't completed after a few boots, it starts sending information to a secure location. Just give them enough leway to hang themselves. (Of course, this assumes they are on the net.)

Although, the first thing I would do if someone handed me a computer is format and reload all the drives...

Keep in contact with him!

You need to give him a reason to keep in contact with someone. I suggest you ask a female friend to take nude pictures of herself which she will send on a regular basis to this guy. Eventually, she will meet him in a sleezy hotel room and crush him between her thighs.

Re:Yes.

Assuming that the poor guy's startup page is not set to slashdot! If thats the case the thief knows whats going on. ;)

Cop paranoia of a lesser kind

Somewhat related...

A long time ago a friend of mine ran a BBS on his Amiga. He had the startup rigged with a boot-meny containing a fake "Start BBS"-entry as a default, which - if chosen - would encrypt the RDB (Rigid Disk-Block) and reset. Or something to that effect.

Hey, don't look at me, it wasn't my computer, nor my idea.

it depends

If it was good beer, leave the cops out of it. If it was bad beer, sic the law on him.
If it was BUD, have Radek slap some sense into you.

Radek!

Someone who steals your computer and then disables the security deserves what he gets.

I assume he disabled your security. And not that you forgot to secure it.

Re:Fuck the police, get some vengence

> The cops will just get snitty with you cuz you solved the crime.

If you walk in to your local PD and say "I 0wn h1m! j00 cl00less fux0rz list3n 2 m33!", yeah, they'll get snitty.

If you walk in, and behind closed doors (or cubicles :), outline how you solved it, in such a way that the officer you're talking to also has enough of an understanding on how to solve it, you've just taught a cop a new way to solve crime that none of his buddies know, and you've probably just made a friend.

Beat a man over the head with a fish, and he'll slap you across the face with one. Teach a man to fish and you're both fed for life.

Re:Im not so sure this will help

> This probibly wont help you get right to your robber, he probibly sold all your stuff. And if he was smart he probibly sold it to a used computer store that would resell it. Although most pilfers arent the smartest bunch, good luck ;)

IANAL, but ISTR that in these cases, the used computer store (pawnshop) is guilty of "posession of stolen property". As is, for that matter, the innocent sucker who walks in off the street and buys it. As such, you can still get your computer back.

Option 1: (There's only one bad guy, the thief.) The guy who bought the computer will be pissed, he'll be pissed at the computer store. The guy who runs the computer store will be really pissed, and he'll be pissed at the guy who sold it to him. End result -- the thief loses his ability to sell stuff at that store.

Option 2: (There's another bad guy, in that there's a store or pawnshop operating as a "fence", that is, reselling goods they know are stolen). The guy who bought the computer will be pissed. The cops will have evidence to use in their (likely ongoing) case against the fencing operation. End result -- the thief may get away, but the fencing operation goes down.

Either way, by providing evidence to the cops, you increase the odds of getting your stuff back and cleaning up your town.

Re:Cops can help...

> ...if they are willing to look at technical details.

Very true, the trick is to get someone at your local PD interested in the case. Routine burglaries are, well, routine. Just as the FBI laughs if the losses are less than $BIGNUM, your local cops generally don't give a damn about property theft, because the odds are slim and the cases are boring as hell.

1) So don't call - show up in meatspace at your local police department. (Or if you've filed a police report on the burglary, you probably have an officer's business card. In that case, call and try to set up a 15-minute appointment.)

2) You may want to talk to a detective, rather than the beat cop. Dunno how lucky you'll be at finding one. Might be worth a shot. Go through channels.

3) (Here's the kicker). YOU know how to solve the crime. The cops don't. So YOU explain it to the cop or detective - in detail. Bring printouts. Use highlighters. Emphasize the point that even though you did the legwork, you don't want credit - you want the cop to get credit for solving the "high-tech" case. This means career advancement to the cop/dick, and ought to interest him, even if the dollar value of the case is peanuts.

"My house was broken into and bad guys stole my stuff" - a boring case, like dozens of others, involving all the paperwork with no chance of recovering the goods.

"Here's an open-and-shut case on how to track a thief through cyberspace" - something new, possibly a promotion for finding a new way to solve cases, and a reputation within the department as "the guy who knows how to track criminals through cyberspace, he's even smarter than that moron the Feds send us every few months".

If you're helpful your local cops, they just might be able to help you.

Re:Should be pretty easy.

> Worst case, the current user is somebody who bought the computer from your thief and not the thief her- or himself, but it still gets you close.

No, that's not the worst case. Worst case is that the virus didn't actually infect the stolen computer, but rather the replacement computer that you're using now...

Re:Fuck the police, get some vengence

> Send you friend over and tell him to bring back both the thief's thumbs.

Nowthat'sacruelandunusualpunishment!

you were warned.....

How quickly we forget. Or was I the only one who ran out and filled my computer with cement [slashdot.org]?

Use his stupidity against him...

If he's running any old binary sent to him, why not have one of your friends send a gift in reply? All it needs to do is grab the IP and timestamp, then email those details to you. Forward that to the police who can get location data from the ISP.

Re:Hidden Bomb?

I was contracted to write one a few years ago for installation onto all of a company's notebooks. Once a week it had to be reset, or the machine would purge documents and lock out.

RE: Tracking A Thief Via The Sircam Virus?

And if I do find him, do I send the cops, or just my 6-foot-4, 260-lb ex-eastern-block buddy Radek?"

Given what I know from my own Eastern block friends.
If you ever want to see your beer again... send the cops:)

Re:Radek!

What security? Up until a few days ago, there wasn't a virus package that would detect SirCam. Do you expect him to update virus checkers on computers not in his possession? Presumably you don't mean security by disabling the ability to retrieve email, so then what do you mean?

Note: I do disable VBS files (by associating them with notepad) on my home WinME machine, but this isn't common practice. I do it because many people use my home machine. Disabiling VBS files like this isn't considered "security enablement" in the sense of updating patches and locking down ports.

Re:Hidden Bomb?

I was contracted to write one a few years ago for installation onto all of a company's notebooks. Once a week it had to be reset, or the machine would purge documents and lock out.

Yeah, I heard about that program. It's called Microsoft Windows.

-Martin

heh, tempting...

it'd be tempting to send Radek round, but you've got the problem of finding them in the first place. Get in touch with the police, and get your friends to note down the message headers of the emails. Then with a selection of times and IP's the police should be able to contact the ISP, and find out what phone number the theif is dialling from. Of course, this hinges on the chances of you finding a cop with a clue ;)

Bear in mind

It MAY be an innocant person that bought a second hand computer. Id go with the cop method, not the Radek method.

Re:what an idiot.

My wife had her computer stolen - and her old ICQ popped up. Someone traced the computer to an IP and an ISP, and we called the cops.

Did they act on this? No way.

The thief was basically handed to the OTTAWA POLICE on a silver platter, but apparently donut eating and beating defenceless women's heads against cars was more important.

I'd say send Radek, that is if the ISP will tell you who it is...

Re:what an idiot.

if your ISP gives you the info, don't bother with the cops, use Radek OR just wait unitl he/she has left the location you compter is residing at and then STEAL IT BACK !! What thief would belive that the Original owner tracked him/her down and did the same thing right back.
besides if you have home owners insurance you could still collect the value of the computer, then use that cash to upgrade to a better system, or use it to put out a contract on the thiefs head. either way.

Your ISP??

Odds are good he's using YOUR ISP seeing how you probably checked that 'remember password' box. If that's the case, I'd take a copy of the police report and goto your ISP (assuming it IS your ISP the dude dialed into, which is easily checked by looking at the header of the email message) and talk to management right-a-way!

If it was one of my local ISP's I'd take about 1 case of beer with you as a small incentive.

better yet

Call the BSA

what an idiot.

all the major isp's now record your DNR phone # per call. Easy to trace via the ip and date and time. You'll need to get the isp and police involved.

Re:Some laptops phones home

Actually I was quite sure that I've seen some company actually doint that. Here is a story on The Register:
http://www.theregister.co.uk/content/archive/20026 .html [theregister.co.uk]

And a link to the company doing it: http://www.ztrace.com/ [ztrace.com]

Yes.

Ok, here's what you do. The emails he's sending contain a few bits of data that are critical. One is the IP address that he is using at the time he sends the email, and the other is the time (according to the mail server; both bits are in the header of the email) at which the mail is sent.

Get an attorney, and file a "John Doe" lawsuit against the thief...the goal here is to get a lawsuit, so that you can get a subpoena. And who are you subpoena'ing, and for what? The ISP the thief uses, for the logs of the phone number that was connected at that time, and the account information of the owner of that account. Turn that over to the police, and you should be good to go. That information is sufficient (explain it well to them) to get a search warrant and...voila! He's crispy.

Happy hunting!

Should be pretty easy.

All you should have to do is check the headers and to standard spamcopesque ip tracing. At that point, you have an IP address. Take that info to the ISP the crook is using, and ask for the dialup node log. You'll probably need at the very least a subpoena to get the cid logs, but you should have no problem as long as you can prove that it is coming from your property.

If you could post the Headers of the offending emails, I'll bet most people here could tell you where the thief is in 5 minutes.

D - M - C - A

excuse me...

just how will that get your beer back?