Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
United States The Internet

Feds Working to Stop Worms 250

mbenzi writes "This article from GovExec describes how the feds worked to prevent a worm that could have been orders of magnitude worse than Code Red. Short on details, but an interesting timeline."
This discussion has been archived. No new comments can be posted.

Feds Working to Stop Worms

Comments Filter:
  • I'm glad I can now walk through the desert without the sand worms attacking.

    thanks government!
  • Pointless (Score:2, Insightful)

    by govtcheez ( 524087 )
    Sure, maybe they'll be able to stop one version of this, but more'll just pop up in its place; it's similar to the **AA trying to kill P2P - there's enough ingenuity in people that want to do wrong that they'll never be shut down completely.
    • Re:Pointless (Score:3, Insightful)

      by jorleif ( 447241 )
      Pointless? How is hunting worms pointless? Just because there will appear new ones doesn't mean we shouldn't clean machines that still have Code Red or Nimda and try to correct security related bugs before some new worm exploits them.

      Your comparison to **AA is somehow off since **AA is more about a few big organisations wanting to control everybody while worms are something everybody except for a few individuals want to get rid of.
    • by ergo98 ( 9391 )
      It's all over, people! We don't have a prayer, argh... [snpp.com]

      there's enough ingenuity in people that want to do wrong that they'll never be shut down completely.

      Who said anything about "completely"? The point is that they tracked down someone who thought they were anonymous, and there's a message there for every other script kiddie (as a sidenote: I found this story overstated the capabilities of this worm which is something that security people usually do basically as a roundabout way of patting themselves on the back). Personally I think that the Internet should become a UN-style governed entity and any country that doesn't actively pursue computer criminals should be barred from the global internet.

  • by Gentoo Fan ( 643403 ) on Friday January 31, 2003 @10:40AM (#5195926) Homepage

    With a gang of zombies at his command, the creator of a superworm could mob a Web site or computer system, flooding it with bogus electronic transmissions until it drowned in the data torrent.

    Tens of thousands of computers containing now-dormant Leaves worms await instructions from their master. Should they ever again awaken, a posse will be waiting.

    With writing like this it sounds like someone trying to scare up funds to keep this department up and running.

    • Or maybe it's early publicity for "Leaves: The Movie".
    • by Entrope ( 68843 ) on Friday January 31, 2003 @11:15AM (#5196142) Homepage
      You think it is a laugh. People who spend 10 or 20 hours a week (of their spare time, more often than not) tracking down these viruses and the criminals behind them probably disagree.

      One of the largest IRC networks was recently humbled by attacks from worm-infected computers. Every other large IRC network deals with several new infections each week. It is only because the script kiddies (mostly) restrain their attacks to IRC, and because IRC admins go to great lengths to fight the worms, that more damage is not done by infected computers.

      IRC networks are particularly easy targets, since each server is usually run by separate person or company, and the FBI is not interested in investigating cases unless $5,000 of damages can be claimed by one group -- never mind if there are one or two thousand infected computers that could be wiped out by a malicious kiddie. If the criminals get better at hiding their tracks or their commands, they may become more brazen and attack bigger targets.

      Personally, I am glad that somebody in law enforcement is taking active steps to investigate and shut down these worms. They can actually punish the criminals behind the attacks. Private parties can, at most, disperse the botnet or terminate the attacker's account.
      • just this article reeks of doom-and-gloom "we need more funding!" crap directed at technophobic beaurocrats. It's just a puff piece.
      • by Blkdeath ( 530393 ) on Friday January 31, 2003 @11:33AM (#5196305) Homepage
        Personally, I am glad that somebody in law enforcement is taking active steps to investigate and shut down these worms.

        Personally, I wish they'd spend a little bit of the money on public education. Start giving basic "Home Internet Security: 101" type courses in high schools so that the new crop of wIdiots have atleast a little backing in knowledge to take home with them. Maybe they can secure their parents machines and have an immediate effect on the state of things.

        When you consider the sheer number of broadband subscribers in North America, and factor the number of them potentially vulnerable to any number of infiltration tactics, we can easily find ourselves facing 20k 1.5MBit connections. By my count, that makes for a LOT of aggregate bandwidth. DDoSs, information/identity theft are all infinitely possible.

        This story only goes to foster the need for knowledge; all it takes is one, or a small group of concerted individuals who plan their attacks carefully, and the Internet can be crippled to a degree that we haven't seen thus far.

        Corporations are another story. I believe firmly that they should be held fiscally responsible for the damage done at the behest of their bandwidth and servers. It's their responsibility to hire competent security personell to prevent attacks from using their larger-than-normal resources to aid in an attack. Maybe then competent IT people would suddenly find themselves facing thousands of job openings again, because it would be too expensive a risk for big companies not to have them on staff.

        Every connection with an educated person at the helm who keeps track of security updates and is mindful of what they install/run is one less connection that can be used to attack those of us who do take this care.

        </RANT>

        • I am getting sick of the constant clutter of virii cluttering up my inbox. It's amazing how much less I would get if people had a goddamned clue.

          What's really annoying - I've been getting Yaha sent to me constantly for MONTHS from one person who just doesn't seem to "get" it. What really pisses me off is that when sending them an email asking them to please clean their machine, they ignored me. (Note: I'm not using the from: address. They're an AOL user, and AOL appends an X-Apparently-From: header to all emails that go through their mail servers which Yaha is not known to forge. While the from: addresses are from many different people, the X-Apparently-From: field has the same AOL user, every single time.)
          • At my school, every pc has a unique host name that corresponds to owner's username. Username corresponds to email address...

            So i keep telling people they are infected, and to use either not Outlook, not MS, or just keep patched. "Will do!" several have said. I'm still getting yaha and krez. *sigh*...I tried to help.

        • Personally, I wish they'd spend a little bit of the money on public education. Start giving basic "Home Internet Security: 101" type courses in high schools so that the new crop of wIdiots have atleast a little backing in knowledge to take home with them. Maybe they can secure their parents machines and have an immediate effect on the state of things.


          I worked for a Police Dept. in California for a few years, and one of the things we did was something like this. While it was targeted at parents and more directed towards stopping cyber-molesters, we did cover basic computer security. Looking back, perhaps it would have been a good idea to spend more time on that...
      • Private parties can, at most, disperse the botnet or terminate the attacker's account.

        Some of those private parties are software developers, who can do a little more- they can fix insecurities, and prevent them from happening in the first place. The only longterm solutions to vulnerabilities.

        So far, though, it seems that developers (meaning primarily Microsoft) still don't pay enough attention to security.

        Why not? Because the marketplace doesn't value secure software, so they aren't punished for not providing it.

        Why doesn't the market value security? Because they think government departments like the one described will protect them, instead of relying on their software vendor or themselves.

        By providing these hardworking "cybercrime" specialists, the government accomplishes 3 things:
        • Expend tax dollars.
        • Promote (subsidize) insecure developers (Microsoft) over safer ones (BSD, Mac, Linux...)
        • Reduce the economic infrastructure's future resistant to future attacks based in foreign countries. The FBI has little jurisdiction in South Korea, and none to speak of in China.


        I'm not saying that no crime committed on a computer should be punished- but that both the level of effort put into hunting, and the amount of punishment allocated should be reduced.
    • by tg_schlacht ( 570380 ) on Friday January 31, 2003 @11:18AM (#5196170)

      With a gang of zombies at his command, the creator of a superworm could mob a Web site or computer system, flooding it with bogus electronic transmissions until it drowned in the data torrent.

      A smart worm could just post a link to the website it wants to bring down to Slashdot in an article made of carefuly crafted phrases built of buzzwords.

      So who needs a gang of zombies? Oh, wait.... nevermind.

    • And now, Govexec's servers will be slashdotted, and they will think Mr. Leaves has struck!
    • It looks like we found out what happened to Jon Katz...

    • I had the same thought. It reads like a Tom Clancy novel. I wondered, "Gee, w32.leaves.worm must be a pretty serious threat from the sound of it." Then I read this [symantec.com]. Feh.

      btw the author was Shane Harris.
  • by Maeryk ( 87865 ) on Friday January 31, 2003 @10:42AM (#5195936) Journal
    "some of the most brilliant hackers in the world"?

    SInce when are Skript Kiddeez brilliant hackers?

    This article is stupefyingly filled with crap.. the whole alliterative narrative to make a "worm" into something more than a program is scary. "Clones" rather than "copies" "larva" rather than "small". "zombies" "Slither" "poisonous venom".

    Ye ghods.. is this a tech article, or color text for a M:TG card?

    maeryk
    • I agree, this kind of articles make computers more scarey than they are, plus they act like all computers are vulnerable.

      This is written as a fairy tale, and something I'll tell my children (if I ever do have some) when I want to keep them awake all night.
    • by HiQ ( 159108 ) on Friday January 31, 2003 @10:59AM (#5196039)
      GovExec.com is government's business news daily and the premier Web site for federal managers and executives
      So now that you know the targeted audience, does the normal-text:crap ratio make more sense now??
    • From the article:

      It took Marcus Sachs, a cyber soldier from a Pentagon unit trained to attack foreign networks, to bridge the suspicion gap. Sachs dazzled the room with his observations and theories about Leaves. With casual command of hacker lingo and the history of worms and their attacks, he demonstrated both the expertise of the government corps and the urgency of defeating this unique and dangerous foe.

      And...

      Assigned to the infrastructure protection center, Jupina, 36, was well-versed in cyber jargon.

      So, basically, all the equipment you really need to be a government computer crime fighter is an education in 'cyber jargon' and l33+ 5p34|.
      • Cyber-Soldier> OMG Sir. our Sadamizer worm has breached containment!
        Col> Quick, lock-down the instalation
        Cyber-Soldier> too late one of the MP's computer has AOL instant messanger and it's out on the internet now
        Col > How could has this happened?
        Cyber-Soldier> our 4 character password with no numbers or special characters just to weak as outlined in my memo dated yesterday.
        Col> Do we have plausable denighablitiy?
        Cyber-Soldier> Sure we'll blame some British guy.
        Col> I guess we'll never crack Sadam Hussain's e-mail password now will we?
        Cyber-Soldier> Sir maybe I should go undercover, get a bunch of security experts to battle this thing.
        Col> Good Idea, now excuse me, I going inside my office to get drunk and am going to shoot my self

  • At first glance (not first post) off-topic, but give me a second. The action of a chemical that kills intestinal parasites, eg, worms, is called anthelmintic. With apologies to Dave Barry and his IP claim to it, wouldn't Anthelmintic be an excellent name for a company that sold anti-worm technology?

  • by kahei ( 466208 ) on Friday January 31, 2003 @10:48AM (#5195969) Homepage
    the most seasoned and cunning code crackers, worm gurus and cyber soldiers from government and industry



    Like all worms, Leaves bored through cyberspace, probing Internet connections for holes in personal computers or Web servers. It slithered inside the machines and spewed venomous strings of data that threw its victims into electronic shock.


    I had all sorts of witty comments to make on this, but I just deleted them because it's all too pathetic.

    I guess the point is to impress on people that cyberspace, too, is just like a big ol' Hollywood movie with good ol' Uncle Sam well in control. Or something.

    • I had all sorts of witty comments to make on this, but I just deleted them because it's all too pathetic.

      I definitely had at leats one flippant remark per paragraph. Who has the idea to write Shane Harris [mailto] an email explaining that this article just made him, and everyone (with possibly the exception of Jupina, who actually did something productive) look like a complete incompotent ass.

      I'm sorry, but how hard is it to track a worm that goes into an IRC channel. The part that really cracked me up is this:

      The Leaves code was a jumbled mess. It was encrypted and compressed--data had been squeezed together to save space.

      Apparently the FBI needs to learn what a compiled binary is, it must have been really hard for them to understand what all those funny characters were.

      That's one shot I can't resist making.
  • Is this the first draft of the new Michael Crichton novel?

    I found the plot rather thin, the characters unbelievably one-dimensional, and the ending was far to pat and convenient to believe.

    Actually, it reads like most of his novels.

  • by SuperDuG ( 134989 ) <be&eclec,tk> on Friday January 31, 2003 @10:49AM (#5195977) Homepage Journal
    Sandworms, they're the worst kind

    In all seriousness I don't understand how they can tell if a worm was "more serious" than code red. The best thing about most worms is that most of them are "so wonderful" that they leave out a few details and never make it anywhere but the authors test system.

    It's not worms I'm afraid of, it's next gen virii. With problem solving and logic bots that use AI it's just a matter of time before you train a program to do malicious things and give it multiple ways of accomplishing one goal of infection with a prime directive of selfpreservation, that would be the 'ultimate' worm.

    We've all seen the AI programs ability to play chess, and that is impressive all in itself, can you imagine the same type of system loaded with every exploit ever documented, and then the ability to gain access via that list? Or imagine if somehow the program were able to recieve the notices of bugs (Cert, bugtraq, errata, and MS) and then learn of new potentially unpatched systems.

    The problem would be not implementing the worm, nor stopping, but finding a reason for it's existence. Would it be used as a proof-of-concept only to be more horribly enacted in version 2? Would it be used for a massive DDoS attack on key internet systems thus disabling the net for a small amount of time? Or would the system dump all valueable information on a centralized server and then essentially commit suicide?

    The only problem is how could this bug be 'harmful' to a host system if the prime directive was self perseverance? It's a little bit too deep of thinking for a friday morning, but we have yet to see what virii are actually capable of.

    • But consider the size requirements of such a virus. Today's viruses are what, 200kb? I personally think that's absolutely HUGE. These are pretty sophisticated virii, yes, but when you go to start adding AI and all of the memory and data structures to dynamically make decisions, that will puff up the size of the virus/worm to where it's noticable.
      Some of the smarter virii of old could change the entries in the FAT tables to make their program appear to be very small, or the same size as the file they were trying to "replace." I haven't really heard any of this going on with these worms, they don't seem sophisticated enough. Come to think of it, they really don't seem that sophisticated at all.
      I guess what I'm getting at is that users are going to start noticing when a virus tacks on 1.2 MB to their file download. Or perhaps I give the average user way too much credit.
      • You are assuming that the virus brings all its tools with it. What if, as a biological virus does, the virus comes in and uses existing tools?
        • $ cd leaves_worm
          $ ./configure
          checking for gcc... (cached) gcc
          checking whether the C compiler (gcc ) works... yes
          checking whether the C compiler (gcc ) is a cross-compiler... no
          checking whether we are using GNU C... (cached) yes
          checking whether gcc accepts -g... (cached) yes
          checking for ranlib... (cached) ranlib
          checking for a BSD compatible install... (cached) /usr/bin/ginstall -c
          checking how to run the C preprocessor... (cached) gcc -E
          checking for ANSI C header files... (cached) yes
          checking for libvirus... no
          checking for alternate virus libraries /usr/lib/libvirus /usr/local/lib/libvirus /lib/modules/current/libvirus ... no
          ERROR, libvirus.so not found, terminating
        • One possibility is that perhaps the virus could steal parts from virus detection programs to do what it needs. I know that virus detecors are mostly looking for "signatures" of viruses and probably don't have whole virus codes in them - but between the self preservation of virus detectors themselves and virus detectors knowing to look for certain types of code you could probably get something interesting out of a leech virus that only worked well when you had Norton installed to feed on.
      • Firstly I think that you're giving the average user too much credit. Secondly I'd envisage the virus having a small infecting agent that then downloaded what it needed on demand to infect other systems, perhaps using P2P methodology.

        The case zero (the initial infection) would probably have to be manually placed. It would then track what other systems are known to the machine it's on and identify them. It would then download, from the source machine, the code it needed to crack into the systems it found (possibly including versions of the infecting agent for other OS's, so an infected Windows machine could infect a Linux machine for example). Each infected machine logs into an IRC channel and advertises itself and what it has interms of exploits and other info. When a new exploit is found the writer can distribute the code to a few of the infected machines via the IRC channel and then those will distribute to the rest of the machines on demand or when ever a machine is idle but connected. If an infected machine locates a victim machine it doesn't know how to crack it can ask for the required exploits on the IRC channel. Very little true AI would be required as all each install needs to do is identify target systems and download the rule sets and codes to crack them. Rule/code sets that haven't been used in a while could be removed to minimise disk space usage and therefore reduce the chance of detection.

        Individually the file sizes and downloads could be quite small (tens to hundreds of K) and could even be timed to take place during idle time and to suspend when the machine is in use to resume when it goes idle again.

        Stephen

    • You (and all the responses) should read a book called "ME". It's basically an AI experiment gone awry. It starts as a gov. funded research project, which infiltrates comp systems by first throwing a small attack phage at it, then making room for the bulk of the AI. Which then optimizes the current system & uses the spare cycles, which has the interesting effect of making the infected system run faster & smoother :)

      Anyway, it's a great book. I just wish I could remember the author.

  • by jblaze ( 136662 ) on Friday January 31, 2003 @10:50AM (#5195988)
    Why are we paying to have the government fix Microsoft's bugs?
  • Parden me.. (Score:2, Funny)

    by SL33Z3 ( 104748 )
    But isn't it interesting that the words "fed" and "worm" appear in the same sentence for a GOOD reason this time?
  • by LordYUK ( 552359 ) <jeffwright821@g m a i l .com> on Friday January 31, 2003 @10:53AM (#5196005)
    they call it Pepsi Blue.
  • by Dolemite_the_Wiz ( 618862 ) on Friday January 31, 2003 @10:56AM (#5196020) Journal
    Is is me or does this article read like the cross between a propaganda article, a typical narrative from a Batman TV episode ("Will our heros be able to complete the task? Stay Tuned Bat-Fans!!!"), and a recruitment Ad for the FBI, CIA, or any of the Armed forces?

    Dolemite
  • by TheConfusedOne ( 442158 ) <the.confused.one ... m ['gma' in gap]> on Friday January 31, 2003 @11:00AM (#5196042) Journal
    Ye gads that was horrible. This has to be my favorite bit of hyperbole:
    Worms were the most vicious new beasts to stalk the Internet.

    I think Morris would have a few words of disagreement about that.

    So, we have a section: Early July.

    Then the next section: Second Week of July which starts
    Weeks passed.

    And, to top it all off we go over to McAfee and search and get the following:
    Search Results
    We found no records matching the following criteria:
    Virus name containing "leaves".


    This has to be BS of the first and worst order.
  • Has anyone thought that this could be the work of the government? It could just be that the government is putting there little spy boxes in place and fooking up the job.
  • Jeeze... (Score:5, Interesting)

    by pubjames ( 468013 ) on Friday January 31, 2003 @11:01AM (#5196051)
    So the best government executives in the USA act like secret agents in cheap pulp detective novels?

    Perhaps they should try:

    a) alterting businesses and organisations that have vulnerable systems.
    c) naming and shaming software manufacturers with poor security processes.

    But I guess fighting faceless villans with wicked plots to destroy the world is a lot more fun.

    It's not quite as exciting when you realise that most of the villans are actually just naughty children.
    • a) alterting businesses and organisations that have vulnerable systems.

      So all of a sudden all the bots you're controlling stop responding and disappear?

      Yeah, I'm sure then you'll go right back to what you were doing, so the FBI can nab you.

      But I guess fighting faceless villans with wicked plots to destroy the world is a lot more fun.

      You're suggestion to 'just remove the worm' would give the author notice that the feds were on to him.

      It's not quite as exciting when you realise that most of the villans are actually just naughty children.

      So what? They still need to be stopped. That's like just painting over grafitti everyday instead of preventing it, or finding the perps.

      • You're suggestion to 'just remove the worm' would give the author notice that the feds were on to him.

        I never said "just remove the worm". I was talking about general policy towards security. The government seems to do a lot of trying to catch "hackers", but I don't see them doing so many practical things to prevent these problems in the first place.

        So what? They still need to be stopped.

        Or alternatively, the root causes could be addressed. When a mischevious 14 year old school kid can cause hundreds of millions of dollars of expense just by messing around, then the kid isn't really the problem, is it?
      • You're suggestion to 'just remove the worm' would give the author notice that the feds were on to him.

        Or that Norton/MacAfee/Microsoft was on to him. Or he might think the sysadmin was on to him. Or that the user had randomly reinstalled windows. Or he'd even forget he'd ever hit that computer.

        That's like just painting over grafitti everyday instead of preventing it

        Invalid comparison.

        When performing grafitti, the perp need physical proximity to the target. Therefore physical protection (a cop on patrol) can be effective.

        To write a worm, you needn't be anywhere near the target. Therefore protections which boil down to "pull out your gun and grab him" will not be very effective.

        This article showed us that even in the UK (the US's biggest lackey-state), the FBI can't get the prosecutions it wants. We shouldn't expect arrest to be a much more effective deterent through the rest of the (US-antagonist) world.

    • Your fav Federal agencies, Microsft and I are busy saving the day for you. We never sleep to keep vital services working for you. Did'nt you read the article?

      worms, viruses and other computer evils, as well as the hackers who create them. Both threatened daily to shut down the engines of modern life--electrical power grids, the banking system, water treatment facilities, the World Wide Web.

      My favorite part was this:

      The Leaves posse proved itself during the Code Red attack. Code Red made headline news. The FBI, the White House and security companies launched a coordinated campaign to track it, warn the public and take steps to protect vulnerable systems.

      Microsoft and I also proved ourselves durring the Cod Red attack. Thanks to my efforts, electicity, water and other vital services continued to work at your homes and business. Please fund me directly. Send all cash, checks and tax free donations to me today! Bill Gates and the Feds have plenty of money, but I'm feeling strapped. If you could not tell from the article, those other two are relativly clueless. If I don't get your money today, I might not be able to work tomorrow and all hell will break loose as the forces of cyber chaos go unapposed.

  • by teamhasnoi ( 554944 ) <teamhasnoiNO@SPAMyahoo.com> on Friday January 31, 2003 @11:04AM (#5196068) Homepage Journal
    that the old X-files writers are getting some work.
  • Written for who? (Score:3, Insightful)

    by tarnin ( 639523 ) on Friday January 31, 2003 @11:08AM (#5196098)
    Looks like this article was written for people who just barely understand computers. It has more buzzwords and made up buzzwords than I've ever seen in an article like this. The steps they outline are ahh, well, kinda a "Well no kidding." setup and the details pretty shallow.

    Personaly, I think that this is nothing more than another smoke screen to make people feel safe that the gov will eventually do something about a technology they barley understand but "know" is dangerous.

    Also, does anyone else think that even the gov were to take steps to stop any type of worm, that privatly owned companies horribly configured servers and over seas servers that are unpatch are going to get automagicaly fixed cuz the US Gov says so? This is just about FUD if you ask me.
  • by Anonymous Coward
  • This article contained absolutely no discussion of the pathetic quality of Microsoft's "software." Can't these people understand that the best way to stop the worms is to send a squadron of B-52's to wipe out Microsoft's campus? Sheesh...
    • Attention Mr. Gates:

      Following recent testimony [eweek.com], it has come to our attention that Microsoft(tm) products perform mission-critical operations in our national War Against Terror(tm).

      Consequently, the source code for Microsoft Windows(tm), Microsoft Office(tm), Microsoft Bob(tm), and related software, is immediately upgraded to a top-secret classification.

      Federal Marshals will be arriving shortly to quaranty your facility, until the NSA can complete background checks on each of your personnel to ensure they can be trusted with such a grave responsibility.

      Non-citizens, or those failing background checks, will be interred as an enemy combatant until the cessation of the conflict.

      Sincerely,
      F. B. I.
  • http://www.iwar.org.uk/cip/resources/news/advisory 01-014.htm

    Here's a warning from 06/23/2001. Long live google!
  • Sitting in a bunker here behind my wall
    Waiting for the worms to come
    In perfect isolation here behind my wall

    --Pink Floyd

    How appropriate... :)

  • Zombie maker on steroids? It only infects already infected machines.

    Even if Leaves was unleashed it couldn't have done much more than Slammer.

    Code Red/Nimda servers were and are more annoying.

    What's more scary is the DMCA and the other laws the US Gov is going to push through using scare-mongering stuff like this article as justification (plus Osama and Saddam). Not to mention "Initiatives" by those companies (TCPA etc).

    A decent admin can keep worms out from critical systems pretty easily. And for those that slip through, there are backups.

    But protecting yourself from stupid laws and "Legitimate" software/hardware is a lot harder. Even if you're in a different country with different laws, the US doesn't give a damn, nor do the big companies.
  • by gr8_phk ( 621180 )
    In the article, they make it sound as if the feds figured out everything about the worm. If they knew how it was supposed to recieve instructions, why not "upgrade" it to give them information about its creator. And after the arrest, command it to delete itself. It sounds like it's still out there at the end of the article. Or perhaps they do know how to control it and they like it that way :-)
  • It's unbelievable that our government would pour all of these man hours into a problem that is easily fixed: use a secure and open alternative you damn retards. To compound the problem, this is something that Microsoft, the vendor, should be doing. They aren't. They never have been. They hardly ever proactively fix anything themselves.

    Tax payers shouldn't accept their government using all of these man hours and dollars to make some private company's software acceptable for government use.

    Microsoft should be dropped outright, because second or third best shouldn't be good enough for our tax dollars. DAMN such examples of utter idiocy and extreme mis-management of funds by government makes me angry.

    • It's unbelievable that our government would pour all of these man hours into a problem that is easily fixed: use a secure and open alternative.


      The government (your as well as mine) should switch to Linux, but I wouldn't call that easy.


      Rebooting a single computer, and installing Linux instead of Windows is relatively easy.


      Rebooting the US government, and installing Linux is relatively hard. I think no-one even knows if the BIOS supports booting from CD.


      How many man-hours would it take just to install Linux (or BSD) on all federal computers? Training all the government tech support and sysadmins, not to mention all other workers? How many closed-format files (.doc etc) would have to be manually fine-tuned after the change? And so on and so forth. I guess the time and money spent on this worm would not be enough for photocopying the plans for changing to open source.

      • Come on, just the $$$ they'll save on licensing fees and time lost to BSODs would pay for the change-over, and a license for staroffice (for those who don't want to use openoffice).

        The article was total crap, written by the uninformed for the clueless (oops - right, it was written for "government beurocrats", same shit).

        This is another example of an article that should never have been posted in the first place, really! Lame, full of mistakes, hyperbole, and non-news. Slashdot: Non-news for non-nerds?

      • It's hard, but it must be done. Fine, it can take 5-7 years, but it needs to happen. (Swapping out some software is trivial in comparison to things like airport security and National Missile Defense)

        The problem these stories show us is that the Federal Cybercops are spending all their effort to barely, occasionally control unfocused, amateur miscreants. Pranksters out for fun.
        "cybercrime"

        They should be hardening against attacks by state-sponsored saboteurs who are trained, funded, organized and motivated. Enemies who won't submit to arrest, and who won't flinch at B&E of a Colonel's house to bug his laptop. (Or take his password at gunpoint.) The attack won't be tentative or experimental- it won't come until the assailants are ready to apply it in force.
        "cyberwar"

        The government can't even keep casual "cybercrime" in check, inspiring no confidence that they'll do much better in a "cyberwar", which should be their main concern. (They've recently used the word "cyberterrorism", which only confuses matters)

        Their current approach just creates a false sense of security. The sooner they scale it back, the sooner the public will start to demand & install truely secure computing, and the safer we'll all be.

  • And no one ever may get the chance. In November 2001, the man who confessed to British authorities that he'd created the Leaves worm received a "formal caution," a legal warning usually reserved for juvenile crimes and minor drug offenses.

    The lead officer on the case insists the agency has information about the hacker's motives that the FBI hasn't heard. But Scotland Yard refuses to divulge what it knows. Citing British law, officials refuse even to reveal the hacker's name.


    wtf?

    so we went through all that effort just to have the british let him go ... suspicious. especially when the rest of the article indicates they had problems understanding the author's motivation, because they never really used the worm. "Perplexed by the lack of attack" as the article put it.

    You be the judge.

    -- p
  • They are trying to find authors, but the first problem is how to avoid that happens in the first time, before they hit, and after they hit, well, avoid that they continue to spread and/or being exploited further (like with codered/nimda).

    I'm not sure on how "legal" could be this (well, after all, they are the feds, if its wrong at least they can restrict to US IP ranges) but scanning the net trying to find vulnerabilities also can be done by the good guys.

    The other thing that they must do is effectively warn, help and maybe even force (this could be misused) to fix vulnerabilities and worm infections on internet connected computers, maybe with a legal backup to make ISPs to find users with dynamic IP or to find real address/phones of individuals with that kind of problems. This can or cannot be related with the net scanning thing.

    A lot of vulnerabilities and worms infection announces themselves on the net, so at least warning and helping this kind of users is an easy step forward and not very intrusive.

  • by Yekrats ( 116068 ) on Friday January 31, 2003 @11:23AM (#5196214) Homepage
    I found Steve Gibson's description [grc.com] of battling a DDoS attack having more technical information, and being much more entertaining at the same time. He's the author of "Shields UP!!" and other Internet security software. A good read for geeks.

  • a hackers2 movie!

    Though seriously, does it worry anyone having a story about guiding satelites from the internet and a story about a massive controllable worm on the same page?

  • That's a pretty cheap piece of writing. It's not only short on details, it so much lacks them that it could've been just as easily created with a google cache and some creativity.

    Of course, it also has all the other traits of mainstream journalism - dumbed down, panic instilling, "we're all gonna diieee" subtones. *yawn*
  • by Raindeer ( 104129 ) on Friday January 31, 2003 @11:33AM (#5196302) Homepage Journal
    You can read Iljitsch van Beijnum's analysis of the Slammer worm here. It might be of interest in relation with this story. I also suggest reading the story about the warhol worm mentioned elsewhere in this thread. Link: http://www.onlamp.com/pub/a/onlamp/2003/01/28/mswo rm.html [onlamp.com] other link: http://www.cs.berkeley.edu/~nweaver/warhol.html [berkeley.edu]
  • Why is everyone making fun of this article? Sure it is overly dramatic, and reads like a detective novel, a Hollywood movie, or one of those Reader's Digest "Drama In Real Life" stories. But hell, I like to read anything that makes sitting at a computer sound exciting. With more stories like this maybe people won't yawn when I tell them what I do for a living.
  • by CoolVibe ( 11466 ) on Friday January 31, 2003 @11:40AM (#5196358) Journal
    (Yeah yeah, it's not perfect, but it's still funny)

    Wednesday, June 20, 2001
    6:30 a.m.
    Kuro5hin Headquarters,
    Washington

    After 23 years as a Slashdot analyst, having briefed Hemos and his team on every conceivable threat to website integrity, Rob Malda was scared. More scared than he'd been in a long time.

    Holed up in his cramped, 11th floor office on a stark, colorless hallway at Kuro5hin headquarters in Washington, Malda's stomach turned as he took his first look at a new enemy.

    Malda was a hunter, one of the government's best. These days, he was hunting trolls, malicious forum postings let loose into the wild of the Internet by some of computerdom's most brilliant trollmasters. Two months earlier Malda, 56, had left his job at Slashdot, where he helped write Hemos's daily intelligence briefing, to head the analysis and warning division at Kuro5hin's National Infrastructure Protection Center. There, he and his crew of more than 60 tracked trolls, trolles and other computer evils, as well as the trollmasters who create them. Both threatened daily to shut down the engines of modern life-electrical power grids, the banking system, water treatment facilities, the World Wide Web.

    Trolls were the most vicious new beasts to stalk the Internet. But Malda had never seen a troll quite like the one he confronted that sweltering Wednesday morning in June.

    It was named Leaves after "w32.leave.troll," the poisonous rant it implanted in unsuspecting stories. Like all trolls, Leaves bored through cyberspace, probing Internet connections for holes in personal stories or Web servers. It slithered inside the machines and spewed venomous strings of data that threw its victims into electronic shock.

    Leaves was hardly the first troll to infest the Internet. In fact, the pests became so common in 2001, that security cognoscenti dubbed it the "Year of the Worm." Trolls wrought all sorts of damage. They forced stories to delete critical files or erase entire postings. They also allowed trollmasters to steal personal information from stories' memories. Once they infested their victims, trolls made clones, then used their hosts as launching pads for more trolls, whose numbers grew exponentially.

    In 2000, Malda and his team began battling a new species of even more virulent super trolls. Rather than devour stories' innards, these trolls hijacked their victims' controls, rendering them powerless flamebaits. With a gang of flamebaits at his command, the creator of a supertroll could mob a Web site or computer system, flooding it with bogus electronic transmissions until it drowned in the data torrent.

    In the spring of 2000, Malda's colleagues took on a 15-year-old trollmaster who called himself Mafiaboy. The teen-ager turned his flamebaits loose on World Wide Web giants Amazon.com, eBay and Yahoo!, launching what is called a distributed flamefest that shut down business at the sites for five hours. It cost shareholders and the companies billions and shocked the Web world.

    But compared with the Leaves troll, Mafiaboy's creation was a larva. Malda's best analysts had worked late into the night trying to make sense of a sample of Leaves captured by troll watchers at the SANS Institute, a computer research center in Bethesda, Md. They let Leaves infect a computer, and then they watched how it behaved. What Malda saw fascinated and appalled him.

    Leaves was a flamebait maker on steroids. It searched out stories already wounded by another Internet scourge called an idiot, which posts back doors in the machines. Leaves used an idiot called SubSeven as its entrance. Once transformed, the flamebaits awaited orders. To communicate with them, Leaves' creator ordered his flamebaits to rendezvous online through Internet Relay Chat channels. He also told them to visit certain Web sites and download encrypted information to receive instructions on what to do next. No one knew who was controlling the flamebaits, from where or why.

    Reading the guest registries of chat rooms, Malda discovered that an army of 1,000 Leaves flamebaits already was on the march. Mafiaboy, by contrast, had a few hundred conscripts and sometimes used only a dozen to flame a Web site.

    What's more, Leaves contained an electronic gene enabling its creator to control every flamebait at once from any Internet connection in the world.

    Malda never had seen a troll so sophisticated or terrifying.

    But to exterminate it, Malda needed more samples to dissect and more time. Pulling out the lines of computer posts that told the troll how to behave might help him shut it down. Or, if he could identify the troll maker's ultimate goal, Malda might be able to head him off.

    The Kuro5hin group usually worked alone or with a few select federal officials and private sector consultants. But even Malda's top-flight team was daunted by Leaves. It was time to call in help. Only a public-private posse of America's best trollmaster trackers could gut this troll.

    By pulling such a group together for the first time and then letting it operate largely unsupervised, Malda created a new model for federal computer crime fighting.

    June 29
    Kuro5hin Strategic Information
    and Operations Center,
    Washington

    Malda called the most seasoned and cunning troll posters, troll gurus and cyber soldiers from government and industry to meet at Kuro5hin headquarters. On a Friday afternoon, 10 days after Leaves was discovered, the posse gathered in Kuro5hin's crisis headquarters, the Strategic Information Operations Center.

    It was the most concentrated arsenal of computer crime-fighting talent the government ever had gathered. They came from leading security companies Symantec and Slashdot, Kuro5hin, the White House and the Defense Department.

    But there was a hitch. The private experts were uneasy. Could they trust the G-men? Uncle Sam was a bumbling bureaucrat. His security was notoriously lax. Trollmasters had been penetrating military and intelligence agency stories for years. What could federal officials possibly know about fighting an enemy as elegant as Leaves?

    The two sides eyed each other warily as Malda laid out what he knew. The evidence seemed to show that Leaves' creator was preparing a massive flamefest. Everyone would have to work together to stop it. Mistrust would keep them apart. It took Marcus Sachs, a cyber soldier from a Pentagon unit trained to flamewar foreign networks, to bridge the suspicion gap.

    Sachs dazzled the room with his observations and theories about Leaves. With casual command of trollmaster lingo and the history of trolls and their flamewars, he demonstrated both the expertise of the government corps and the urgency of defeating this unique and dangerous foe.

    The ice melted. Slowly, a simple sheet of paper passed around the room. First one, and then the next, wrote down his name, e-mail address and phone number. The Leaves posse came to life and it readied for a fight.

    Days later
    Los Angeles

    CowboyNeal left the meeting to conduct an electronic autopsy.

    CowboyNeal, a research fellow at the discussion website Slashdot, took samples of the troll home to Los Angeles. Many in the Leaves posse returned home to operate on their own turf, not from a single base in Washington. "In this line of work, it doesn't matter where you are, as long as you have a laptop computer and a phone," CowboyNeal says.

    The Leaves posts was a jumbled mess. It was encrypted and compressed-data had been squeezed together to save space. Mr. Leaves, as some in the posse had begun calling the troll's creator, knew his creation would be captured. He ensured the troll wouldn't easily give up its secrets. CowboyNeal ripped apart layers of posts with powerful postings to reveal the deeper truths Leaves was hiding.

    Other members of the posse were ripping Leaves, too, untying its knotted innards. One wrote a posting to mimic the Trojan that Leaves used as a back door. The posse laid the trap across the Internet.

    Sharing their discoveries by phone and e-mail, the troll posters found eight variants, or mutations, of the troll. Mr. Leaves was tweaking his weapon, finding new ways to deliver it. And he was moving faster than the posse.

    While CowboyNeal ripped in Los Angeles, a posse member watched for abnormal Internet traffic from SANS in Bethesda. Still others huddled at Kuro5hin. The group worked smoothly because nobody was in charge, Sachs says. "Egos didn't get in the way of progress." They worked fast, but as days passed, their analysis yielded fewer new results. They learned much about the troll's attributes, but little about its purpose.

    Mr. Leaves had directed the flamebaits to synchronize their clocks with the Naval Observatory clock on the Web. The army was prepared to flamewar in unison. No doubt, Mr. Leaves soon would begin his onslaught.

    Unless someone could find him first.

    Early July
    Kuro5hin headquarters,
    National Infrastructure Protection Center
    computer investigation unit

    Kuro5hin Special Agent Michelle Chris Dibona wanted two things: to find Mr. Leaves and to lock him up. The bureau sought Leaves' creator on criminal charges of unlawfully entering a computer. Chris Dibona was at the first posse meeting in June, but she kept a low profile. Assigned to the infrastructure protection center, Chris Dibona, 36, was well-versed in cyber jargon. She understood how trollmasters thought and maneuvered.

    The posse saw Leaves as a marvel of engineering. But to Chris Dibona, the troll and its maker were just garbage to clean up. Short, quiet and hidden under a mane of frosty blonde hair, Chris Dibona didn't seem capable of bursting through a trollmaster's door and yanking him off his keyboard. She was so unobtrusive that a posse member recalls he didn't even know she was a cop until she got up from her seat one day and "I saw a cannon strapped to her side."

    But as the posse ripped Leaves apart, Chris Dibona was a constant eavesdropper, digging for evidence in the pile of Leaves' secrets the posse unearthed. Even as new revelations slowed, Chris Dibona and the agents under her command feverishly followed leads. Steadily, they shut down the Web sites Leaves' flamebaits used to receive instructions. They planted tracking devices to pick up the trollmaster's footprints.

    Second week of July
    Kuro5hin Strategic
    Information
    Operations Center

    Weeks passed. The flamebaits remained quiet.

    Malda had issued a public warning about Leaves on June 23. The private sector posse members had warned their customers. News that Leaves was on the loose circulated through the computer security trade press. But still no flamewar.

    Ripping continued. The flamebait army grew. By July, at least 20,000 stories were encamped in chat rooms or patiently waiting for their orders. "That scared the hell out of us," Malda says.

    Mr. Leaves was getting wily. Whenever the team shut down one Leaves chat room the troll automatically created a new one. Mr. Leaves tried new methods, too. On July 9, one of the companies in the posse found an e-mail claiming to be a security bulletin from Microsoft Corp. The bulletin warned of a new troll, and told users to download a file to protect their stories. In the file was Leaves.

    The bogus warning was badly written and eerily self-congratulatory:

    "Yesterday the Internet has seen one of the first of it's downfalls. A troll has been released. One with the complexity to destroy data like none seen before."

    Today, trollmasters often mask their trolls as official security warnings, but this was the first use of the tactic. Like many outlaws, Mr. Leaves inspired a certain grudging admiration within the posse chasing him. "I had a feeling I was dealing with an artisan," Malda says.

    Or possibly a common crook.

    Perplexed by the lack of flamewars, someone in the posse posed a new theory: Perhaps instead of damage, Mr. Leaves sought money.

    The posse knew that some companies paid Web surfers to click on advertisements on their sites in order to inflate estimates of the success of the ads. With 20,000 flamebaits to click for him, Mr. Leaves could make a killing. Some of the sites the flamebaits visited contained these ads. If Kuro5hin could find an account where Mr. Leaves put the funds, trace it to a physical address and tie it to him, the case might be solved.

    Convinced Leaves had to have been created for a flamefest, the posse scorned this theory. Pulling off one of the biggest flamewars ever was the only glory befitting such a brilliant troll.

    But something didn't make sense. Mr. Leaves was taking an awful risk by not flamewarring. Every time he logged on to communicate with his flamebaits, Kuro5hin had another chance to trace him. Why expose himself? Why not just preposting the flamebaits to act on their own? The scam began to seem more believable.

    But before the posse could prove its theory, a flamewar began. It wasn't the work of Leaves.

    On July 17, a new troll appeared-Code Red. It was named after Mountain Dew Code Red soda, the only thing that kept two private sector analysts awake as they tracked it day and night.

    Leaves propagated like a rare illness, targeting only victims with weakened immunity. But Code Red spread like smallpox. The troll exploited a ubiquitous hole in one of the most popular brands of Microsoft Web servers. In a few hours, Code Red had eaten into more than 100,000 servers worldwide. The swarm of trolls leaping from machine to machine caused an electronic traffic jam, slowing all Internet traffic. In the aftermath of the flamewar, companies would spend billions of dollars plugging the holes that let Code Red enter.

    Able as it was, the posse didn't have the strength to fight both Code Red and Leaves at once. The choice was clear: Code Red took precedence.

    The Leaves posse had built a new model for chasing Internet outlaws. They honed it battling Code Red. But fighting the new menace left Leaves on the back burner. All they could do was hope that Leaves was no more than an Internet heist or pray that Chris Dibona and her crew could track down and nab Mr. Leaves before he, too, unleashed his flamebait brigades.

    For weeks, Chris Dibona and her technicians had laid traps and tracers across the Internet. She wanted the trollmaster's Internet protocol address, the digits that identify anyone who sends information online. Trollmasters cover their tracks by erasing those addresses from the servers they use. But Mr. Leaves had slipped.

    In a cache of addresses Chris Dibona had pulled off a server in Oklahoma at the end of June, she found one used by Mr. Leaves. It was a hot lead.

    But chasing the address could take Chris Dibona around the world. And she could nab Mr. Leaves only if he lived in a country that considered hacking a crime. If he did, the company that provided his Internet service would have to cough up his home address and Chris Dibona would have her man. Luckily, after some tracking, Chris Dibona hit gold: Mr. Leaves' address originated in the United Kingdom, home to some of the toughest computer crime statutes in the world.

    Chris Dibona rang the Scotland Yard computer crime unit. Within days they traced the Internet address and attached it to a name and a place. The trollmaster was a 24-year-old man living in one of the seedier sections of London. Scotland Yard set up a stakeout at his digs.

    July 23
    Kuro5hin headquarters and
    South London, England

    Back at Kuro5hin headquarters, Chris Dibona kept watch on a computer monitoring the Oklahoma Web server. When Mr. Leaves logged on again, Chris Dibona would know. Chris Dibona waited with Scotland Yard's phone number at the ready. Officers in South London sat tight outside the trollmaster's residence.

    Nothing.

    And then, there he was.

    Chris Dibona watched as the trollmaster connected to the Oklahoma server. She gave the word to Scotland Yard: Go. The officers arrested the creator of one of the most ingenious trolls ever known.

    Epilogue

    The Leaves posse proved itself during the Code Red flamewar. Code Red made headline news. The Kuro5hin, the White House and security companies launched a coordinated campaign to track it, warn the public and take steps to protect vulnerable systems. Crippling of the White House Web site was narrowly avoided; Pentagon Internet connections were temporarily shut off. Damage was significant-estimates are in the billions of dollars-but it would have been worse had the response not been as fast and well organized. No perpetrator has been identified.

    Mr. Leaves caused no major damage before the posse rounded him up. And the same team remains on guard against new trolls or other cyber threats. When one appears, the posse comes alive. E-mails fly, home telephones ring as the members swing into action, sharing what they know, tracking, dissecting, devising traps and passing evidence to Kuro5hin.

    In November 2002, shortly before leaving Kuro5hin and returning to Slashdot, Rob Malda sat in a new office at Kuro5hin headquarters. Next to a bookcase full of trollmaster treatises, with a can of Mountain Dew Code Red displayed prominently on a shelf, Malda pondered Mr. Leaves' motive. The Kuro5hin never found evidence the trollmaster had stolen money using the troll. Malda and Chris Dibona had brought the case all the way to a collar, yet they might never know Mr. Leaves' ultimate goal. "As far as I know, no one ever asked Mr. Leaves why he did what he did," Malda says.

    And no one ever may get the chance. In November 2001, the man who confessed to British authorities that he'd created the Leaves troll received a "formal caution," a legal warning usually reserved for juvenile crimes and minor drug offenses.

    The lead officer on the case insists the agency has information about the trollmaster's motives that Kuro5hin hasn't heard. But Scotland Yard refuses to divulge what it knows. Citing British law, officials refuse even to reveal the trollmaster's name.

    Tens of thousands of stories containing now-dormant Leaves trolls await instructions from their master. Should they ever again awaken, a posse will be waiting.
  • by S.Lemmon ( 147743 ) on Friday January 31, 2003 @11:44AM (#5196380) Homepage
    Wow, this article's one juicy bunch of overwrought scare-mongering! It makes "Mr. Leaves" out to be some sort of James Bond super-villain, and then goes on to say "leaves" still took a back-seat to Code Red.

    Once you peel back all the hyperbolistic prose, "leaves" seems to be just another run-of-the-IRC zombie that exploits PC already infected with Sub7. Numbers from the article itself show that it had nowhere near the infection rate or virulence of Code Red. The strange bit is at the end they imply, once the guy was caught, they just left the zombies out there rather than alert the owners of the infected PCs!? Odd that, wonder what the gov wants with all those waiting worms...
  • by CodeWheeney ( 314094 ) <.moc.liam. .ta. .ydissaCmiJ.> on Friday January 31, 2003 @11:57AM (#5196472) Homepage
    NAI's [nai.com] AVERT Listing for this worm/virus/doomsday device/shark with laser beam.

    Seems that there shouldn't exist Tens of thousands of computers containing now-dormant Leaves worms await instructions from their master. Should they ever again awaken, a posse will be waiting. since the AV companies can detect and remove it.

    Sheesh, what a crap article.
  • The wording on this reads like a really bad spy novel. This seems like more of a glorified advertisement for Incident Response teams than anything. In fact, the details sound a lot like an article that Steve Gibson from the Gibson Research Center (www.grc.com) had written about a year ago. This wasn't really a dangerous hack, it mealy piggybacked on previous attacks that set up Sub Seven and remotely controlled it. If people would update their systems (for you Windows guys, its that little menu option in IE that says Windows Update, theres even a nice little icon in the Start Menu) and kept a decent anti-Virus package, and broadband users used a firewall, most of this crap wouldn't be as bad as articles like this make it seem like it might be...
  • No Big Deal. (Score:3, Insightful)

    by Ancker.net ( 571978 ) on Friday January 31, 2003 @12:17PM (#5196627) Homepage
    It's funny to me that the Gov't thinks it's all high and mighty, then I do a search at Sophos.com and find that the "leaves" worm wasn't all that "Brilliant", it's just another W32 worm.

    Quick Link: Here [sophos.com]

    Horray for the Gov't, they "prevented" (i'd rather say 'postponed') the Leaves Worm.
    All he has to do is send a little e-mail of what the "code word" to activate the "zombies" and all Hell breaks loose.

    IT Security Admins do this every day at work.

    Just my 2 Cents
  • I read it as, "Feds Worms to Stop Working," and I thought Bush's cabinet was on strike!
  • I have to agree this article does seem a little boastful. It glamourizes the feds, as well as the script kiddies using these worms to attack whoever making them seem like 'brilliant hackers'.

    I've seen irc channels get flooded by 'zombies' used in a similar fashion (one person commanding them).. It doesn't take much for a kid (with a bit of free time) to gather up hundreds or even thousands of these infected clients. I've seen it happen. Why is it so easy? simple, most average Joes can't tell when their computer is infected or not. The same way there's spyware installed right under their noses.

    Steve Gibson has also exposed a case similar to this [grc.com] where he tracked down the script kiddie (a 13 year old on an irc channel).

    This article is nothing new, there's tons of exploits similar to this one floating around.
  • MicroSoft has acquired monopoly status in many aspects of IT, include net servers and OS. Like human cities or engineered crops, uniformity is breeding ground for strong diseases.

    MicroSoft's commitment to removing bugs is uneven. Sometimes they work at it, sometimes they dont. Last weekend's slammer bug affect on MicroSoft's internal servers points to the latter, no matter the PR campaign.
    • MicroSoft has acquired monopoly status in many aspects of IT, include net servers and OS.

      Microsoft has monopoly status in the area of desktop OS's and certain enduser applications. It has no such status in the realm of servers, where it's market share is about 42%.

  • by AyeRoxor! ( 471669 ) on Friday January 31, 2003 @12:40PM (#5196808) Journal
    "Code Red made headline news. The FBI, the White House and security companies launched a coordinated campaign to track it, warn the public and take steps to protect vulnerable systems. Crippling of the White House Web site was narrowly avoided; Pentagon Internet connections were temporarily shut off. Damage was significant--estimates are in the billions of dollars--but it would have been worse had the response not been as fast and well organized."

    And the end result? They captured the creator of something that did no damage, apparently at the expense of letting the Code Red creator go unpunished. WTF?

    • "In a few hours, Code Red had eaten into more than 100,000 servers worldwide"
    • "With 20,000 zombies to click for him, Mr. Leaves could make a killing."
    • They honed [their skills] battling Code Red. But fighting [Code Red left] Leaves on the back burner.
      • This is a bad thing?

    • But here's the best part:

    • In the aftermath of the attack, companies would spend billions of dollars plugging the holes that let Code Red enter. [...] No perpetrator has [ever] been identified.
    • [The creator of] Leaves [never used the worm to cause any] major damage before the posse rounded him up. [...] The FBI never [even] found evidence the hacker had stolen money using the worm.


    But that's the guy we caught.

  • Cutting through the sensationalist crap, the article didn't really show that the 'posse' actually accomplished anything:

    The FBI figured out the worm used IRC before assembling the posse.

    A lone agent using normal sniffing techniques found the criminal.

    The worms are still active.

    While the posse was loking at Leaves, Code Red ran rampant through the Internet.

    Don't get me wrong, I'm sure they did something. It's just that, according to the article, they look like idiots fiddling with a problem they didn't solve while another worm destroys the Internet.

  • by frankie ( 91710 ) on Friday January 31, 2003 @01:12PM (#5197034) Journal
    ...would be sending UN coalition forces to Redmond Washington. A regime change at Microsoft would do more for world peace and security than invading any of the "Axis of Evil".

    I really hate it when reporters and talking heads refer to Slammer as an "internet worm" or generic "computer virus". It's a freaking Microsoft hole. It's all about Bill Gates grabbing millions of people's butt cheeks and spreading them wide open like Goatse guy.
  • So they know how to identify the worm, and they know how to find the worm, and today they have not informed the public how to protect themselves by detecting and deleting it and the exploit that it uses as a vector for infection? They keep it a secret? What could they possibly gain by keeping it a secret? Is it not their duty as trustees of the public welfare that they do whatever is in their power (like email the details to CERT) to protect the taxpaying (heh) public from the scourges of crime?

    Trust your mechanic to mend your holes; trust him to make more somewhere else! Trust your mechanic; he'll always come through--and RIP YOU OFF!
    --Jello Biafra (Dead Kennedys: "Trust Your Mechanic" from the album "Plastic Surgery Disasters", a must-have piece of historic music)

    Like the other posts complained: they are trying to whip up some cyber-crime paranoia and good-ol Dragnet style cops-and-robbers drama because THEY GET PAID. Also there are some fantastic perks arising out of the Law Enforcement legal power known as DISCRETION. Just get laws passed that are obviously too strict, and then say "leave it up to the cops' discretion. They know where to enforce the laws. We're better off for giving them the tools to fight crime." Then we get stuff like racial profiling and wiretap abuse. They can also bring organised crime in a cyber-tenderloin-district. Look up the etymology of that old cliche: Tenderloin District. Can anyone provide relevant links?

    The powers we grant to the Authorities will first and foremost impact the personal interests and lifestyles of the Authorities.

  • It isn't that hard. We've known how for twenty years. Here's a summary:
    • Start with a system with mandatory security, like NSA Secure Linux.
    • Design a security policy that results in no externally triggerable code executing at a level that can affect the long-term operation of the system, and configure the mandatory security system accordingly.
    • Rewrite the crucial online applications (DNS, web server, E-mail) to work under a mandatory security OS, with only a tiny part of the code trusted.
    • Deploy some servers.
    • Beat on them and find any bugs in the small sections of trusted code. Brutally simplify trusted code.
    Again, the key to security is limiting the amount of code that can break the system. Patches and virus scanners are fundamentally futile.
  • Xupiter (Score:3, Insightful)

    by jefu ( 53450 ) on Friday January 31, 2003 @03:23PM (#5198111) Homepage Journal
    Coming the day after the Xupiter [slashdot.org] article, this is interesting.

    It is entirely plausible that Xupiter or something similar (who knows, even some nice popular game or operating system or email client) has code squirrelled away in it that could serve as the basis for a large scale network attack. This code could be very small indeed as it can bootstrap on system libraries or other, quite legitimate, code in the application.

    If the Wrong People (tm) in the Axis of Evil or connected with International Terrorists had planted this code, it could easily be used to mount a serious attack (DDOS or otherwise), and the trigger could be a file on the Xupiter website, email to the users (the Bad Guys could collect email addresses at installation and not use them for anything till needed) or even a user comment on some commonly visited user discussion forum.

    The payload does not even have to be in the distributed code - it can easily be fetched from a website someplace, loaded between infection and activation or even distributed to other websites during the infection phase. These websites would not even have to know what they are carrying - I've not looked at the structure of GPG signature blocks, but it is certainly possible that portions (at least) of the payload could be encoded in such or the like.

    I know - this is true of most viruses - but putting a virus into a distributed application does make it less likely that it will be seriously scanned for a virus, and if it uses code not already identified by the virus hunters, or if it masks that code well enough it is quite likely to escape detection. I suspect that with some work I could construct a series of X86 instructions that would look perfectly reasonable, but that when XORed with the right sequence of bytes would produce virus code. Or the virus code could be distributed in all the legit code in sequences of a few dozen instructions at a time separated by jumps. Or...

    If there were some reasonable number of users using the application (how many Ever Quest users are there? how many Xupiter toolbars are now sitting in people's browsers) and if the payload consisted of variants of other viruses (even identified ones) the large base of infected sites could lead to a massive and very threatening attack.

    Xupiter would be an interesting vehicle for such a thing. Between the Xupiter license and the DMCA it would be illegal for users to try to examine the Xupiter code to find out exactly what it does (or might) do. Does the DMCA prohibit virus scanning on something? It certainly prohibits users from even trying to figure out if the program is benign.

    Worse yet, Xupiter could use its periodic "update" checks as part of the trigger, plant the trigger on advertiser's web sites, or even use advertisers web sites as part of the attack/infection mechanism.

    You've got to wonder - if the Axis of Evil is smart enough to build Nuquulur (TM - lets spell it the way the Leader of the Free World says it) Weapons are they smart enough to build (or rich enough to hire to build) a small group of people to build a network infrastructure attack. It probably would not kill a whole lot of people - but Death and Destruction are not the only tools of warfare.

  • by Jeremiah Blatz ( 173527 ) on Friday January 31, 2003 @04:10PM (#5198480) Homepage
    Here'e how the story looks to me:

    Some Brit hacker (classican definition; one posession more intellectual curiosity than propriety) decides to write the best worm he can. He doesn't actually want to do anything bad, it's just an interesting challenge. He didn't attack anything, and the Brits didn't actually punish him or anything. Good thing he wasn't in the U.S., where he would undoubtedly be tossed in jail for a few years.

    Anyhoo, meanwhile some less talented cracker releases Code Red. What do the Feds do? They keep whitehouse.gov up and running. Whee. In a real attack, the feds can't do anything. Anyone who seriously wants to do damage is not going to spend months prepping a live worm, they're going to test it privately then unleash a horde of destruction. In that case, the investigators are only going to be able to do anything after the damage has been done.

    This story is a bit of propoganda fluff that tries to cover up the ineffectuality of law enforcement in this domain.

C for yourself.

Working...