From: "Swisher, Bob" <bswisher@ou.edu>
To: "'it-fyi@listserv.ou.edu'" <it-fyi@lists.ou.edu>
Subject: it-fyi: Clues to Creator of Internet Virus (New York Times on the
Date: Wed, 31 Mar 1999 08:13:18 -0600
March 30, 1999
Digital Tracks Yield Clues to Creator of Internet Virus
By JOHN MARKOFF
CAMBRIDGE, Mass. -- Following the telltale digital fingerprints of the
author of a rapidly spreading computer virus, a lone software detective
has assembled a dossier suggesting that the virus writer has struck
previously and that the programmer's activities are already well known
to computer security experts.
The investigator, Richard Smith, 45, is the president of Phar Lap
Software, a small software development company here. Although Smith
usually spends his time designing software tools and operating systems,
over the weekend he used programmers' tools to peer inside the document
that carries the virus known as Melissa, which has wildly spread through
the Internet in recent days.
Smith found indications that the virus is a work of a programmer -- or
possibly a small group -- who wrote and distributed a similar program
two years ago. Moreover, by searching the World Wide Web, he has found
clues to the identity of the programmers and even more striking evidence
that could lead the authorities to the computer on which the program was
written.
Today Smith turned that information over to the Federal Bureau of
Investigation.
Paul Bresson, an F.B.I. spokesman, would say only, "We have a case
that's open and we're actively investigating the virus." Distributing a
computer virus is a Federal crime.
Whoever the virus writer is, the work took its toll today. The Computer
Emergency Response Team, a Pentagon-financed security service at
Carnegie Mellon University, reported calls from 250 organizations
indicating that the virus had affected at least 100,000 workplace
computers.
"We believe the number is probably higher than that," said Jeff
Carpenter, a team leader for the group, but because of precautions taken
by companies over the weekend, "we do think the problem has not been as
bad today as we feared it might be."
The virus, which began to cause havoc on Friday, is like a chain letter
spread in an e-mail attachment listing several pornographic Web sites.
When recipients open the attachment, it tries to mail itself to 50 other
e-mail addresses stored in the user's computer, propagating itself each
time with the subject line "Important Message From" followed by the name
of the previous victim.
The high-tech sleuthing by Smith here in Cambridge is remarkable in part
because he was the one who earlier this month raised questions about the
propriety of a little-known Microsoft feature that embeds unique
hardware numbers in every Microsoft Office document file.
Microsoft designed the numbering scheme to help track software objects
and documents in a computer network. The company said it would change
the feature after Smith revealed that the company was compiling the
numbers of its users' computers in a database.
On Friday, however, Smith found a new use for the numbering scheme: it
meant that the Melissa file carried a unique fingerprint corresponding
to the personal computer on which it was created. And because the
Microsoft Word program is designed to embed information in each document
about each user who has written or revised it, the file also had what
amounted to an author list.
On Friday evening, Smith collected that information and posted it to an
Internet news group that discusses software viruses. Later that evening
he received a response from a Swedish computer science graduate student
who said the virus writer's activities appeared to be similar to those
of a known virus author who had identified himself as VicodinES in
computer network postings.
"He told me the Melissa virus looked very similar," Smith said. "He had
noticed a similar software coding style."
The graduate student also pointed Smith to a Web site that was
maintained by VicodinES.
"I started looking for files which contained the same Ethernet address,"
the number that provides the digital fingerprint, Smith said. "Then we
could assume the same computer and maybe the same person was the author
of Melissa." On Sunday he succeeded. In addition, he downloaded files
from the Web site that had been revised under the names of multiple
authors, indicating that the work could be a collaboration.
Another avenue of searching the Web yielded more about the identity of
the virus creator. On Saturday Smith discovered that Dr. Solomon, an
anti-virus software company, had posted an alert that the virus had been
mailed on Friday to an online discussion, or news group, from an America
Online account.
Exploring with a Web search engine known as Deja News, which indexes
news groups, he discovered that the same account had posted a virus in
December 1997.
He found serial numbers that linked VicodinES to the America Online
posting.
"It's pretty clear that VicodinES is somehow related to all this," Smith
said. "Whether he's the author I don't know, but he has his fingerprints
everywhere."
He said he also found what appear to be actual names buried in several
documents.
Frederik Bjorck, a doctoral student at Stockholm University, who was
also contacted today by the F.B.I., said that he and Smith had shared
some information, but they essentially reached the same conclusion
independently: that Melissa can be traced to a virus writer who uses the
moniker VicodinES.
"VicodinES is definitely a talent," Bjorck said. "He's the brains behind
this." He said his investigation led him to believe that the virus might
have been written with help from several others.
The Internet host of the VicodinES Web page is SourceofKaos, a loose
organization of Web sites that its creator says is dedicated to freedom
of speech. The creator, who spoke on the condition of anonymity, said
SourceofKaos was the free host of the Web sites of people with unpopular
views, with most of the sites related to virus collection,
detection and creation.
The creator of SourceofKaos, based in Orlando, Fla., said that he had
never met VicodinES, but that they had corresponded last year on the
Internet. He said he recalled VicodinES as being of "high schoolish"
age, but added that VicodinES had a reputation as a talented virus
writer.
"He's capable of doing what this virus does," the creator said.
The VicodinES home page touts the accomplishments of the "noted virus
researcher VicodinES," including the creation of two viruses intended
for Microsoft products. One virus VicodinES claims to have created
infects Excel 97, while a second is designed to infect Office 2000.
Steve R. White, senior manager of anti-virus research at the IBM Watson
Research Center in Hawthorne, N.Y., said Melissa "has spread more widely
and rapidly than any P.C. virus in history," noting that it is too soon
to tell the extent of damage because computer security professionals
still are in "the fog of battle."
Copyright 1999 The New York Times Company