FBI hunts down worm writers

Companies and home computer users have had to deal with the MSBlast worm--also known as W32/Blaster and W32.Lovsan--which started spreading Aug. 11; a worm that attempted to plug the hole exploited by the MSBlast worm; and the Sobig.F virus, which spread through e-mail attachments opened by unsuspecting people.

"We are working with the Department of Homeland Security and with state and local law enforcement on our Cyber Task Forces to track down the perpetrators of Sobig and the recent W32/Blaster worm," FBI Director Robert Mueller said in a statement. "We employ the latest technology and code analysis to direct us to potential sources, and I am confident that we will find the culprits."

The FBI subpoenaed Arizona Internet provider Easynews.com a week ago, looking for more information about a person who posted the Sobig.F virus to several porn newsgroups. Easynews didn't answer interview requests but released a statement last Friday.

"It appears the account was created with a stolen credit card for the sole purpose of uploading the virus to the Usenet network," Michael Minor, chief technology officer of Easynews, said in the statement.

The FBI has its work cut out for it.

The agency has caught only a handful of suspected virus writers, usually because the suspects left a digital trail back to their PCs or talked about the attack after the fact. The person who wrote the Melissa virus, David L. Smith, was nabbed because he released the virus using a stolen America Online account that he connected to using his home computer. The author of the Anna Kournikova virus admitted to releasing that program after creating it with a point-and-click toolkit.

While finding clues on the Internet may be more difficult than finding a needle in the proverbial haystack, high-profile cases may generate their own leads because of the amount of scrutiny that the Internet security community brings to bear, said Steve Trilling, senior director of research for security firm Symantec.

"Historically, we have seen that the cases that have done the most damage have received the most scrutiny," he said. Sobig has caused a great deal of damage.

Sobig.F hit the Internet hard last week, clogging e-mail systems with messages that bear copies of the virus. The Sobig.F virus spreads by harvesting e-mails from Web pages and from an infected computer's address book. It sends a copy of itself to the addresses in an e-mail message with subject lines such as "Your Details," "Re: Approved" and "Thank you!" The virus also spreads by copying itself to shared network hard drives that are accessible to the infected computer.

Sobig.F has spread aggressively, sending far more e-mails with copies of the virus than any such program to date. The latest Sobig virus uses an e-mail address other than the victim's as the apparent source of e-mail messages that it sends to spread itself. Many antivirus systems send alerts to the apparent senders of viral e-mail messages, notifying them that they are infected--even when the malicious program is known to forge the source's e-mail address. The result is more clogging of in-boxes and more confusion, as users have to deal with additional messages that accuse them of being infected.

Despite the hunt, many security experts believe that the author of the Sobig virus will strike again. That's because the Sobig viruses--the first of which was created in January--are thought to be created as a moneymaker. The viruses turn every infected PC into an "open proxy," or a system that can be used to send spam. Security experts believe that the programmers of Sobig sell the list of open proxies to underground bulk e-mailers that need to send anonymous e-mail.

The FBI requested that anyone with any clues to the origins of Sobig or the MSBlast worm contact the bureau immediately.