Catching a virus
September 2, 2003 2:51 PM   Subscribe

This kid is a complete retard, have the virus contact his own domain where he also hosts a bunch of other worm related stuff and call the executable teekid (his handle) duh.....
posted by zeoslap at 2:59 PM on September 2, 2003

"Smoking Gun Filter" in 3, 2, 1 . . .
posted by Outlawyr at 3:00 PM on September 2, 2003

You know, I usually support white hat and even black hat hacking, cracking, and other sometimes malicious stuff because I don't like to hinder creativity of any sort, but the sobig virus has caused a tremendous amount of damage. I'm still getting dozens of bounce messages from fake emails that look like they were sent from me, and I just deleted 1500 sobig messages that have been piling up in the past five days.
posted by mathowie at 3:03 PM on September 2, 2003

Seems like this kid is going to be made an example of just because he was stupid enough to get caught. It didnt exactly require a rocket scientist to catch him either. The first rule of Worm writing is dont send information back to your website duh! of course he could claim he's being framed, i guess.
posted by carfilhiot at 3:10 PM on September 2, 2003

Weird how the TSG url says 'sobig1.html' when the Blaster/Lovesan worm has nothing at all to do with the SoBig virus.
posted by zsazsa at 3:15 PM on September 2, 2003

Fry this fucking kid.

I've got his application, right here.
posted by xmutex at 3:20 PM on September 2, 2003

Fascinating, my ass - this was one of the easiest virus busts to ever happen - he left a trail of white flour on black asphault.

Second, Matt - he actually was nabbed for taking the Blaster worm (NOT SoBig) and making a variant (Blaster.B) that infected only approx. 7,000 of the alleged.....1.2M victims. That's what, 0.5% ?

Between the amount of damage caused with Blaster and then SoBig, the Feds are looking for someone....ANYONE to make it look like they're making headway in this case.

The good thing is if Lee left this trail, he probably has the source code for Blaster variant A lying around which, with any luck, should have some sort of patterns not available via reverse engineering or hexediting.

Where does this lead us with SoBig? We're up to F....and all I've heard is that it was spread via a file disguised as porn, using an account on a newsgroup server bought with a stolen credit card using a hacked computer based in Canada.

Not a peep about variants A-E...and at this point everyone's wondering if G is due around Sept. 11th - two days after all the other variants are suppose to "drop dead" and stop pinging their servers and spreading.

*mumble*
posted by bkdelong at 3:33 PM on September 2, 2003

I heard something somewhere about this only affecting Microsoft systems.

hmm.
posted by xmutex at 3:39 PM on September 2, 2003

Like everyone else said, he was easily caught because he had the worm contact his website. Thats like robbing a bank and leaving your bank statement behind.
posted by Keyser Soze at 3:45 PM on September 2, 2003

The good thing is if Lee left this trail, he probably has the source code for Blaster variant A lying around which, with any luck, should have some sort of patterns not available via reverse engineering or hexediting.

He probably just hex edited the original executable or ran a bound his own exe to the original.
posted by angry modem at 3:57 PM on September 2, 2003

What a stupid friggin kid. Why don't you just leave a big message saying "Jeffery Lee Wuz here!" in the code? Nimrod.
posted by aacheson at 3:57 PM on September 2, 2003

er, -ran a
posted by angry modem at 4:07 PM on September 2, 2003

Weird how the TSG url says 'sobig1.html' when the Blaster/Lovesan worm has nothing at all to do with the SoBig virus.

Maybe they were referring to Lee himself.
posted by jpoulos at 4:08 PM on September 2, 2003

I usually support white hat and even black hat hacking, cracking, and other sometimes malicious stuff because I don't like to hinder creativity of any sort.

This makes less than no sense to me, Matt. White hats are great. But supporting malicious hacking/viruses in the name of creativity? Do you feel the same way about people who smash up store windows late at night? Punks who key up peoples cars? What about clever bank heists? Clever scam artists?

Viruses like the ones going around now cost real time and real money, as you said. So why be lenient about it? Writing a virus could be creative, (although the word is that blaster was a sloppy hack) but launching one is always thuggish vandalism.
posted by tirade at 4:39 PM on September 2, 2003

This makes less than no sense to me, Matt.

In general, I treat software crime different than regular real-world crime, because it is usually not comparable. The sobig stuff and blaster stuff is in fact some gnarly stuff that is responsible for millions of wasted manhours, but in general I can turn a cheek at even the most malicious stuff.

I say that even after this metafilter server has been "0wnzered" a couple times and my work sites have been totally wiped out. The extent to which the crackers went to complete the attacks is fascinating to me, even though I was the one wronged. There's a real craft in it, with various levels of proxy cloaking, the exploits they use in the OS and the tools they create to do it. I've spoken directly with people that did the "crimes" before and I enjoyed the conversations, even though they totally took my server over. I came out of every hack knowing quite a few new tricks to thwart future attackers.

I guess what I meant to say is that I don't equate someone getting a login to a SQL server somewhere with the kidnapping of my child or the theft of my car.
posted by mathowie at 5:11 PM on September 2, 2003

You might be doing a diservice to the future crackers, too, I might note -- if they get the idea that everyone might be as cool about it as you are.

/starts looking for exploits on metafilter.
posted by weston at 5:33 PM on September 2, 2003

But what about the Hinternet? It's an interersting challenge and an ego boost when I and my techy l33t pals avoid being "0wnzered", but for normal neophytes like my Dad, it's a day of annoyance. He doesn't appreciate how 'cool' thse hacks are.
posted by punilux at 5:40 PM on September 2, 2003

Actually his last name is Parson. He only wrote a variation that had his name all over it, probably for bragging rights, that infected a few thousand computers. Simply put, this is not the droid youre looking for.

"Piling on" as its called is hardly the "virus author" and infecting 7,000 machines is hardly the guy responsible for the attack. Not to mention it takes two people to pull off an attack, the one who wrote the vulnerability (Microsoft) and the one who exploited it. He's more of a looter than a bank robber. I'm curious as to some kind of class action for gross incompetence and liability against MS, regardless of what their click-through-licenses say.

Also, how to filter out SoBig by subject line. Works for me.
posted by skallas at 5:50 PM on September 2, 2003

The good thing is if Lee left this trail, he probably has the source code for Blaster variant A lying around which, with any luck, should have some sort of patterns not available via reverse engineering or hexediting.

He probably just hex edited the original executable or ran a bound his own exe to the original.

what do you mean by patterns?

a chinese group orignally reverse engineered the MS patch to find the exploit and then posted source code for the crack IIRC. So the source has always been out there. not that it's required. how it infects and what the worm does afterwards is pretty obvious to anyone with or without the source. its not going to help stop it by looking at the source - the only thing that helps is patching!
posted by carfilhiot at 6:06 PM on September 2, 2003

You might be doing a diservice to the future crackers, too, I might note -- if they get the idea that everyone might be as cool about it as you are.

but it's impossible to stop. if you've got an open connection to the internet, you've probably got a firewall. check how many portscans and other dodgy people trying to connect to your machine. probably ~20-40 per hour. you can't stop that - you may have the ip of the person connecting to you but who do you complain to? a while back there was an article on /. about a guy who tried to get the fbi to do something about a hacker. they just laughed at him - unless you're a corporate you are nothing.

in many ways it's worse than spam. you just accept it and patch often, if you're not behind a firewall.
posted by carfilhiot at 6:14 PM on September 2, 2003

Blaster and its variants are a form of wealth redistribution. The average computer user, who hasn't a clue how to remove the virus once infected, pays PC techs to remove it. The Mom and Pop computer shop I work for did 80 PCs with Blaster at $55 a pop. Great revenue for us ... sucks for the folks forkin' over the fee.
posted by netbros at 7:07 PM on September 2, 2003

I don't equate someone getting a login to a SQL server somewhere with the kidnapping of my child or the theft of my car.

nor i. but our government DOES, and there's a problem in that, i think.

Blaster and its variants are a form of wealth redistribution.

as are the entire line of microshit products. an entire industry depends on the regular failure of microshit products.
posted by quonsar at 7:34 PM on September 2, 2003

a chinese group orignally reverse engineered the MS patch to find the exploit and then posted source code for the crack

This could explain why Microsoft are so reluctant to fix potential exploits.
posted by inpHilltr8r at 8:00 PM on September 2, 2003

I with Matt on the whole hacker thing. I've been around the net long enough to remember when getting superuser access was a goal...not a crime. And I have friends who write virus...and none of them have ever released one. Most coders at anti-virus houses could whip out code so virulent the net wouldn't know what hit it...but they don't. Why? Because they aren't script kiddies.

This kid is a script kiddie. He admitted that he only modified someone else's code, then with his amazing l33t powers of d00m he whipped up a butt ugly website that tracked back to him. He's an idiot, and should be soundly spanked with a deck of punchcards...but this is to hacking what the Keystone Cops are to forensic investigators.

Now, if we find the little bastard who released sobig, I firmly believe that a just punishment would be to glue the Alt Ctrl Del keys to his little nads and reboot him...say once for each sobig message each of us had to deal with.
posted by dejah420 at 8:52 PM on September 2, 2003

There is something interesting here. I don't follow these things as closely as I used to when I was a corporate network administrator, but I believe this is the first time that a "successful" newsworthy virus/worm was created by reverse-engineering the patch. The reverse-engineering has happened before, but I think this is the first time that it was actually incorporated into a widespread, successful attack.

I don't entirely look down on cracker hackers; some of them are just the doorknob-turners of the internet. But others go farther, and put sugar in gas tanks -- or the analogy that I use for virus and worm authors, putting sugar in a gas station's supply tank. It's malicious, it causes enormously expensive damage (most of which is simply lost administrator time -- or lost administrator sleep!), and it needs to be prosecuted.

By the way, the FBI's resource limitations mean they have a net $5000 floor for damages to become involved in a case. That sucks for individuals, of course, but it doesn't bar local prosecution, or civil lawsuits, by any means.

And it bears repeating: Microsoft is the target, because Microsoft is everywhere. This would be true even if their security were 10x better. Redmond is much better these days at promptly patching most security holes, and has moved to incorporate automatic Windows Update in its new operating systems (which may, or may not, be turned onby default, depending on OEM). The problem is the vast numbers of unpatched systems, as this example proves: the worm didn't appear until after the patch. Nor is it simply dumb users that may be blamed. Many corporations have strict, bureaucratic change control processes that require testing new OS patches with all critical company software before it can begin to be deployed. This hampers the prompt installation of patches. Few administrators are eager to hand over the process to an automated wizard, because the chances of the patch breaking something important are much higher than the chances of the corporate network being compromised. This gap between patch availability and patch installation is always going to be there in some fashion, and is the weak link in the chain, ripe for exploitation.
posted by dhartung at 10:20 PM on September 2, 2003

Microsoft is the target, because Microsoft is everywhere. This would be true even if their security were 10x better.

I tend to reject the idea that they're only a target because they're popular, however. Take Apache, for example, which can beat IIS in most popularity contests, but seems to have a rep for fewer vulnerabilities and more quickly applied patches.

Of course, we're talking about a different user base when we talk about web servers rather than email clients (sysadmins vs. everyday users) and that makes a difference. But one assumes that sysadmin dilligence would scale up on both sides of the IIS / Apache comparison...
posted by weston at 9:27 AM on September 3, 2003

Of course, we're talking about a different user base when we talk about web servers rather than email clients (sysadmins vs. everyday users) and that makes a difference.

Sure does. Imagine a Windowless world with millions of joe schmoe home users trying to keep their linux desktops secure... scary thought.
posted by tirade at 10:10 AM on September 3, 2003

I think it's a lot less scary than the current situation, tirade.
posted by maniactown at 11:55 AM on September 3, 2003

... or imagine a world with OSes that measure the time between vulnerabilities in the default install in years.

Stop buying the corporate software lies, it's possible to distribute software that doesn't contain holes like this. The fact of the matter is that it's more profitable not to, and I'm sure we're all aware of where Microsoft stands on the profit vs. customer satisfaction issue.

As it was said above, this won't stop until people stop caring about the people exploiting these holes, and start worrying about the people who create the holes. You don't think master-lock would be in a world of lawsuits if you could open any of their padlocks by holding them just so? There's an expectation of security in an OS just as there is in a padlock. Sure this guy is a criminal, but the real crime is that companies like Microsoft continue to profit off of developing dangerous software.
posted by betaray at 8:46 PM on September 4, 2003