Chasing the Bad Guys
Jimmy Kuo, McAfee Fellow
2 Agenda
• The Melissa Case
• The Sobig.F Case
• The Sasser/Netsky Case
• A Police Reserve Specialist
3 Virus Patrol
• Checks every USENET posting.
• Scans every post that has executable code:
  – html
  – scripts
  – attachments
• About 30 million posts per month (1 million per day).
• Finds 10-20 thousand malware per month (viruses, trojans, bots, etc.).
The Melissa Virus: Who Done It? The McAfee Version
5 Virus Patrol
    WARNING! A virus has been found in a binary file posted to the following newsgroup(s): alt.sex
    Message header follows:
    >Message-Id: <19990326071553.24526.00000525@ng-cg1.aol.com>
    >From: skyroket@aol.com (Sky Roket)
    >Subject: Passcode List 3-26-99
    >Date: 26 Mar 1999 20:15:53
    Dr Solomon's FindVirus/VirusScan report follows:
    Dr Solomon's FindVirus IN-HOUSE version. Copyright (c) 1999 Network Associates Inc.
    Drivers : 26 Mar 1999
    Scanning for 42254 viruses, trojans and variants.
    list.zip\LIST.DOC ... Found the W97M/Melissa virus !!!
6 Skyroket@aol.com
Sky Roket is Scott Steinmetz, from Lynnwood WA.
    born 2-25-62
    Male, Married
    Hobbies: Historical Gamming, Miniature Gamming, and of coarse computers
    Computers: AST Premium
    Occupation: Civil engineer
    Personal Quote: Be happy in all you do
7 Search for Scott Steinmetz
How Jimmy Kuo spent his Saturday:
• Search the internet: Internet white pages (lycos.com, altavista.net, yahoo.com, excite.com)
• The only Scott Steinmetz in Washington is in a different part of WA.
• Only 2 Steinmetz in Lynnwood, not him.
• Contact Seattle Times (Wired magazine also investigating).
• Both reporters able to find the unlisted telephone number and talk to Mr. Steinmetz.
• Both report: “He can’t be the one!”
8 AOL
• Scott Steinmetz says his login id was compromised (stolen).
• AOL searches for “Who logged into that account and posted to the newsgroup at the time specified?”
    Message-Id: <19990326071553.24526.00000525@ng-cg1.aol.com>
    From: skyroket@aol.com (Sky Roket)
    Date: 26 Mar 1999 20:15:53
• IP address of user found.
• IP belongs to Monmouth ISP.
9 Got Him
• Search warrant presented to Monmouth ISP.
• IP is issued to dialups.
• Phone number which connected to that ISP is located.
• FBI and police go to house. No one home.
• Neighbors tell of brother. Go to brother’s house.
• Arrest David L. Smith.
10 Is He VicodinES?
• Melissa is named after a topless dancer from Florida.
• Message post by VicodinES:

    Re: INDUSTRIAL MUSIC FOR SALE #1 - #4
    Author: VicodinES <vicodines@aol.com>
    Date: 1995/04/16
    Forum: rec.music.industrial

    Anyone interested in buying any of these disks 1st punch yourself in the face for even considering paying those OUTRAGOUS prices 2nd check around - D.U. or I.T. or even Blockbuster could beat these prices - hell I've seen some of those cd's in the used stores for $8.00 and I live in the Bass heavy - Industrial scarce state of Florida!
11 Messages From David Smith and VicodinES

    Industrial / Ambient / Techno / Coldwave - CD SALE
    Author: d <dlsmith@monmouth.com>
    Date: 1997/07/10
    Forum: rec.music.industrial

    reply to : dlsmith@monmouth.com
    Posted last week - disks that are spoken for were removed and 5 new disks added
    [list of CDs removed]
    . . . all CD's guarentted to work without skipping or your money back!!! Shipping is 0.75 for the first disk and 0.50 for each additional. For example if you buy 4 disks then shipping is 2.25. Prices for shipping are US only - I will ship overseas but I gotta check prices. I think this is a fair price if you don't then just don't order any disks.
    peace,
    d ----> (dlsmith@monmouth.com)

    Cubanate Discography & Comments
    Author: VicodinES <vicodines@aol.com>
    Date: 1995/04/01
    Forum: rec.music.industrial

    [snip]
    {After the Metal ep is released Cubanate splits (breaks up) into Cubanate and KNitrate - each getting 2 members respectively}
    [snip]
    . . . one comment (opinion) - I feel that Cubanate Antimatter [european] was one of the best releases I have ever purchased and I truly feel that if Cubanate had not split up they would have changed the face of Industrial as we know it - but unfortunatly that will never happen because we now have two decent bands instead of one AMAZING band.
    peace
    Vic
12 Messages From David Smith and VicodinES

    Re: CD-ROM is gone!!!! Virus??
    Author: d <dlsmith@monmouth.com>
    Date: 1997/07/10
    Forum: alt.comp.virus

    I have seen this with AntiCMOS.a in Win95. The virus makes the cd rom drive dissapear. The very suspicious part is that you got a message that your Boot Record has changed. If you didn't install anything that would need to write to your boot sector then I would say that you need to run a current AV program from a clean boot disk - run one with "heuristics" or deep "scan". I like AVP but you can use whoever you want but do it soon.
    peace
    d

    Re: Virus writer makes movies!
    Author: VicodinES <Vic@Bite-Me.Org>
    Date: 1998/05/23
    Forum: alt.comp.virus

    Wow Mark!! Did you not read anything Mr. Sandman said? He doesn't even spread his viruses. Not ONE single virus written by him has EVER been in the wild and you take it upon yourself to "out" him. Maybe he didn't want you to do that - it is LEGAL to write viruses and publish information in his country and so he never crossed the line, unlike you! So now if Mr. Sandman loses business and receives government interference in his life you'll be ok with that? I feel sickened. As always Spanska I agree with you, they just can't except the fact that not all Vx are a bunch of immature children. We enjoy good conversation on this subject but not unfair practices of those overzealous internet wanna-be rent-a-cops! I can't believe some honest discussion with someone who has committed no crime has turned into Marks personal witch hunt. I hope you sleep well tonight Mark. Was it the fact that you were jealous of him and his nice lifestyle? I simply don't understand.
    peace,
    VicodinES
13 Messages From VicodinES

    Re: VIRUS ALERT! (W97M/AntiSR1.intd) (oops...)
    Author: VicodinES <Vic@Bite-Me.Org>
    Date: 1998/02/13
    Forum: alt.comp.virus

    Ok I would like to retract my last post and apologize to the Dr Solomon Virus Patrol. There was an error in that one - I do appreciate you pointing that out to me :) anyway it's now fixed - but you get the idea that SR-1 can be bypassed. Also I'm not going to post the fixed version (I'll just mail it in to some AV's, ok Ståle?). Was everyone else aware of the changes that Microsoft implemented with the SR-1 patch? Did Microsoft send a press release to the any AV companies? Just wondering.
    peace
    Vic

    Re: Narkotic Virus/Help!!!
    Author: VicodinES <Vic@Bite-Me.Org>
    Date: 1998/02/05
    Forum: alt.comp.virus

    It's W97M/Cartman.. and I know all the majors have id'ed it. AVP, McAfee, F-Prot and so on. Update your dat files and / or download a trial version from an up to date AV company and they will remove it.
    see : http://www.datafellows.fi/v-descs/cartman.htm
    peace
    Vic
14 Aftermath
• He is/was VicodinES.
• Pleaded guilty.
  – Guilty under statutes: N.J.S.A. 2C:20-25(a) and 2C:20-26(a); 18 U.S.C. Sections 1030(a)(5)(A) and 2
• 20 month sentence, federal and state; concurrent.
• $5000 Federal fine, $2500 state.
• Cooperated with FBI in surveillance of virus writers.
15 Postscript: David L. Smith
• Released Dec. 10, 2003 – 20 month sentence (May, 2002).
  – Resentenced to 4 years, balance suspended.
  – Original sentence was 10 years.
  – To remain under federal supervision.
  – No access to computer or computer network unless approved by his probation officer.
  – Must perform community service (unspecified).
The Sobig.F Case
17 Top email viruses by month
Leading virus first; the number in parentheses is the rank of the following entry in that month.
    January 2003:   Klez.H: 619170, (3) Sobig.A: 155796
    February 2003:  Klez.H: 366617, (4) Sobig.A: 130672
    March 2003:     Klez.H: 425277, (3) Sobig.A: 129835
    April 2003:     Klez.H: 388801, (2) Sobig.A: 106673
    May 2003:       Yaha.E: 466729, (2) Sobig.B: 404655
    June 2003:      Bugbear: 426673, (4) Sobig.C: 177622, (5) Sobig.E: 168156, (6) Sobig.A: 84564
    July 2003:      Yaha.E: 399601, (3) Sobig.E: 189890, (5) Sobig.A: 73915
    August 2003:    Sobig.F: 12,501,932 (13 days)
    September 2003: Sobig.F: 19,175,210 (10 days, +), (2) Swen.A: 1,748,562
    October 2003:   Swen.A: 1,833,148, (2) Sobig.F: 483667
    November 2003:  Swen.A: 700802, (3) Sobig.F: 346905
    December 2003:  Dumaru.A: 499746, (3) Sobig.F: 318718
    January 2004:   MyDoom.A: 19,768,533 (6 days), (4) Sobig.F: 246063
    February 2004:  MyDoom.A: 39,302,679 (11 days), (3) Sobig.F: 326819
Ref: http://www.messagelabs.com/viruseye/threats/list/default.asp
18 The earlier variants
• Sobig.A  January 9, 2003
• Sobig.B  May 18, 2003
• Sobig.C  May 31, 2003
• Sobig.D  June 18, 2003
• Sobig.E  June 25, 2003
• Sobig.F  August 18, 2003
19
• Sobig.A  January 9, 2003
    WARNING! A trojan has been found in an article posted to the following newsgroup(s): alt.binaries.pictures.comics, alt.binaries.amp, alt.binaries.bruce-lloyd, alt.binaries.nospam.teenfem.no-rules, alt.binaries.pictures.chimera, alt.binaries.pictures.erotica
    >Message-Id: <Vb8T9.155383$vi4.19804@post-02.news.easynews.com>
    >From: "Sanny" <san@dot.com>
    >Subject: The best!!! Magda_00374.mpeg
    >Date: 09 Jan 2003 05:58:14 GMT
    Magda_00374.mpeg.pif ... Found the MultiDropper-FB trojan !!!
• Sobig.B  May 18, 2003
    WARNING! A trojan has been found in an article posted to the following newsgroup(s): alt.binaries.pictures.comics, alt.binaries.models, alt.binaries.nospam.teenfem.no-rules, alt.binaries.pictures.erotica.amateur.female, alt.binaries.pictures.erotica.black.females, alt.binaries.pictures.erotica.gaymen
    >Message-Id: <w.Kdxa.76772$OA4.1493761@news.easynews.com>
    >From: "Opare" <opa@re.com>
    >Subject: Cute! Whos got more? Kate_DCP-0765.jpeg
    >Date: 16 May 2003 22:37:17 GMT
    Kate_DCP-0765.jpeg.pif ... Found the MultiDropper-FB trojan !!!
20
• Sobig.C  May 31, 2003
    WARNING! A trojan has been found in an article posted to the following newsgroup(s): alt.binaries.pictures.suze.repost, alt.binaries.erotic.senior-citizens, alt.binaries.full.post.verified.playboy, alt.binaries.pictures.erotica.black.females, alt.binaries.pictures.erotica.gaymen, alt.binaries.sounds.mp3.holland
    >Message-Id: <MPG.19420de150e0db47989685@news.easynews.com>
    >From: Bessy <bessy@hot.com>
    >Subject: Who's got more? DCP_4564.jpeg - DCP_4564.jpeg.pif [1/1]
    >Date: 31 May 2003 00:53:39 GMT
    DCP_4564.jpeg.pif ... Found the MultiDropper-FB trojan !!!
• Sobig.D  June 18, 2003
    WARNING! A trojan has been found in an article posted to the following newsgroup(s): alt.binaries.pictures.diva, alt.binaries.boneless, alt.binaries.nl, alt.binaries.pictures.bluebird.reposts, alt.binaries.pictures.erotica
    >Message-Id: <MPG.1959b67c7e254db9989681@news.easynews.com>
    >From: osara <ossara@os.net>
    >Subject: Who's got more? - DSC-003745.jpeg
    >Date: 17 Jun 2003 23:33:08 GMT
    DSC-003745.jpeg.pif ... Found the MultiDropper-FB trojan !!!
21
• Sobig.E  June 25, 2003
    WARNING! A trojan has been found in an article posted to the following newsgroup(s): alt.binaries.sounds.mp3.complete_cd
    >Message-Id: <MPG.1963031dcaffc795989682@news.easynews.com>
    >From: Cousy <cou@su.org>
    >Subject: Have you seen this one before? PC00354727.jpeg
    >Date: 25 Jun 2003 00:51:39 GMT
    PC00354727.jpeg.scr ... Found the MultiDropper-FB trojan !!!
• Sobig.F  August 18, 2003
22 What we got!
    WARNING! A trojan has been found in an article posted to the following newsgroup(s): alt.binaries.amp, alt.binaries.pictures.chimera, alt.binaries.pictures.erotica.amateur.female
    Message header follows:
    >Message-Id: <MPG.19ab3e8e843bdff0989681@news.easynews.com>
    >From: Misiko <Misiko@dot.com>
    >Subject: Nice, who has more of it? DSC-00465.jpeg
    >Date: 18 Aug 2003 19:46:19 GMT
    DSC-00465.jpeg.pif ... Found the MultiDropper-FB trojan !!!
23 Others
    WARNING! A trojan has been found in an article posted to the following newsgroup(s): alt.binaries.full.post.verified.playboy, alt.binaries.nospam.teenfem.nonude, alt.binaries.pictures.bluebird.reposts, alt.binaries.pictures.erotica.amateur.females, alt.binaries.pictures.erotica.amateurs
    Message header follows:
    >Message-Id: <MPG.19ab40b72e8ed720989682@news.easynews.com>
    >From: Misiko <Misiko@dot.com>
    >Subject: Great, who's got more?? DSC-00465.jpeg
    >Date: 18 Aug 2003 19:55:13 GMT
    DSC-00465.jpeg.pif ... Found the MultiDropper-FB trojan !!!
24 3 in total
    WARNING! A trojan has been found in an article posted to the following newsgroup(s): dk.binaer.erotik, alt.binaries.pictures.comics
    Message header follows:
    >Message-Id: <MPG.19ab4172760b1166989683@news.easynews.com>
    >From: Misiko <Misiko@dot.com>
    >Subject: Great, who's got any more? DSC-00465.jpeg
    >Date: 18 Aug 2003 19:57:11 GMT
    DSC-00465.jpeg.scr ... Found the MultiDropper-FB trojan !!!
25 What we got!
    WARNING! A trojan has been found in an article posted to the following newsgroup(s): alt.binaries.amp, alt.binaries.pictures.chimera, alt.binaries.pictures.erotica.amateur.female
    Message header follows:
    >Message-Id: <MPG.19ab3e8e843bdff0989681@news.easynews.com>
    >From: Misiko <Misiko@dot.com>
    >Subject: Nice, who has more of it? DSC-00465.jpeg
    >Date: 18 Aug 2003 19:46:19 GMT
    DSC-00465.jpeg.pif ... Found the MultiDropper-FB trojan !!!
26 MultiDropper-FB
• Dropper stub in front of Sobig.F virus!
• Not natural from virus!
• Had to be from virus release!!!
Package it up and call FBI!
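The reasoning of this slide turned into a triage check, as an added example that is not McAfee's Virus Patrol code: parse alert records laid out like the ones above and group dropper-stub detections by sender, since a worm mailing itself never produces the stub. The sample feed is constructed from the Sobig.E and Sobig.F alerts shown on these slides; the record field names and the `MultiDropper-FB` filter are this example's own choices.

```python
"""Virus Patrol alert triage (constructed example, not McAfee's code): a worm
mass-mailing itself ships its own body, never a dropper stub, so a stub caught
on Usenet is a release candidate; group such hits by sender and timing."""
import re
from collections import defaultdict
from datetime import datetime
# Constructed feed modelled on the Sobig.E and Sobig.F alerts on the slides
# (Message-Ids, senders and timestamps as shown there; Subject lines dropped).
ALERTS = """\
WARNING! A trojan has been found in an article posted to the following newsgroup(s): alt.binaries.sounds.mp3.complete_cd
>Message-Id: <MPG.1963031dcaffc795989682@news.easynews.com>
>From: Cousy <cou@su.org>
>Date: 25 Jun 2003 00:51:39 GMT
PC00354727.jpeg.scr ... Found the MultiDropper-FB trojan !!!
WARNING! A trojan has been found in an article posted to the following newsgroup(s): alt.binaries.amp, alt.binaries.pictures.chimera
>Message-Id: <MPG.19ab3e8e843bdff0989681@news.easynews.com>
>From: Misiko <Misiko@dot.com>
>Date: 18 Aug 2003 19:46:19 GMT
DSC-00465.jpeg.pif ... Found the MultiDropper-FB trojan !!!
WARNING! A trojan has been found in an article posted to the following newsgroup(s): alt.binaries.full.post.verified.playboy
>Message-Id: <MPG.19ab40b72e8ed720989682@news.easynews.com>
>From: Misiko <Misiko@dot.com>
>Date: 18 Aug 2003 19:55:13 GMT
DSC-00465.jpeg.pif ... Found the MultiDropper-FB trojan !!!
WARNING! A trojan has been found in an article posted to the following newsgroup(s): dk.binaer.erotik, alt.binaries.pictures.comics
>Message-Id: <MPG.19ab4172760b1166989683@news.easynews.com>
>From: Misiko <Misiko@dot.com>
>Date: 18 Aug 2003 19:57:11 GMT
DSC-00465.jpeg.scr ... Found the MultiDropper-FB trojan !!!
"""
HEADER = re.compile(r"^>(Message-Id|From|Date):\s*(.*)$", re.M)
VERDICT = re.compile(r"^(\S+) \.\.\. Found the (\S+) (?:trojan|virus)", re.M)

def parse_alerts(text):
    """One dict per WARNING! block: quoted headers, newsgroups, file and verdict."""
    records = []
    for block in text.split("WARNING!")[1:]:
        rec = {k.lower(): v.strip() for k, v in HEADER.findall(block)}
        groups = block.split("newsgroup(s):", 1)[1].splitlines()[0]
        rec["groups"] = [g.strip() for g in groups.split(",")]
        rec["file"], rec["detection"] = VERDICT.search(block).groups()
        rec["when"] = datetime.strptime(rec["date"], "%d %b %Y %H:%M:%S GMT")
        records.append(rec)
    return records

def release_candidates(records, dropper_names=("MultiDropper-FB",)):
    """Dropper-stub hits grouped by sender (each a case to open), with time spread."""
    by_sender = defaultdict(list)
    for r in sorted(records, key=lambda r: r["when"]):
        if r["detection"] in dropper_names:
            by_sender[r["from"]].append(r)
    return {s: {"ids": [p["message-id"] for p in posts],
                "span": posts[-1]["when"] - posts[0]["when"]}
            for s, posts in by_sender.items()}
```

Three crossposts from one throwaway address inside eleven minutes, all carrying the stub, is the pattern the slide calls a release; the span field makes that burst visible without reading the raw alerts.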
27 Next steps
• Call FBI contact
• Send set of Aug 18 Virus Patrol messages
• Discuss with another FBI agent
• FBI obtains Grand Jury subpoena for EasyNews.com servers
28 Findings - As reported by Michael Minor
• Account was opened using a stolen credit card
• Account was opened minutes before the virus was released
• Account traced to a computer in BC, Canada [Burnaby, outside Vancouver]
• Machine was previously infected and commandeered
29 Continuing Investigation
Netsky vs. Bagle and Sasser
31 Mydoom
• Mydoom.A  January 26, 2004
• Mydoom.B  January 28, 2004
• Mydoom.C  Skipped (someone outside of the AV industry used it for Doomjuice.A, February 9, 2004)
• Mydoom.D  February 12, 2004
• Mydoom.E  February 13, 2004
• Mydoom.F  February 19, 2004
• Mydoom.G  March 2, 2004
• Mydoom.H  March 3, 2004
32 Bagle / Netsky / Mydoom
Bagle:
• .A 1/18/04
• .B 2/17/04
• .C 2/27/04
Netsky:
• .A 2/16/04
• .B 2/18/04 – “Skynet, not Netsky”; announces self as Skynet.cz
• .C 2/25/04 – Calls Mydoom.F a thief of ideas
Mydoom (most viral emails ever; same author; source code distributed, now different authors):
• .A 1/26/04
• .B 1/28/04
• .D 2/12/04
• .E 2/13/04
• .F 2/19/04

33 Bagle / Netsky / Mydoom
Bagle:
• .D 2/28/04
• .E 2/28/04
• .F 2/29/04
• .G 2/29/04
• .H 3/1/04 – Introduces passworded ZIP files
• .I 3/2/04
• .J 3/2/04 – “Hey, Netsky, fuck off you bitch, don’t ruine our bussiness, wanna start a war?”
• .K 3/3/04
Netsky:
• .D 3/1/04 – Reiterates Skynet.cz
• .E 3/2/04
• .F 3/3/04
• .G 3/4/04
• .H 3/5/04
Mydoom:
• .G 3/2/04
• .H 3/3/04

34 Bagle / Netsky
Bagle:
• .L 3/9/04
• .M 3/11/04
• .N 3/13/04 – ZIP password now given via an image file
• .O 3/15/04
• .P 3/15/04
Netsky:
• .I 3/7/04
• .J 3/8/04
• .K 3/8/04 – Mentions Texas and “last one”
• .L 3/10/04
• .M 3/11/04
• .N 3/15/04
• .O 3/17/04 – Hand off of source to another set of programmers; mentions Fanaticon

35 Bagle / Netsky
Bagle:
• .Q, .R, .S, .T 3/18/04 – Uses 590 internet infected machines to infect through
• .U 3/26/04
• .V 3/29/04
• .W 4/5/04
• .X 4/8/04
Netsky:
• .P 3/21/04
• .Q 3/28/04 – Mentions Russia; no backdoors
• .R 3/31/04, .S 4/5/04, .T 4/6/04, .U 4/7/04 – Mentions Bruce Schneider, cz, and Russia; inserts backdoor

36 Bagle / Netsky / Sasser
Bagle:
• .Y 4/26/04
• .Z
• .AA
Netsky:
• .V 4/14/04
• .W 4/16/04
• .X 4/21/04 – “… our new AntiHacker Engine”; “From NetDy: Hey Bagle whats up?”
• .Y 4/26/04
• .Z
• .AA
• .AB 4/28/04 – “Hey Bagle, feel our revenge!”
• .AC 5/2/04 – “… we have programmed the sasser virus”
Sasser:
• .A 4/30/04
• .B 5/1/04
• .C 5/2/04
• .D 5/3/04 – SKYNETAVE.EXE

37 Bagle / Netsky / Sasser
Bagle:
• .AB 5/6/04
Netsky:
• .AD 5/19/04
Sasser:
• .E 5/8/04
• .F
Events:
• 5/8/04 – Sven Jaschan arrested for Sasser
• 5/8/04 – 21 year-old and others arrested for Agobot
• 5/11/04 – 5 more arrests for Sasser, 1 admits to distribution
• 9/10/04 – Sven Jaschan indicted: Computer Sabotage, $157,000 damage
38 Sven Jaschan
• Confiscated source code reveals he authored Sasser.A through .E. (.F is repackaged .A.)
• Source code shows he made use of much downloaded source code.
• Netsky source code also confiscated.
• Turned 18 during the Sasser incidents.
• To be prosecuted as a young adult.
39 Continuing Prosecution
40 More Arrests in Lower Saxony
• Sept. 4, 2004 – Teenager arrested for domain hijack of eBay.de
Virus Patrol update
42 Dmitry Gryaznov continues work: IRC Patrol
    Network: DALnet
    Channel: #sayangabang
    Server: mesra.kl.my.dal.net
    User: D^S^Alam!entah@klg-40-101.tm.net.my
    DCC_Send: C:\WINDOWS\LIFE_STAGES.TXT.SHS 202.188.40.101:2538
    File: DCC000.dcc
    Size: 39936
    DCC000.dcc ... Found the IRC/Stages.worm virus !!!
43 Dmitry Gryaznov continues work: P2P Patrol
    Network: Gnutella
    URL: http://69.153.60.201:9725/get/347/Britney Spears - 07 - I love rock and roll.mp3.vbs
    AlsoSeenAt: 65.24.171.3
    File: PUSH8Instrume.vbs
    Size: 12171
    PUSH8Instrume.vbs ... Found the VBS/LoveLetter@MM virus !!!
44 More P2P Patrol outputs
    Network: Gnutella
    URL: http://216.175.106.245:62118/get/295/Norton Internet Security 2003 Professional.exe
    File: PUSH08Norton_I.exe
    Size: 39936
    PUSH08Norton_I.exe ... Found the W32/Ronoper.worm.u virus !!!
Police Reserve Specialist
46 Hillsboro, Oregon Police Department
“Through use of specialized reserve volunteers, to augment, broaden, and increase, the effectiveness of HPD in its mission to protect the community”
• Training on Legal Procedures, and General Orientation to Enforcement and Investigations
• Limited Duty (not gun-carrying)
• To be utilized when and where specialized skills are needed
• Works directly with or under the direction of law enforcement.
47 PRS Involvement
• Computer Forensics
• Computer/Information Security
• Network & Systems Analysis
• Intellectual Property Investigations
• ID Theft & Fraud Investigations
• Spin-off projects for the Community
Identity Theft
49 Phishing Scams
Send email to:
• spoof@ebay.com
• phishing@visa.com
Contact: www.ic3.gov
50 Questions?