Security experts are expressing caution about the FBI's confident prediction that it will catch all the culprits behind the two viral epidemics which ravaged the Internet last month.
Although quick to praise to authorities for nabbing Jeffrey Lee Parson, 18, on suspicion of writing a copycat version of the Blaster worm last Friday, AV specialists warn that other suspects in the Blaster and Sobig-F outbreaks may be much more difficult to track down.
Alex Shipp, anti-virus technologist at MessageLabs, drew a distinction between script kiddie-style virus authors such as Parson, who often brag about their exploits, and the unknown creators of the Sobig mass mailer series, who cover their tracks.
"There's a big difference between virus authors like Simon Vallor, who was caught after he boasted about creating a series of viruses in a chatroom, who are crying out for attention and whoever wrote the Sobig series," Shipp told The Register.
"Virus writers put their name inside viruses or leave a trail from where a virus is first posted on the Net back to them. The people behind Sobig have left no such clues. It'll be difficult to track them down but with more variants coming out over time this may help the authorities, especially if the people behind the virus make a mistake," he added.
Graham Cluley, senior technology consultant for Sophos Anti-Virus, agrees that there are "no obvious clues" in the code of the Sobig mass mailers.
However Sobig-F did attempt to contact 20 computers just over a week ago in a failed attempt to download a 'second-phase' payload. Analysing these computers might be a useful line of inquiry, Cluley suggests.
Investigators think the original Blaster worm was posted onto a pornographic newsgroup via Arizona ISP Easynews.com using an account purchased with a stolen credit card.
Meanwhile the variant of the worm allegedly created by Parson contained a Trojan horse component, which communicated with a virus-writing Web site owned by the teenager. For good measure Parsons' online nickname teekid is coded into Blaster-B.
Sometimes, as in the case Jan de Wit, author of the Anna Kournikova worm, virus authors turn themselves into the authorities out of remorse for their actions. but virus writers are seldom discreet.
Cluley comments: "What pleasure can you get in creating a virus if you don't tell anyone?"
Vanity isn't the only factor that gives virus authors away. Stupidity often plays a decisive role. Although this charge has been levelled at Parsons, Cluley reckons Michael Buen
- a virus writer who included his CV in the malicious code he produced - is easily the dumbest he has ever come across.
The unlikely lads: virus writers in the dock
In November 1988, Cornell graduate student Robert Morris wrote the first worm to propagate over the Internet. The Morris Worm exploited a Unix-related vulnerability to spread. Morris, the son of a security expert at the National Security Agency, was convicted of computer abuse offences and sentenced to three years probation, 400 hours of community service and a $10,000 fine.
In November 1995, Christopher Pile (alias "The Black Baron") appeared for sentencing for eleven offences under the Sections two and three of the Computer Misuse Act at Exeter Crown Court. Pile, who had earlier pleaded guilty to all charges against him, was sentenced to eighteen months in prison.
Cheng Ing-hau, a sergeant in the Taiwanese Army, wrote the destructive Chernobyl (CIH) virus in 1998, reportedly out of a grievance he harboured against AV companies. The virus was programmed to erase the contents of infected hard disks on April 26, the anniversary of the Chernobyl nuclear disaster of 1986. He was detained by the Taiwanese military authorities in April 1999 but later released without charge because (scarcely believably) no Taiwanese firms came forward to admit they had been affected by the virus. He was re-arrested in September 2000 after a complaint by a Taiwanese student but again managed to escape serious punishment.
David L Smith of New Jersey wrote the Melissa mass mailing virus, which he released in March 1999, reportedly as a 'tribute' to a Florida lap dancer he was fixated upon. The worm created a message storm which forced major IT companies including Microsoft, Intel and Lucent Technologies to shut down their email gateways and left a trail of destruction in its wake. Smith pleaded guilty to releasing the virus in December 1999 but the authorities left him waiting for sentencing until May 2002, when he was sent to jail for 20 months and fined $5,000. Smith, who's in his 30s, launched the prolific Melissa mass mailing worm by posting infected documents to an alt.sex Usenet newsgroup using a stolen AOL account. Investigators eventually traced Smith from this illicit posting.
Filipino computer studies student Onel de Guzman was prime suspect in the release of the LoveBug computer virus in 2000. A lack of relevant computer crime laws in the Philippines meant he was never prosecuted. Guzman was mates with Michael Buen, who somehow reckoned bundling his CV with a computer virus might inprove his chances of geting a job.
Jan de Wit (AKA On the Fly), of The Netherlands, wrote the Anna Kournikova virus in 2001 using virus creation toolkit. Shocked at the success of his creation, de Wit turned himself into the authorities and pleaded guilty to releasing the prolific mass mailing worm. He claimed he released the virus as an experiment after reading a survey which suggested users hadn't learnt any lessons from the spread of the LoveBug.
At de Wit's September 2001 trial, US investigators were only able to list 55 incidents of infection, causing just $166,827 worth of damage (independent commentators believe this figure grossly underestimated the damage caused by the virus). After pleading guilty, de Wit was sentenced to 150 hours of community service for computer crime offences. Many thought this sentence unduly lenient but de Wit appealed anyway. His punishment was upheld on appeal.
Last year, 22 year-old Welsh Web designer Simon Vallor admitted creating the Gokar, Redesi and Admirer mass mailers. In January 2003, he was sentenced to two years imprisonment.
The ones that got away...
Dark Avenger, the author of one of the first polymorphic virus (i.e. a virus that changes its characteristics in an attempt to fool AV scanners,) was one of the most prolific virus authors of the late 1980s. However his viruses had no major impact. He was never charged with any criminal offence but frequently commented on the virus writing scene and was largely responsible for earning his home country, Bulgaria, and the wider Balkan region, the reputation as the world centre for virus writing up until the mid 1990s.
The threat of the Code Red IIS infecting worm was arguably overhyped, but after the FBI and Microsoft made the unprecedented step of staging a joint press conference to warn about its spread you might think its author(s) would soon be apprehended. Think again.
Although more prolific than Code Red, Nimda spread by exploiting the same underlying flaw in Microsoft IIS Web Server software to even more devastating effect. Nada on any arrests.
SirCam the bandwidth-hogging, privacy-threatening worm has also failed to generate any arrests.
Slammer, arguably the most destructive worm ever, knocked South Korean ISPs offline and rendered some bank automatic teller machines temporarily inoperable back in January. The worm even took out the PC network of a Ohio nuclear power plant. There's no sign of any progress towards identifying the perpetrators in the release of the worm.
The author of Klez, the most prolific virus of 2002, which remains a nuisance even now, likewise remains at large.
Jeffrey Lee Parsons has been arrested but the authors of the original Blaster worm, which floored home PCs and small business networks last month, remain out of reach of the authorities. Authors of the Blaster 'clean-up' worm, Nachi, which caused almost as many problems as the worm it was meant to eradicate, have also avoided having their collar felt. ®