
1 Chasing the Bad Guys Jimmy Kuo McAfee Fellow

2 Agenda
The Melissa Case
The Sobig.F Case
The Sasser/Netsky Case
A Police Reserve Specialist

3 Virus Patrol
Checks every USENET posting.
Scans every post that has executable code.
– html
– scripts
– attachments
– About 30 million per month (1 million per day)
Finds thousand malware per month (viruses, trojans, bots, etc.).

4 The Melissa Virus Who Done It? The McAfee Version

5 Virus Patrol
WARNING! A virus has been found in a binary file posted to the following newsgroup(s): alt.sex
Message header follows:
>Message-Id:
>From: (Sky Roket)
>Subject: Passcode List
>Date: 26 Mar :15:53
Dr Solomon's FindVirus/VirusScan report follows:
Dr Solomon's FindVirus IN-HOUSE version. Copyright (c) 1999 Network Associates Inc.
Drivers : 26 Mar 1999
Scanning for viruses, trojans and variants.
list.zip\LIST.DOC... Found the W97M/Melissa virus !!!

6 Sky Roket is Scott Steinmetz
from Lynnwood WA.
born
Male
Married
Hobbies: Historical Gamming, Miniature Gamming, and of coarse computers
Computers: AST Premium
Occupation: Civil engineer
Personal Quote: Be happy in all you do

7 Search for Scott Steinmetz
How Jimmy Kuo spent his Saturday:
Search the internet: Internet white pages (lycos.com, altavista.net, yahoo.com, excite.com)
Only Scott Steinmetz in Washington is in a different part of WA.
Only 2 Steinmetz in Lynnwood, not him.
Contact Seattle Times (Wired magazine also investigating)
Both reporters able to find unlisted telephone number and talk to Mr. Steinmetz.
Both report: “He can’t be the one!”

8 AOL
Scott Steinmetz says his login id was compromised (stolen).
AOL searches for “Who logged into that account and posted to the newsgroup at the time specified?”
Message-Id:
From: (Sky Roket)
Date: 26 Mar :15:53
IP address of user found.
IP belongs to Monmouth ISP.

9 Got Him
Search warrant presented to Monmouth ISP.
IP is issued to dialups.
Phone number which connected to that ISP is located.
FBI and police go to house. No one home.
Neighbors tell of brother. Go to brother’s house.
Arrest David L. Smith.

10 Is He VicodinES?
Melissa is named after a topless dancer from Florida.
Message post by VicodinES:
Re: INDUSTRIAL MUSIC FOR SALE #1 - #4
Author: VicodinES
Date: 1995/04/16
Forum: rec.music.industrial
Anyone interested in buying any of these disks 1st punch yourself in the face for even considering paying those OUTRAGOUS prices 2nd check around - D.U. or I.T. or even Blockbuster could beat these prices - hell I've seen some of those cd's in the used stores for $8.00 and I live in the Bass heavy - Industrial scarce state of Florida!

11 Messages From David Smith and VicodinES
Industrial / Ambient / Techno / Coldwave - CD SALE
Author: d
Date: 1997/07/10
Forum: rec.music.industrial
reply to :
Posted last week - disks that are spoken for were removed and 5 new disks added [list of CDs removed]...all CD's guarentted to work without skipping or your money back!!! Shipping is 0.75 for the first disk and 0.50 for each additional. For example if you buy 4 disks then shipping is Prices for shipping are US only - I will ship overseas but I gotta check prices. I think this is a fair price if you don't then just don't order any disks. peace, d
Cubanate Discography & Comments
Author: VicodinES
Date: 1995/04/01
Forum: rec.music.industrial
[snip] {After the Metal ep is released Cubanate splits (breaks up) into Cubanate and K-Nitrate - each getting 2 members respectively} [snip]...one comment (opinion) - I feel that Cubanate Antimatter [european] was one of the best releases I have ever purchased and I truly feel that if Cubanate had not split up they would have changed the face of Industrial as we know it - but unfortunatly that will never happen because we now have two decent bands instead of one AMAZING band. peace Vic

12 Messages From David Smith and VicodinES
Re: CD-ROM is gone!!!! Virus????
Author: d
Date: 1997/07/10
Forum: alt.comp.virus
I have seen this with AntiCMOS.a in Win95. The virus makes the cd rom drive dissapear. The very suspicious part is that you got a message that your Boot Record has changed. If you didn't install anything that would need to write to your boot sector then I would would say that you need to run a current AV program from a clean boot disk - run one with "heuristics" or deep "scan". I like AVP but you can use whoever you want but do it soon. peace d
Re: Virus writer makes movies!
Author: VicodinES
Date: 1998/05/23
Forum: alt.comp.virus
Wow Mark!! Did you not read anything MrSandman said? He doesn't even spread his viruses. Not ONE single virus written by him has EVER been in the wild and you take it upon yourself to "out" him. Maybe he didn't want you to do that - it is LEGAL to write viruses and publish information in his country and so he never crossed the line, unlike you! So now if MrSandman loses business and receives government interference in his life you'll be ok with that? I feel sickened. As always Spanska I agree with you, they just can't except the fact that not all Vx are a bunch of immature children. We enjoy good conversation on this subject but not unfair practices of those overzealous internet wanna-be rent-a-cops! I can't believe some honest discussion with someone who has committed no crime has turned into Marks personal witch hunt. I hope you sleep well tonight Mark. Was it the fact that you were jealous of him and his nice lifestyle? I simply don't understand. peace, VicodinES

13 Messages From VicodinES
Re: VIRUS ALERT! (W97M/AntiSR1.intd) (oops...)
Author: VicodinES
Date: 1998/02/13
Forum: alt.comp.virus
Ok I would like to retract my last post and apologize to the Dr Solomon Virus Patrol. There was an error in that one - I do appreciate you pointing that out to me :) anyway it's now fixed - but you get the idea that SR-1 can be bypassed. Also I'm not going to post the fixed version (I'll just mail it in to some AV's, ok Ståle?). Was everyone else aware of the changes that Microsoft implemented with the SR-1 patch? Did Microsoft send a press release to the any AV companies? Just wondering. peace Vic
Re: Narkotic Virus/Help!!!
Author: VicodinES
Date: 1998/02/05
Forum: alt.comp.virus
It's W97M/Cartman.... and I know all the majors have id'ed it. AVP, McAfee, F-Prot and so on. Update your dat files and / or download a trial version from an up to date AV company and they will remove it. see : peace Vic

14 Aftermath
He is/was VicodinES. Plead guilty.
– Guilty: Statutes: N.J.S.A. 2C:20-25(a) and 2C:20-26(a); 18 U.S.C. Sections 1030(a)(5)(A) and 2
20-month sentence, federal and state; concurrent.
$5000 Federal fine, $2500 state.
Cooperated with FBI in surveillance of virus writers.

15 Postscript: David L. Smith
Released Dec. 10, 2003
– 20 month sentence. (May, 2002)
Resentenced to 4 years, balance suspended. Original sentence was 10 years.
To remain under federal supervision.
No access to computer or computer network unless approved by his probation officer.
Must perform community service (unspecified).

16 The Sobig.F Case

17 Top viruses by month
January 2003: Klez.H: , (3) Sobig.A:
February 2003: Klez.H: , (4) Sobig.A:
March 2003: Klez.H: , (3) Sobig.A:
April 2003: Klez.H: , (2) Sobig.A:
May 2003: Yaha.E: , (2) Sobig.B:
June 2003: Bugbear: , (4) Sobig.C: , (5) .E: , (6) .A:
July 2003: Yaha.E: , (3) Sobig.E: , (5) .A:
August 2003: Sobig.F: 12,501,932 (13 days)
September 2003: Sobig.F: 19,175,210 (10 days, +), (2) Swen.A: 1,748,562
October 2003: Swen.A: 1,833,148, (2) Sobig.F:
November 2003: Swen.A: , (3) Sobig.F:
December 2003: Dumaru.A: , (3) Sobig.F:
January 2004: MyDoom.A: 19,768,533 (6 days), (4) Sobig.F:
February 2004: MyDoom.A: 39,302,679 (11 days), (3) Sobig.F:
Ref:

18 The earlier variants
Sobig.A January 9, 2003
Sobig.B May 18, 2003
Sobig.C May 31, 2003
Sobig.D June 18, 2003
Sobig.E June 25, 2003
Sobig.F August 18, 2003

19 Sobig.A January 9, 2003
WARNING! A trojan has been found in an article posted to the following newsgroup(s): alt.binaries.pictures.comics, alt.binaries.amp, alt.binaries.bruce-lloyd, alt.binaries.nospam.teenfem.no-rules, alt.binaries.pictures.chimera, alt.binaries.pictures.erotica
>Message-Id:
>From: "Sanny"
>Subject: The best!!! Magda_00374.mpeg
>Date: 09 Jan :58:14 GMT
Magda_00374.mpeg.pif... Found the MultiDropper-FB trojan !!!
Sobig.B May 18, 2003
WARNING! A trojan has been found in an article posted to the following newsgroup(s): alt.binaries.pictures.comics, alt.binaries.models, alt.binaries.nospam.teenfem.no-rules, alt.binaries.pictures.erotica.amateur.female, alt.binaries.pictures.erotica.black.females, alt.binaries.pictures.erotica.gaymen
>Message-Id:
>From: "Opare"
>Subject: Cute! Whos got more? Kate_DCP-0765.jpeg
>Date: 16 May :37:17 GMT
Kate_DCP-0765.jpeg.pif... Found the MultiDropper-FB trojan !!!

20 Sobig.C May 31, 2003
WARNING! A trojan has been found in an article posted to the following newsgroup(s): alt.binaries.pictures.suze.repost, alt.binaries.erotic.senior-citizens, alt.binaries.full.post.verified.playboy, alt.binaries.pictures.erotica.black.females, alt.binaries.pictures.erotica.gaymen, alt.binaries.sounds.mp3.holland
>Message-Id:
>From: Bessy
>Subject: Who's got more? DCP_4564.jpeg - DCP_4564.jpeg.pif [1/1]
>Date: 31 May :53:39 GMT
DCP_4564.jpeg.pif... Found the MultiDropper-FB trojan !!!
Sobig.D June 18, 2003
WARNING! A trojan has been found in an article posted to the following newsgroup(s): alt.binaries.pictures.diva, alt.binaries.boneless, alt.binaries.nl, alt.binaries.pictures.bluebird.reposts, alt.binaries.pictures.erotica
>Message-Id:
>From: osara
>Subject: Who's got more? - DSC jpeg
>Date: 17 Jun :33:08 GMT
DSC jpeg.pif... Found the MultiDropper-FB trojan !!!

21 Sobig.E June 25, 2003
WARNING! A trojan has been found in an article posted to the following newsgroup(s): alt.binaries.sounds.mp3.complete_cd
>Message-Id:
>From: Cousy
>Subject: Have you seen this one before? PC jpeg
>Date: 25 Jun :51:39 GMT
PC jpeg.scr... Found the MultiDropper-FB trojan !!!
Sobig.F August 18, 2003

22 What we got!
WARNING! A trojan has been found in an article posted to the following newsgroup(s): alt.binaries.amp, alt.binaries.pictures.chimera, alt.binaries.pictures.erotica, alt.binaries.pictures.erotica.amateur.female
Message header follows:
>Message-Id:
>From: Misiko
>Subject: Nice, who has more of it? DSC jpeg
>Date: 18 Aug :46:19 GMT
DSC jpeg.pif... Found the MultiDropper-FB trojan !!!

23 Others
WARNING! A trojan has been found in an article posted to the following newsgroup(s): alt.binaries.full.post.verified.playboy, alt.binaries.nospam.teenfem.nonude, alt.binaries.pictures.bluebird.reposts, alt.binaries.pictures.erotica.amateur, alt.binaries.pictures.erotica.amateur.females, alt.binaries.pictures.erotica.amateurs
Message header follows:
>Message-Id:
>From: Misiko
>Subject: Great, who's got more?? DSC jpeg
>Date: 18 Aug :55:13 GMT
DSC jpeg.pif... Found the MultiDropper-FB trojan !!!

24 3 in total
WARNING! A trojan has been found in an article posted to the following newsgroup(s): dk.binaer.erotik, alt.binaries.pictures.comics
Message header follows:
>Message-Id:
>From: Misiko
>Subject: Great, who's got any more? DSC jpeg
>Date: 18 Aug :57:11 GMT
DSC jpeg.scr... Found the MultiDropper-FB trojan !!!

25 What we got!
WARNING! A trojan has been found in an article posted to the following newsgroup(s): alt.binaries.amp, alt.binaries.pictures.chimera, alt.binaries.pictures.erotica, alt.binaries.pictures.erotica.amateur.female
Message header follows:
>Message-Id:
>From: Misiko
>Subject: Nice, who has more of it? DSC jpeg
>Date: 18 Aug :46:19 GMT
DSC jpeg.pif... Found the MultiDropper-FB trojan !!!

26 MultiDropper-FB
Dropper stub in front of Sobig.F virus!
Not natural from virus!
Had to be from virus release!!!
Package it up and call FBI!
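Slides 22 to 26 turn on one observation in a day's worth of Virus Patrol output: three postings from the same poster carrying the same MultiDropper-FB detection, minutes apart, in unrelated newsgroups, and that is what gets packaged up for the FBI call. The Python below is an added example, not code from the presentation or from McAfee's Virus Patrol; it parses reports in the layout the slides reproduce (the same layout as slides 5 and 19 to 21) and groups them into bursts by poster and detection name. The report text, poster addresses, Message-Ids, file numbers and the hour in each timestamp are constructed, since the transcript elides them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input in the Virus Patrol report layout reproduced on the
# slides. Addresses, Message-Ids, file numbers and hours are made up.
SAMPLE_REPORTS = """\
WARNING! A trojan has been found in an article posted to the following newsgroup(s): alt.binaries.amp, alt.binaries.pictures.chimera
Message header follows:
>Message-Id: <r1@news.example.invalid>
>From: Misiko <misiko@example.invalid>
>Subject: Nice, who has more of it? DSC_0001.jpeg
>Date: 18 Aug 2003 16:46:19 GMT
DSC_0001.jpeg.pif... Found the MultiDropper-FB trojan !!!
WARNING! A trojan has been found in an article posted to the following newsgroup(s): alt.binaries.pictures.erotica.amateur
Message header follows:
>Message-Id: <r2@news.example.invalid>
>From: Misiko <misiko@example.invalid>
>Subject: Great, who's got more?? DSC_0002.jpeg
>Date: 18 Aug 2003 16:55:13 GMT
DSC_0002.jpeg.pif... Found the MultiDropper-FB trojan !!!
WARNING! A trojan has been found in an article posted to the following newsgroup(s): dk.binaer.erotik, alt.binaries.pictures.comics
Message header follows:
>Message-Id: <r3@news.example.invalid>
>From: Misiko <misiko@example.invalid>
>Subject: Great, who's got any more? DSC_0003.jpeg
>Date: 18 Aug 2003 16:57:11 GMT
DSC_0003.jpeg.scr... Found the MultiDropper-FB trojan !!!
WARNING! A virus has been found in a binary file posted to the following newsgroup(s): alt.comp.virus
Message header follows:
>Message-Id: <r4@news.example.invalid>
>From: someone <someone@example.invalid>
>Subject: old sample
>Date: 18 Aug 2003 09:02:00 GMT
archive.zip\\SAMPLE.DOC... Found the W97M/Melissa virus !!!
"""

GROUPS_RE = re.compile(r"newsgroup\(s\):\s*(.*?)\s*$", re.M)
HEADER_RE = re.compile(r"^>([\w-]+):\s*(.*)$", re.M)
RESULT_RE = re.compile(r"^(?P<file>\S.*?)\.\.\. Found the (?P<name>.+?) (?:virus|trojan) !!!$", re.M)


def parse_date(value):
    """Virus Patrol dates look like '18 Aug 2003 16:46:19 GMT'; None if unparseable."""
    try:
        return datetime.strptime(value, "%d %b %Y %H:%M:%S GMT")
    except ValueError:
        return None


def parse_reports(text):
    """Split a Virus Patrol mail into one dict per WARNING! block."""
    reports = []
    for chunk in re.split(r"(?m)^(?=WARNING!)", text):
        groups = GROUPS_RE.search(chunk)
        result = RESULT_RE.search(chunk)
        if not (groups and result):
            continue  # not a complete report block
        headers = {k.lower(): v for k, v in HEADER_RE.findall(chunk)}
        reports.append({
            "newsgroups": [g.strip() for g in groups.group(1).split(",")],
            "from": headers.get("from", ""),
            "subject": headers.get("subject", ""),
            "date": parse_date(headers.get("date", "")),
            "file": result.group("file"),
            "detection": result.group("name"),
        })
    return reports


def find_bursts(reports, window=timedelta(hours=1), minimum=2):
    """Group reports by (poster, detection); at least `minimum` posts whose first
    and last fall within `window` is a seeding burst worth escalating."""
    by_key = defaultdict(list)
    for r in reports:
        if r["date"] is not None:
            by_key[(r["from"], r["detection"])].append(r)
    bursts = []
    for (poster, detection), items in by_key.items():
        items.sort(key=lambda r: r["date"])
        span = items[-1]["date"] - items[0]["date"]
        if len(items) >= minimum and span <= window:
            bursts.append({
                "from": poster,
                "detection": detection,
                "count": len(items),
                "span_minutes": span.total_seconds() / 60,
                "newsgroups": sorted({g for r in items for g in r["newsgroups"]}),
                "files": [r["file"] for r in items],
            })
    return bursts


if __name__ == "__main__":
    for b in find_bursts(parse_reports(SAMPLE_REPORTS)):
        print(f"{b['count']} posts of {b['detection']} by {b['from']} within "
              f"{b['span_minutes']:.1f} min across {len(b['newsgroups'])} groups: {b['files']}")
```

A single hit in a binaries group is noise; the same poster seeding the same dropper into several groups inside ten minutes is the signal the slides describe, and it is a cheap query to run over a day's output. `window` and `minimum` are tuning knobs for the volume you see.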

27 Next steps
Call FBI contact
Send set of Aug 18 Virus Patrol messages
Discuss with another FBI agent
FBI obtains Grand Jury subpoena for EasyNews.com servers

28 Findings - As reported by Michael Minor
Account was opened using stolen credit card
Account was opened minutes before virus was released
Account traced to computer in BC, Canada. [Burnaby, outside Vancouver]
Machine was previously infected and commandeered

29 Continuing Investigation

30 Netsky vs. Bagle and Sasser

31 Mydoom
Mydoom.A January 26, 2004
Mydoom.B January 28, 2004
Mydoom.C Skipped (someone outside of AV industry used it for Doomjuice.A, February 9, 2004)
Mydoom.D February 12, 2004
Mydoom.E February 13, 2004
Mydoom.F February 19, 2004
Mydoom.G March 2, 2004
Mydoom.H March 3, 2004

32
Bagle: .A 1/18/04, .B 2/17/04, .C 2/27/04
Netsky: .A 2/16/04, .B 2/18/04, .C 2/25/04
Mydoom: .A 1/26/04, .B 1/28/04, .D 2/12/04, .E 2/13/04, .F 2/19/04
Most viral s ever
Same author
Calls Mydoom.F a thief of ideas
Announces self as Skynet.cz
Source code distributed, now different authors
“Skynet, not Netsky”

33
Bagle: .D 2/28/04, .E 2/28/04, .F 2/29/04, .G 2/29/04, .H 3/1/04, .I 3/2/04, .J 3/2/04, .K 3/3/04
Netsky: .D 3/1/04, .E 3/1/04, .F 3/3/04, .G 3/4/04, .H 3/5/04
Mydoom: .G 3/2/04, .H 3/3/04
Reiterates Skynet.cz
“Hey,Netsky, fuck off you bitch, don’t ruine our bussiness, wanna start a war?”
Introduces passworded ZIP files

34
Bagle: .L 3/9/04, .M 3/11/04, .N 3/13/04, .O 3/15/04, .P 3/15/04
Netsky: .I 3/7/04, .J 3/8/04, .K 3/8/04, .L 3/10/04, .M 3/11/04, .N 3/15/04, .O 3/17/04
Mentions texas and “last one”
Hand off of source to another set of programmers
Mentions Fanaticon.
ZIP password now given via an image file
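Two gateway-evasion moves run through the Sobig and Bagle slides: the lure file name (an image-looking name with .pif or .scr behind it, as in every Virus Patrol hit above), and Bagle's passworded ZIP, with the password later moved into an image so a filter could not read it out of the mail body. A gateway cannot open such an archive, but it can see that the archive is encrypted: general-purpose flag bit 0 in the ZIP headers. The Python below is an added example, not code from the presentation or from McAfee; it applies both checks to an attachment and to the members of a ZIP. The fixtures are constructed, and mark_encrypted only sets that flag bit on an ordinary archive to simulate an encrypted one for the header check; it performs no encryption.

```python
import io
import struct
import zipfile

# Extensions Windows will run, and the decoy media/document extensions the
# postings hid them behind ("....jpeg.pif", "....mpeg.pif", "....jpeg.scr").
EXECUTABLE_EXT = {"pif", "scr", "exe", "com", "bat", "cmd", "vbs", "js", "shs"}
DECOY_EXT = {"jpeg", "jpg", "gif", "mpeg", "mpg", "mp3", "doc", "txt"}
ZIP_ENCRYPTED_FLAG = 0x0001  # general-purpose flag bit 0 in local and central headers


def extension(name):
    return name.lower().rsplit(".", 1)[-1] if "." in name else ""


def double_extension(name):
    """True for names like DSC_0001.jpeg.pif: an executable extension behind a decoy one."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] in EXECUTABLE_EXT and parts[1] in DECOY_EXT


def zip_has_encrypted_entries(data):
    """Read the central directory only; an entry with flag bit 0 set is encrypted
    and cannot be scanned at the gateway, wherever the password was delivered."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(info.flag_bits & ZIP_ENCRYPTED_FLAG for info in zf.infolist())


def classify_attachment(name, data=b""):
    """Return the policy reasons to quarantine an attachment; [] means no finding."""
    reasons = []
    if double_extension(name):
        reasons.append("executable hidden behind media extension")
    elif extension(name) in EXECUTABLE_EXT:
        reasons.append("executable attachment")
    if extension(name) == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                infos = zf.infolist()
        except zipfile.BadZipFile:
            return reasons + ["unparseable zip"]
        if any(i.flag_bits & ZIP_ENCRYPTED_FLAG for i in infos):
            reasons.append("encrypted zip: cannot be scanned at the gateway")
        for i in infos:
            if double_extension(i.filename) or extension(i.filename) in EXECUTABLE_EXT:
                reasons.append(f"executable inside zip: {i.filename}")
    return reasons


# Constructed fixtures: a plain archive, and the same kind of archive with the
# encryption flag set in every header (no real encryption; the header check
# above is all a gateway can do before it has a password).
def build_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for member, content in entries.items():
            zf.writestr(member, content)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    data = bytearray(zip_bytes)
    # local file header: flags at offset 6; central directory header: flags at offset 8
    for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(signature)
        while pos != -1:
            flags = struct.unpack_from("<H", data, pos + offset)[0]
            struct.pack_into("<H", data, pos + offset, flags | ZIP_ENCRYPTED_FLAG)
            pos = data.find(signature, pos + 4)
    return bytes(data)


if __name__ == "__main__":
    plain = build_zip({"photo.jpeg.scr": b"MZ constructed stub"})
    locked = mark_encrypted(build_zip({"invoice.doc": b"constructed content"}))
    for name, data in [("DSC_0001.jpeg.pif", b""), ("pics.zip", plain),
                       ("docs.zip", locked), ("holiday.jpeg", b"")]:
        print(name, classify_attachment(name, data) or "clean")
```

The point of the encryption check is that the gateway does not need the password, and should not go looking for it in the body or in an attached image: an archive it cannot scan is enough reason to hold the mail.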

35
Bagle: .Q 3/18/04, .R 3/18/04, .S 3/18/04, .T 3/18/04, .U 3/26/04, .V 3/29/04, .W 4/5/04, .X 4/8/04
Netsky: .P 3/21/04, .Q 3/28/04, .R 3/31/04, .S 4/5/04, .T 4/6/04, .U 4/7/04
Mentions Russia; no backdoors
Mentions Bruce Schneider, cz, and Russia
Inserts backdoor
Uses 590 internet infected machines to infect through

36
Bagle: .Y 4/26/04, .Z, .AA
Netsky: .V 4/14/04, .W 4/16/04, .X 4/21/04, .Y, .Z, .AA 4/26/04, .AB 4/28/04, .AC 5/2/04
Sasser: .A 4/30/04, .B 5/1/04, .C 5/2/04, .D 5/3/04
From NetDy: Hey Bagle whats up ?
Hey Bagle, feel our revenge! … our new AntiHacker Engine
… we have programmed the sasser virus SKYNETAVE.EXE

37
Bagle: .AB 5/6/04
Netsky: .AD 5/19/04
Sasser: .E 5/8/04, .F 5/11/04
5/8/04 – Sven Jaschan arrested for Sasser
5/8/04 – 21 year-old and others arrested for Agobot
5/11/04 – 5 more arrests for Sasser, 1 admits to distribution
9/10/04 – Sven Jaschan indicted: Computer Sabotage, $157,000 damage.

38 Sven Jaschan
Confiscated source code reveals he authored Sasser.A through .E. (.F is repackaged .A.)
Source code shows he made use of much downloaded source code.
Netsky source code also confiscated.
Turned 18 during Sasser incidents. To be prosecuted as a young adult.

39 Continuing Prosecution

40 More Arrests in Lower Saxony
Sept. 4, 2004 – Teenager arrested for domain hijack of eBay.de

41 Virus Patrol update

42 Dmitry Gryaznov continues work
IRC Patrol
Network: DALnet
Channel: #sayangabang
Server: mesra.kl.my.dal.net
User:
DCC_Send: C:\WINDOWS\LIFE_STAGES.TXT.SHS :2538
File: DCC\ dcc
Size:
DCC\ dcc... Found the IRC/Stages.worm virus !!!

43 Dmitry Gryaznov continues work
P2P Patrol
Network: Gnutella
URL: Spears I love rock and roll.mp3.vbs
AlsoSeenAt:
File: PUSH8\Instrume.vbs
Size:
PUSH8\Instrume.vbs... Found the virus !!!

44 More P2P Patrol outputs
Network: Gnutella
URL: Internet Security 2003 Professional.exe
File: PUSH08\Norton_I.exe
Size:
PUSH08\Norton_I.exe... Found the W32/Ronoper.worm.u virus !!!

45 Police Reserve Specialist

46 Hillsboro, Oregon Police Department
“Through use of specialized reserve volunteers, to augment, broaden, and increase, the effectiveness of HPD in its mission to protect the community”
Training on Legal Procedures, and General Orientation to Enforcement and Investigations
Limited Duty (not gun-carrying)
To be utilized when and where specialized skills are needed
Works directly with or under the direction of law enforcement.

47 PRS Involvement
Computer Forensics
Computer/Information Security
Network & Systems Analysis
Intellectual Property Investigations
ID Theft & Fraud Investigations
Spin-off projects for the Community

48 Identity Theft

49 Phishing Scams
Send to:
Contact:

50 Questions?

