Global hunt to kill off internet virus

Global hunt to kill off internet virus
By Robert Uhlig, Technology Correspondent
(Filed: 23/08/2003)


High-tech security investigators and police were involved in a global race against time last night to find 20 home computers harbouring a program that threatened to cripple the internet.

Experts discovered only in the early hours yesterday that the Sobig.F virus, thought to have infected tens of millions of PCs in the past week, contained an alarming secret.
Hidden in it was an instruction to make contact at 8pm (BST) with 20 home computers that could be anywhere in the world, all with high-speed broadband connections and each hosting an unidentified program.

"The problem is not knowing what that program is," said Carole Theriault, a security consultant at Sophos, an anti-virus company.

"It could mean that a smiley face bounces across your screen or it could be something massive. It is still under the control of the virus writer."

Possibilities included launching another virus or spam attack, collecting sensitive information, or deleting files stored on an infected computer or network.

Some computer experts believe that a large American crime syndicate is behind Sobig.F, using it and the 20 rogue home computers to extract personal information from people, such as their credit card numbers.

Miss Theriault said that even if the mystery program was written as a joke, the sheer volume of internet data converging on the 20 computers could slow the internet to a crawl.

Although most European businesses had closed for the weekend by the time Sobig.F triggered its potentially devastating payload, the time of 8pm was intended to coincide with the regular business afternoon in America. It will be activated again at 8pm tomorrow.

Computer security experts said that almost all the rogue computers had been identified late last night. Nineteen of the 20 had been shut down; the other was still connected to the internet but was not sending out any damaging programmes, a spokesman for Sophos said.

Expert remained on the alert amid concerns about what the virus might do tomorrow night. The spokesman said the original virus writer could target other home computers.

Since Sobig.F surfaced on Monday it has been crippling corporate email networks and filling home users' inboxes with a glut of messages.

The extent of the damage was unknown, but 20 million PCs in China alone were thought to be infected.

AOL, an internet service provider, said it had stopped more than 23 million copies of the virus, while MessageLabs, an email filtering firm, caught more than three million.

Michael Crawford, a security specialist at PA Consulting, said the week's infections could have cost £500 million.

Most companies never admit that they have been infected by a virus, but known victims include the American navy

Sobig.F swept through Iraq yesterday and the United Nations, the Ministry of Defence and several leading news stations said that their systems had been affected.

London was believed to be the worst-hit European city, with BT's broadband service among the victims.

Paul Wood, the chief information analyst at MessageLabs, said: "Sobig-F is unprecedented in our history. We intercepted more than one million infections in the first day alone."

An investigator at the National Hi-Tech Crime Unit said that officials and police in dozens of countries were seeking the perpetrator. "We want to prosecute," he said.

Investigators were piecing together suspect profiles from strings of computer code to try to trace their destination through a maze of internet addresses.

Last year the FBI and British police tracked down a Welsh virus writer, Simon Vallor, after he named his friends and included comments about Wales in the text of his virus, GoKar.

Vallor was sentenced to two years in jail, the longest sentence yet under the Computer Misuse Act 1990, for spreading his virus to 42 countries.

David Perry, of Trend Micro, an anti-virus firm, said the motives of virus writers often included showing off to girlfriends.

SOURCE