FBI tracks down virus creators
August 28, 2003
The FBI is "confident" that it will arrest those persons who are responsible for creating and spreading the Blaster (MSBlast/Lovesan) worm and the Sobig.F virus, the bureau's spokesman said.
Companies and home computer users have had to deal with the MSBlast worm--also known as W32/Blaster and W32.Lovsan--which began spreading Aug. 11; the Welchia worm that attempted to patch the hole exploited by the MSBlast worm; and the Sobig.F worm, which spread rapidly through e-mail attachments opened by unwary victims.
"We are working with the Department of Homeland Security and with state and local law enforcement on our Cyber Task Forces to track down the perpetrators of Sobig and the recent W32/Blaster worm," FBI Director Robert Mueller said in a statement. "We employ the latest technology and code analysis to direct us to potential sources, and I am confident that we will find the culprits."
The agency has caught only a few alleged virus creators, usually because the suspects left a digital trail back to their PCs or talked about the virus infection after the fact. David L. Smith, the programmer who wrote the Melissa worm, was caught because he released the virus using a stolen America Online account that he connected to from his home machine. The writer of the Anna Kournikova virus admitted to releasing that program after creating it with a point-and-click toolkit.
The FBI asked that anyone with any suspicions about the origins of Sobig or the Blaster worm contact the bureau immediately.
Sobig.F has spread aggressively, sending far more e-mails with copies of the virus than any such worm to date. The latest Sobig virus uses an e-mail address other than the victim's as the apparent source of the e-mail messages that it sends to spread itself. Many antivirus systems send alerts to the apparent senders of infected messages, informing them that they are infected, even when the malicious program is known to forge the source's e-mail address. The result is more clogged in-boxes and more disorder, as users have to deal with additional messages that accuse them of being infected.
Most users of personal firewalls were well protected against these worms. Products such as ZoneAlarm Pro and Outpost Firewall Pro block the e-mail attachments used by the Sobig.F worm, preventing a victim from accidentally executing it. The same can be said of the Blaster worm, which cannot exploit the Remote Procedure Call flaw because most personal firewalls block the hacking attempt or notify the user about it.
Meanwhile, many security experts believe a new version of the Sobig.F e-mail virus could arrive any day, even before the latest variant is timed to expire on Sept. 10.