
Computers Bearing Virus Orders Isolated

FBI, security experts zero in on the source of the malicious program that has triggered widespread problems.

August 23, 2003|Joseph Menn | Times Staff Writer

The FBI and private computer security experts shut down most of the computers that were supposed to give new instructions to a quick-spreading e-mail virus Friday as authorities homed in on its creator.

As many as 19 of the 20 computers had been knocked offline by noon PDT, when hundreds of thousands of personal computers infected by the SoBig.F virus tried to contact them, according to anti-virus firm Symantec Corp., one of several companies that have been assisting the FBI, the Department of Homeland Security and other authorities. The infected PCs were seeking directions to other computers, from which they could have downloaded new and potentially malicious software.

One of the 20 computers that was still online gave the inquiring PCs the Web address for a pornography site, which was not believed capable of delivering any malicious code, said Steve Trilling, senior director of Symantec Research.

Experts said the virus writer probably was using the address as a place holder and planned to post a more dangerous Internet address Sunday or later. The virus has programmed the infected PCs to check in for additional information every Friday and Sunday through Sept. 7.

The experts analyzing the virus were able to decode the numeric Internet addresses for all 20 of the computers, known as servers, as well as the networks they were operating on. They could not glean the physical location or the identity of their owners, however.
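The check-in behaviour described above (infected hosts contacting a fixed list of master servers on Fridays and Sundays from noon PDT, through Sept. 7) is exactly what a network defender would have watched for. The following is an added example, not code from the article or from any of the firms it quotes: it scans constructed firewall log lines for hosts reaching the master servers and marks whether the contact fell inside the scheduled window. The server addresses are RFC 5737 documentation placeholders, not the real 20 servers (the page never lists them), the log lines are made up, and the three-hour window length is an assumption.

```python
"""Added example: flag hosts contacting SoBig.F-style master servers during
the scheduled check-in window (Fridays and Sundays from noon PDT, through
Sept. 7, 2003). Server list and log lines are constructed for illustration."""
from datetime import datetime, date, timedelta, timezone

PDT = timezone(timedelta(hours=-7))        # the article gives the trigger time in PDT
LAST_CHECKIN_DAY = date(2003, 9, 7)        # "every Friday and Sunday through Sept. 7"
WINDOW_HOURS = 3                           # assumption: length of the check-in window

# Placeholder addresses from the RFC 5737 documentation ranges. These are NOT
# the twenty real master servers; the page does not list them.
MASTER_SERVERS = frozenset({"192.0.2.10", "198.51.100.7", "203.0.113.5"})


def in_checkin_window(ts: datetime) -> bool:
    """True if an aware timestamp falls inside a scheduled check-in window."""
    local = ts.astimezone(PDT)
    if local.date() > LAST_CHECKIN_DAY:
        return False
    if local.weekday() not in (4, 6):      # Monday=0, so Friday=4 and Sunday=6
        return False
    return 12 <= local.hour < 12 + WINDOW_HOURS


def parse_line(line: str):
    """Parse 'ISO8601 src=IP dst=IP' into (datetime, src, dst); None on junk."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if ts.tzinfo is None or "src" not in fields or "dst" not in fields:
        return None
    return ts, fields["src"], fields["dst"]


def find_checkins(lines, servers=MASTER_SERVERS):
    """Return {src: {"contacted": set(dst), "scheduled": bool}} for every host
    that reached a master server; 'scheduled' is True if any hit was in-window."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst = rec
        if dst not in servers:
            continue
        entry = hits.setdefault(src, {"contacted": set(), "scheduled": False})
        entry["contacted"].add(dst)
        entry["scheduled"] |= in_checkin_window(ts)
    return hits


# Constructed firewall log. Friday Aug. 22, 2003 19:00 UTC is noon PDT.
SAMPLE_LOG = [
    "2003-08-22T19:00:05Z src=10.0.0.21 dst=192.0.2.10",     # in window, master server
    "2003-08-22T19:01:40Z src=10.0.0.21 dst=198.51.100.7",   # in window, master server
    "2003-08-22T19:02:11Z src=10.0.0.35 dst=93.184.216.34",  # unrelated destination
    "2003-08-21T19:00:00Z src=10.0.0.48 dst=203.0.113.5",    # Thursday: master, off schedule
    "2003-09-12T19:00:00Z src=10.0.0.50 dst=192.0.2.10",     # Friday, but after Sept. 7
    "garbage line",
]

if __name__ == "__main__":
    for src, info in sorted(find_checkins(SAMPLE_LOG).items()):
        state = "scheduled" if info["scheduled"] else "off-schedule"
        print(src, sorted(info["contacted"]), state)
```

Any host that reaches a master server at all is worth isolating; the schedule flag mainly helps triage, since an off-schedule contact (or one after the expiry date) suggests a different sample or a researcher's machine rather than the automated check-in the article describes.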

On another front, the FBI made significant progress in its hunt for the author of the SoBig virus, zeroing in on an Internet service provider in Phoenix.

"It looks like the original variant was posted through us" Monday afternoon, said Michael Minor, chief technology officer of Easynews Inc.

FBI spokesman Paul Bresson said the agency was "aggressively investigating."

Two versions of the virus were initially disguised as porn images that were posted to several Internet communities known as newsgroups, Minor said. Whoever downloaded those pictures was probably among the first to have their computers infected.

In complying with a subpoena from the FBI's Los Angeles field office, Minor said, Easynews turned over the Internet location of the person who posted the program, along with the credit card the person used to open an account minutes before posting the virus.

But Minor said he believed the odds of the FBI getting its man were slim, given that the credit card probably was stolen and the computer the person used was unlikely to be his own. "We haven't seen any mistakes so far from this guy," Minor said.

Meanwhile, SoBig continued to spread around the world Friday, scouring infected machines for e-mail addresses and sending itself to others. Recipients infect their computers when they try to open innocuous-looking attachments. Even those who delete the attachments have been inundated with as many as a thousand e-mails a day as the messages generated by the virus bounce around the Net.

SoBig prompted the shutdown of the U.S. passport agency's computers Thursday and Friday, employees said. Other federal offices had "sporadic problems," said Department of Homeland Security spokeswoman Rachel Sunbarger.

Some companies had to disable their e-mail for hours. Among the firms hurt by SoBig's spread were Starbucks Corp., FedEx Corp. and New York Times Co.

The damage could have been far worse. Security experts feared SoBig would update itself -- with aid from the 20 master computers -- and turn into a generator of junk e-mail, a platform for attacking major Web sites or a program for stealing confidential information.

But since security companies were able to decode the identities of the master computers, "we haven't seen anything crazy," Symantec's Trilling said. Some of the 20 computers were disabled just hours before the trigger time at noon Friday.

The 20th server controlled by the hacker is connected by a cable modem provided by one of the major U.S. Internet services and is probably in a private home, said Bo Sorensen, a vice president at F-Secure Corp., which helped analyze the virus.

Once contacted by the FBI, the networks shut down 19 of the servers. In the case of the 20th, the cable provider might not have been able to pinpoint the right computer, Sorensen said.

It also is possible that federal agents left the last computer alone in case the hacker tries to return to it. "It would seem like a decent way of catching the guy," Sorensen said.

Although SoBig appears to be fizzling, the outlook for the future is not good. The virus is set to expire on Sept. 10, but a new, more powerful version could be released Sept. 11.

Even if that doesn't occur, some experts said they expected a new virus combining the quickness of SoBig with the destructive power of the recent Blaster worm to surface eventually.

"If you take both of those viruses and combine them, then you have something above and beyond a nuisance," Ernst & Young security expert Jose Granado said. "The more people do it, the better they get."
