
On the trail of the ILOVEYOU author

Investigators on the hunt for the ILOVEYOU author believe they are close to nabbing their man. Or is it their woman?
Written by Robert Lemos, Contributor
Digital detectives are closing in on their man. Or is it their woman?

As the computing world recovers from the debilitating effects of the ILOVEYOU virus late last week, investigators in the Philippines seem to have a bead on a woman who they believe could be the author.

Yet even at this late stage of the investigation, some cyber sleuths believe that investigators should turn their attention elsewhere. In this hunt for the perpetrator of the nasty virus that erupted with a vengeance Wednesday night, the portrait of the author has morphed almost as many times as the virus itself.

On Sunday, investigators reportedly believed the writer to be a Philippines-based female student at a local Makati City college, known as the AMA Computer College. Makati City is a suburb of Manila that is home to much of the foreign community residing in the Philippines and boasts a distinctive technological bent.

The evidence being followed by the investigators most likely revolves around six pieces of information included in the ILOVEYOU worm and its downloadable component -- the password-sniffing Trojan, WIN-BUGSFIX.exe:

- the apparent alias of the writer: spyder;

- an e-mail address in the worm: ispyder@mail.com;

- an e-mail address used by the Trojan as a destination for sniffed passwords: mailme@super.net.ph;

- a name: Barok;

- a phrase: 'i hate go to school'; and

- a group's name: GRAMMERSoft.

Spyder is assumed to be the author of the worm. While little is known about him/her, a hacker known as Spyder released a program, named Barok 2.1, on the Net in January. The function of the Barok program resembles the downloadable component of the worm, known as WIN-BUGSFIX.exe. A look at the object code of that component reveals that it contains the phrase:

"barok... i hate to go to school suck - by spyder @Copyright (c) 2000 GRAMMERSoft Group-Manila, Phils"

The same phrase can be found in Barok 2.1 as well. In fact, the WIN-BUGSFIX.exe program and the remote component of Barok 2.1 -- known as the server -- differ by only 4 bytes. That all but proves that the author of Barok 2.1 and the author of the ILOVEYOU virus are one and the same: Spyder.
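The two checks described above, pulling printable strings out of a binary and counting the bytes by which two samples differ, are routine malware-attribution steps. The following Python script is an added example, not code from the article or from any investigator; the two byte strings it compares are constructed stand-ins for the Barok 2.1 server and WIN-BUGSFIX.exe (only the quoted phrase and the mailme@super.net.ph address come from the article, the surrounding bytes are invented so the script runs offline).

```python
import re
from typing import Dict, List, Tuple

# Constructed stand-in samples (NOT the real binaries). The copyright phrase and
# the destination e-mail address are the artifacts quoted in the article; the
# header bytes and the trailing payload bytes are made up so the script runs.
BAROK_21_SERVER = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"barok... i hate to go to school suck - by spyder "
    b"@Copyright (c) 2000 GRAMMERSoft Group-Manila, Phils\x00"
    b"mailme@super.net.ph\x00"
    b"\x01\x02\x03\x04\x05\x06\x07\x08"
)

WIN_BUGSFIX = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"barok... i hate to go to school suck - by spyder "
    b"@Copyright (c) 2000 GRAMMERSoft Group-Manila, Phils\x00"
    b"mailme@super.net.ph\x00"
    b"\x01\x02\x13\x14\x15\x16\x07\x08"  # four bytes differ (constructed)
)

# Indicators an analyst would search for, taken from the article's list.
INDICATORS = ["spyder", "Barok", "GRAMMERSoft", "mailme@super.net.ph", "ispyder@mail.com"]


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return runs of printable ASCII of at least min_len bytes (like `strings`)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def byte_diff(a: bytes, b: bytes) -> List[Tuple[int, int, int]]:
    """List every (offset, byte_in_a, byte_in_b) where the two samples differ.

    Bytes beyond the shorter sample's length are reported with -1 on the
    missing side, so a length mismatch is never silently ignored.
    """
    diffs = []
    for off in range(max(len(a), len(b))):
        ba = a[off] if off < len(a) else -1
        bb = b[off] if off < len(b) else -1
        if ba != bb:
            diffs.append((off, ba, bb))
    return diffs


def shared_strings(a: bytes, b: bytes, min_len: int = 4) -> List[str]:
    """Printable strings present in both samples, sorted for stable output."""
    return sorted(set(extract_strings(a, min_len)) & set(extract_strings(b, min_len)))


def locate_indicators(data: bytes, indicators: List[str]) -> Dict[str, int]:
    """Case-insensitive offset of each indicator in the sample, or -1 if absent."""
    lowered = data.lower()
    return {ind: lowered.find(ind.lower().encode("ascii")) for ind in indicators}


def attribution_report(a: bytes, b: bytes) -> Dict[str, object]:
    """Summarise the evidence linking two samples: shared artifacts and byte delta."""
    diffs = byte_diff(a, b)
    return {
        "shared_strings": shared_strings(a, b),
        "differing_bytes": len(diffs),
        "diff_offsets": [off for off, _, _ in diffs],
        "indicators_in_a": locate_indicators(a, INDICATORS),
        "indicators_in_b": locate_indicators(b, INDICATORS),
    }


if __name__ == "__main__":
    report = attribution_report(BAROK_21_SERVER, WIN_BUGSFIX)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On real samples you would feed the file contents in with `open(path, "rb").read()`; the output is the kind of table an investigator uses to argue that two binaries share an author, but note that embedded strings are trivially planted, which is exactly the "cleverly crafted to throw off investigators" possibility the article raises later.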

Barok 2.1 seems to have been created expressly for the virus. A previous version released in January, Barok 2.0, has a different line within the 'server' code:

"BAROK -- student of amacc mkt. phils - by: spyder @Copyright (c) 2000 GRAMMERSoft Group"

A search of schools in the Philippines turns up the name of the AMA Computer College in Makati City near Manila. That's the school on which investigators have now homed in.

A separate line of inquiry in the Philippines is currently investigating the owners of three e-mail accounts -- ispyder@mail.com, mailme@super.net.ph and spyder@super.net.ph -- and the source of four Web pages.

Access Net Inc., the Internet service provider (ISP) that owns Super.Net, stated on Friday that tracking the user through its servers is difficult, because it provides service through prepaid cards. "Being a free account, the writer(s) obviously capitalized on the anonymity that he/she could maintain," said Jose O. Carlotta, chief operating officer for the Pasig City, Philippines, company, in a Friday e-mail interview.

"We do not require any information from the card buyer to create his/her e-mail account. Future access to the e-mail account (can) be done by access through another card or through another service provider."

Yet, the fact that a prepaid card had to be bought to establish the account ties the virus's author much more strongly to the Philippines. "Our cards are very popular and widely distributed in Metro Manila," said Carlotta.

However, Carlotta added a caveat. "The culprit could have ... hacked the password of this account," he said. "(That's) something he has done with impunity with accounts belonging to other post-paid service providers with whom the needed registration information is more stringent." With records of the phone calls made to access the service, the police believe they have found their man, er, woman.

That's perhaps the biggest twist in the investigation. Historically, women have not been part of the virus exchange, or VX, scene.

In her research on profiling virus writers, IBM researcher Sarah Gordon found hardly any women participating in virus creation or distribution.

"In conversations with dozens of individuals involved in the virus writing culture, we have found only two instances of 'direct' female involvement," she wrote in a 1994 paper that profiled the 'generic' virus writer.

"One was the girlfriend of a virus writer, and one was a woman who was involved with the virus writing group NuKE. However, it is uncertain as to whether or not she ever produced any viruses."

A computer expert in Sweden bet that an 18-year-old German exchange student in Australia was responsible for the virus. But the Australian Federal Police (AFP) said Sunday they had been given no firm evidence to back up the allegation. Fredrik Bjorck, a Stockholm University researcher in data systems, said Saturday that the originator went under the name of "Michael" and had left traces on Internet user groups. The Swedish news agency TT said Bjorck had helped the FBI trace the destructive Melissa computer virus last year.

All in all, the data trail currently being followed by the police could be cleverly crafted to throw off investigators. Yet, that possibility has become more remote as the weight of the evidence builds.

Moreover, despite causing an epidemic and clogging e-mail servers worldwide, the virus writer who created the ILOVEYOU virus is no Brainiac.

It's unlikely that the virus creator had any idea how widely his worm would spread. That makes it more than likely that the information gleaned from the various files is accurate.

Still, the Philippines government is under a great deal of pressure to have the situation resolved.

Because of ILOVEYOU, the nation of islands found itself the focus of world attention at a time when armed militants roam the countryside and it would rather be out of the spotlight. Its current difficulty results from several hostage situations and the maneuverings of a revolutionary organization known as the Moro Islamic Liberation Front.

"If they can keep the focus on the virus and off the hostages, the better it is for their national esteem," said David Kennedy, director of research services for security service provider ICSA.net. "Any arrest they can make, even if it is the wrong guy, will help them." That puts authorities at the National Bureau of Investigations in the hot seat.
