Police Futurists International
 
Got a Virus? Don’t Call a Doctor, Call a Cop  

 

 

 

A virus or a worm?
Officers serving in local jurisdictions must know the difference
By: Cmdr. Dave Pettinari
Pueblo County Sheriff's Office

A virus?
A worm?
A Trojan horse?
A hacker tool?
A distributed denial of service attack?

What is it that we are confronted with in this investigation?

As a local or state peace officer, do we really need to be concerned with these details? Don’t the feds handle all criminal hacker forays and Internet attacks?

Not really. Most investigations of this type will either be handled at the local level, or no one will work them. Federal authorities have their hands full with digital investigations with much more at stake, such as national security issues, international terrorism, and protection of critical infrastructure.

This perspective – that local law enforcement must ratchet up to competently handle digital investigations – became quite clear to me when I was asked to investigate and later testify in the first hacking trial in Pueblo, where I serve in a medium-sized sheriff’s office. Prior to my involvement, the newspaper headlines screamed, “Virus attack at the Pueblo library.” A 16-year-old was arrested by Pueblo police as he sat at a library computer after the library’s network alerted on files he had downloaded to a floppy disk.

When I came to court to testify, the judge, prosecutor and defense attorney all were talking in terms of this being a “virus case.” My testimony was that I didn’t see a virus anywhere near the case. What had occurred is that the young man was downloading some fairly potent but relatively unsophisticated hacker tools from the “Hackers Encyclopedia” CD-ROM to floppy disks when the library network system spotted a WinNuke (denial of service) program on the floppy disk.

Also on the floppy were tools a hacker could use to scan a network or the Internet looking for vulnerable systems to penetrate, password-defeating tools, keystroke loggers and the like. The investigative theory was that he was trying to “recon” the library system to find a way to latch onto these resources so that he could indulge himself in his hobby, phone phreaking, or using another’s telecommunications assets to make free phone calls to hopscotch around the world getting into other people’s forbidden computer systems.

A virus is computer code with a mission (delete files, corrupt data, send data) that is propagated with a triggering mechanism (a certain event, such as turning a computer on or firing up a browser, that will awaken the virus; or a certain time that will activate it). A criminal might use a virus to damage data or cause panic among targeted computer users who depend on data in that system.

A worm acts like a virus in that it uses network connections, such as a Local Area Network (LAN) and the Internet, to replicate itself from computer to computer on the network. It differs from generic viruses in that it is a self-contained program that does not need to attach itself to another application or file as viruses do. Worms spread from host to host over a network, consuming resources and often culminating in a denial of service for network users. A criminal might use a worm to take down a certain local area network, or, as has been tried in the past, in an attempt to bring the entire Internet to its knees.

A Trojan horse is NOT a virus, but a remote administration tool if used without criminal purpose. But if used with intent to deceive, the Trojan is generally disguised as a benign utility, helpful program, or cute screensaver or joke. Trojans cannot replicate themselves, but are often installed on a system because they were payloads delivered by true viruses. Covertly installed Trojan horse programs allow hackers to monitor everything going on in your computer, and even take control of the system from a remote location. Back Orifice and Netbus are two examples of Trojan horse programs. A criminal might use a Trojan horse as a remote access tool on an executive’s personal computer to extort money from the company.

A denial of service attack is a hacker’s means for using several thousand other computers (called slaves or zombies) to simultaneously send data or e-mail to servers or people’s individual computers to bog them down and bring them to a screeching halt. They are also employed to flood web sites with data requests that outstrip their capacity to deal with the requests. Yahoo, eBay, and Amazon.com were attacked in this fashion. A DoS program often gets a toehold in an innocent computer user’s system because the hacker-perpetrators use a Trojan horse to access the innocent user’s system, then employ that computer and thousands of others to launch the attack. Would-be intruders do not have to learn technical aspects of Windows vulnerabilities or TCP/IP security flaws. With no training or complex software techniques to learn, the hacker can steal his way into some business or university computer system and launch a massive denial-of-service attack. A criminal might use a denial of service attack to deny other people use of their computers, or to blackmail the threatened party into paying money to be left alone.

To further complicate things, there are now newer hacking programs that combine the characteristics of the virus, the Trojan horse and the worm, making them even more sinister and effective.

Trojans are swept out and kept out of networks by properly configured firewalls, and, if antiviral software fails to detect them, eliminated by programs such as Trojan Remover. They are also prevented by regularly downloading security patches, and by being careful when downloading files and opening attachments from unknown people.

An investigator not knowing the difference between a virus, worm or hacker tool can be compared to an officer who mixes up the elements of burglary and robbery. Without being able to articulate the difference, the investigator working on the cybercrime case could file the wrong charges against the cybercriminal, or, worse yet, work diligently on a case that will never stand up in court.

Knowing what you are up against is half the battle in getting a toehold in digital investigations. Here are some things to consider if, indeed, the case you investigate really does involve a virus, and not one of these other tools of the digital criminal.

Investigating true virus cases

How often will you encounter a virus case? While a large percentage of reported cybercrimes are frauds, thefts and cases of unauthorized access, the most frequently reported cybercrime is child pornography. Next in order of frequency of reporting are hacker intrusions, which often involve attempts to plant Trojan horses or introduce viruses.

Your first investigative step is to make sure it is a virus and not one of the other threats mentioned above. Again, viruses, often self-replicating, are malicious program segments that attach themselves to an application program or other executable system component and leave no obvious signs of their presence. Viruses not only can destroy files, but cause systems to crash, or damage data on hard drives to the extent that no one can use the computer.

Computer viruses can be compared to biological viruses. Not strictly alive in their own right, they need a living host in order to operate. Biological viruses infect healthy living cells and cause them to replicate the virus. In this way, the virus spreads to other cells. In a computer, a virus is a program that modifies other programs so they replicate the virus.

Viruses are mainly a problem with IBM-compatible personal computers and Macintoshes. Virus infection is fortunately hard to accomplish on UNIX systems and mainframes. Viruses don't infect networks in the way worms do. However, if a virus infects a program that is copied to a disk and transferred to another computer, it could also infect programs on that computer. This is how a computer virus spreads.

To detect and prevent these problems, we use software programs called virus scanners (or anti-virus software) such as McAfee Antivirus (Network Associates) and Norton Antivirus (Symantec) to search out, locate, and remove or isolate a virus.

What will I charge the suspect with?

Though it is technically legal to write a virus, distributing one can be illegal if it causes damage, such as destroying property or preventing people from using their computers (denial of service). Most state computer crime statutes have some catch-all language that will get you in the ballpark, such as intruding into another’s computer system without permission with the intent to “use, alter or destroy” information on that system.

Where can the victim report a digital crime?

They can report any infection that has a potential criminal intent to a law enforcement high-tech crimes unit in the city or county where they live, or contact the local FBI office.

Types of viruses

File infector or program virus – This variety acts directly on executable files, generally inserting its code at the beginning of the file. Each time the infected program executes, the virus code places a copy of itself in another executable file. This results in a large number of files being infected system-wide. The virus is also written with a certain payload that describes the damage the virus was written to cause – display a message, delete files, format the hard drive, or disable an operating system or program. Once the virus has replicated itself into several different files, it is ready to release its payload.

Boot sector infector – Infects the hard drive's master boot record, which means it will continue to infect any floppy disk that is placed in this computer.

Stealth virus – A virus that can hide from detection. While very hard to detect, several common ones are detectable by most effective virus scanners.

Polymorphic virus – Able to evade detection by changing or "morphing" itself into what appears to be a different virus.

Macro virus – A macro is a set of instructions (“applets”) that a program can use repeatedly to automate performing some task or sequence of events. Microsoft’s Word and Excel use them extensively, so they are the most often infected programs. The macro virus infects a common template in these programs so that every new document or spreadsheet created -- and every older file opened with the program -- is also infected with the macro virus.

Common viruses you may have heard of:

Viruses come in literally thousands of varieties, with new and more sinister strains continually being invented as previous releases are countered by antivirus companies. Here are a few that cause or continue to cause major mayhem:

Chernobyl – Appearing in April 1999 on the anniversary of the Chernobyl nuclear disaster, it destroyed software-sensitive chips in thousands of computers running Windows.

Happy99 – Sported the infamous happy-face attachment.

Klez – An Outlook or Outlook Express e-mail worm that spread throughout the Internet in 2001 and 2002.

Love Bug – Appearing in May 2000, this virus, a variation of Melissa, spread faster and did more damage than any bug before it.

Melissa – A nasty pest of a worm that finds a person’s address book in their Outlook or Outlook Express e-mail program, snags 50 names, and e-mails them a tantalizing message. The subject line of the e-mail reads: “Important Message From (you, a name your 50 address book friends already know). Here is the document you asked for…Don’t show anyone else." It then displayed a file of porno web sites.

Michelangelo – Overwrites all data on the hard disk with random characters, making retrieval of data impossible. This virus, which erases hard drives, was triggered when the computer’s internal clock reached March 6 in any given year, the anniversary of Michelangelo’s birth.

Morris Worm – Reproduced wildly and choked traffic on the Pentagon’s Arpanet in 1988.

Three Tunes – Plays three German folk tunes when launched. Not particularly threatening unless you are one who detests German folk music!

Remote Explorer (RICHS) – Selects files, compresses and/or encrypts them, making them unusable.

Wazzu – Its creator designed it to insert the word “Wazzu” randomly into text documents.

W97m macro – Still around and still infecting lots of computers, this virus latches onto the user name in the computer and repeats an insulting message with the user's name attached every time it enters a new user's computer.

What do viruses do to a computer?

Once a virus has burrowed into a system, the most common impact is loss of productivity. People simply can't access their data; they can't pull up files. The computer locks up, corrupted files can't be opened, the user can’t get to the computer while the virus scanner is cleaning up, or, worse yet, the dreaded “Blue Screen of Death” sets in.

What will this particular virus do?

If you suspect your computer or your victim’s computer might have a virus, how do you find out for sure? One good way is to have your virus scanner read it and tell you what it is. Norton Antivirus takes the additional precaution of quarantining viruses and letting you decide what to do with them.

How would you know if an attacker actually succeeded in placing the virus on the victim's system?

You would see some telltale traces of it in the System folder (c:\WINDOWS\SYSTEM). If it were, say, the Happy99 virus, you would spot the file wsock32.dll in the System folder. Both Norton Antivirus and McAfee Antivirus have detailed explanations at their web sites on what the thousands of different viruses do, how to detect them, and how to neutralize them.

Where to research particular viruses and other Internet threats:

Norton Antivirus (Symantec) and McAfee Antivirus (Network Associates Inc.)
http://www.symantec.com/nav/index.html, or
http://www.nai.com

Computer Emergency Response Team at Carnegie Mellon University
http://www.cert.org

Virus hoaxes such as GOOD TIMES
http://www.hr.doe.gov/goodtime.html

National Infrastructure Protection Center (NIPC)
http://www.nipc.gov

Isolating the infection source

As an investigator, you’ll want to track down the source of infection if you suspect malicious intent. Could the virus have come from:

  • A diagnostic disk from the PC tech support team?
  • A floppy from co-worker?
  • A suspect-introduced disk?

Forensic processing of suspected viruses

If you are examining a floppy disk, write-protect the floppy, then use DOS to make a diskcopy: an exact, bit-by-bit, byte-by-byte copy of the floppy. The command is diskcopy a: a:. After copying the source diskette to the target diskette, set aside the original and work on the copy.

Use a virus scanner that will allow you to quarantine the virus without cleaning or deleting it. Allow your virus protector to tell you what the virus is.

If the virus must be shared with the defense in a case, provide a copy of the floppy with a warning label that it contains an active virus that could infect their system, along with a copy of instructions for processing.
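The three steps above (image the floppy, let a scanner identify the virus without cleaning it, hand the defense a labelled copy), worked through as an added Python example that is not part of the original article. It images a file standing in for the floppy (on a real system the source would be the write-protected device opened read-only), verifies the copy by SHA-256 before the original is set aside, scans only the copy for byte patterns, and builds the case record and the warning label. The signature names, the byte patterns and the contents of the demo floppy are all constructed for this example.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024

# Constructed signatures for this demo only: byte patterns a scanner would look
# for. Real scanners carry thousands of such patterns; these names are placeholders.
SIGNATURES = {
    "DEMO.MassMailer": b"SEND50NAMES",
    "DEMO.NukeTool": b"OOB-NUKE",
}


def sha256_of(path):
    """Hash a file in chunks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_media(source, target):
    """Exact copy of source into target (the 'diskcopy a: a:' step).
    The source is hashed while it is read and the copy is hashed afterwards;
    the two must agree before the original is set aside."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(target, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
    return h.hexdigest(), sha256_of(target)


def scan_image(image_path):
    """Look for known byte patterns in the working copy and return
    (signature_name, offset) pairs sorted by offset. Nothing is cleaned or
    deleted: the copy is left untouched and the hit list goes into the record."""
    with open(image_path, "rb") as f:
        data = f.read()  # a floppy image is small; stream larger media instead
    hits = []
    for name, pattern in SIGNATURES.items():
        start = 0
        while (idx := data.find(pattern, start)) >= 0:
            hits.append((name, idx))
            start = idx + 1
    return sorted(hits, key=lambda h: h[1])


def process_evidence(source, workdir):
    """Image the original, verify the copy, then scan only the copy."""
    copy_path = os.path.join(workdir, "evidence_copy.img")
    src_hash, copy_hash = image_media(source, copy_path)
    record = {
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "working_copy": copy_path,
        "source_sha256": src_hash,
        "copy_sha256": copy_hash,
        "verified": src_hash == copy_hash,
        "hits": [],
    }
    if record["verified"]:  # never analyse a copy that failed verification
        record["hits"] = scan_image(copy_path)
    return record


def defense_copy_label(record):
    """Text for the warning label that travels with a copy handed to the defense."""
    names = ", ".join(sorted({n for n, _ in record["hits"]})) or "none identified"
    return (f"WARNING: this media contains active malicious code ({names}). "
            f"Do not run or open its contents on a networked system. "
            f"SHA-256 of image: {record['copy_sha256']}")


def build_demo_floppy(path):
    """Constructed stand-in for the seized floppy: a fake boot sector, two
    file names and the two planted patterns at known offsets."""
    content = (b"\xeb\x3c\x90DEMOFLOP" + b"\x00" * 32          # bytes 0..42
               + b"KEYLOG.EXE" + b"OOB-NUKE" + b"\x00" * 8     # pattern at 53
               + b"MAIL.VBS" + b"SEND50NAMES" + b"\x00" * 16)  # pattern at 77
    with open(path, "wb") as f:
        f.write(content)


def demo():
    """Run the whole procedure on the constructed floppy in a temp directory."""
    workdir = tempfile.mkdtemp(prefix="pfi_demo_")
    try:
        source = os.path.join(workdir, "original_floppy.img")
        build_demo_floppy(source)
        return process_evidence(source, workdir)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    rec = demo()
    print(json.dumps(rec, indent=2))
    print(defense_copy_label(rec))
```

The record keeps both hashes rather than only a verified flag, so a reader of the case file can recompute the hash of the copy they were given and compare it with the value recorded at acquisition.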

Presenting in court

If a demonstration is needed, take in a laptop with current virus protection, and allow it to find the virus on the copy of the original evidence.

Rules of thumb for preventing virus infections

  • Install, update, and religiously use one of the major anti-virus software packages. They can prevent downloading viruses as well as disinfect files once you have a virus.
  • If you receive an e-mail message or download a posting from an Internet newsgroup that contains an attached program or document, before you open it, be sure of what it is and who posted it. DO NOT EVER CLICK ON ATTACHMENTS THAT YOU AREN'T SURE ABOUT!
  • In the case of executable programs such as Happy99.exe, don't run the program! If you do, you will be infected. Always look at the attachment to be sure it doesn’t have an .exe extension. Visual Basic Script (.vbs) files are also particularly troublesome. Watch out for them.
  • Scan every incoming program before you run it, no matter who sent it to you, even if you have to save the file onto your hard drive and run the scanner on it directly.
  • Don't let other people use your personal computer. They might not be as careful as you are about virus issues.
  • Avoid using files and floppies from communal PCs.
  • Employees who bring software to the office from their home machines (usually free software they have downloaded from the Internet) are the greatest threat. Don't allow them to demonstrate or to give you files on a floppy.
  • Successful recovery from a virus attack depends on early detection. As soon as your PC starts acting suspiciously (e.g., if your PC suddenly slows to a crawl or programs take an inordinately long time to load), you will want to check for a virus. Also be alert for unexplained changes to your computer’s configuration, loss of system memory, files that all of a sudden come up missing, and unexpected messages or sounds.
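The attachment rules above (watch for .exe and .vbs files; be sure what a file is before opening it), as an added Python example that is not from the original article: a small classifier that reads the real extension the way Windows will, including upper-case names, a trailing dot, padding spaces that push the true extension out of view, and double extensions such as photo.jpg.exe. The extension lists are this example's assumptions, not the article's.

```python
# Extensions the article names (.exe, .vbs) plus other types Windows runs
# directly; this list is an assumption of the example.
EXECUTABLE_EXT = {"exe", "vbs", "com", "bat", "cmd", "scr", "pif",
                  "js", "jse", "wsf", "hta"}
# Types that look harmless at a glance and get used as the first half of a
# double extension ("photo.jpg.exe"); also an assumption of the example.
BENIGN_LOOKING_EXT = {"doc", "xls", "txt", "rtf", "jpg", "gif", "pdf",
                      "zip", "htm", "html"}
MACRO_CAPABLE_EXT = {"doc", "dot", "xls", "rtf"}


def attachment_risk(filename):
    """Classify an attachment by the extension that will actually be used.

    Returns (verdict, reason) with verdict one of "block", "scan", "review".
    """
    # Lower-case, split on dots, and strip each piece so padding spaces and
    # trailing dots cannot hide the real extension.
    parts = [p.strip() for p in filename.strip().lower().split(".")]
    parts = [p for p in parts if p]
    if len(parts) < 2:
        return ("review", "no extension; identify the file type before opening")
    ext, inner = parts[-1], parts[-2]
    if ext in EXECUTABLE_EXT:
        if inner in BENIGN_LOOKING_EXT:
            return ("block", f"double extension: shown as .{inner} but runs as .{ext}")
        return ("block", f"executable attachment (.{ext})")
    if ext in MACRO_CAPABLE_EXT:
        return ("scan", f".{ext} can carry macros; scan before opening")
    return ("scan", f".{ext}; scan with an up-to-date scanner before opening")


def triage(filenames):
    """Apply attachment_risk to a batch and group the names by verdict."""
    out = {"block": [], "scan": [], "review": []}
    for name in filenames:
        out[attachment_risk(name)[0]].append(name)
    return out


if __name__ == "__main__":
    for name in ["Happy99.exe", "invoice.TXT.vbs", "photo.jpg        .exe",
                 "report.doc", "README", "notes.exe."]:
        print(f"{name!r:32} -> {attachment_risk(name)}")
```

A mail gateway or desktop filter would act on the verdict; the reason string is what an investigator wants in the log, because it records why the name was judged deceptive rather than only that it was dropped.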

If you should run into a bona fide hacker case…

Users who do not have a robust firewall program or intrusion detection system installed on their computers or networks would be surprised at how many hackers are methodically probing their computers on a daily basis. Automatic port-scanning software makes this possible. Using these tools, hackers can probe hundreds of thousands of computers in a single hour, with the scanning programs reporting back to them on the vulnerabilities of each individual computer. Systems administrators use these tools regularly to look for problems on networks, but hackers and Internet criminals use them to crack into forbidden systems.
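The detection side of the probing described above, as an added Python example that is not part of the original article: a routine that reads constructed firewall log lines and flags any source that touches many distinct ports on one host within a short window, which is the shape of a basic intrusion detection rule for a port scan. The log format, the addresses and the thresholds are assumptions for this example; the run with a longer window shows why a slow scan slips past a short one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed firewall log in a simple syslog-like form. 10.9.8.7 sweeps ten
# ports in ten seconds; 203.0.113.9 sweeps the same ports one every 90 seconds;
# 198.51.100.5 is an ordinary web user. One line is deliberately garbled.
SAMPLE_LOG = """\
2002-03-01T10:00:00 DROP src=203.0.113.9 dst=192.0.2.10 proto=tcp dpt=21
2002-03-01T10:00:01 DROP src=10.9.8.7 dst=192.0.2.10 proto=tcp dpt=21
2002-03-01T10:00:02 ACCEPT src=198.51.100.5 dst=192.0.2.10 proto=tcp dpt=80
2002-03-01T10:00:02 DROP src=10.9.8.7 dst=192.0.2.10 proto=tcp dpt=22
2002-03-01T10:00:03 DROP src=10.9.8.7 dst=192.0.2.10 proto=tcp dpt=23
2002-03-01T10:00:04 DROP src=10.9.8.7 dst=192.0.2.10 proto=tcp dpt=25
2002-03-01T10:00:05 DROP src=10.9.8.7 dst=192.0.2.10 proto=tcp dpt=53
2002-03-01T10:00:06 ACCEPT src=10.9.8.7 dst=192.0.2.10 proto=tcp dpt=80
2002-03-01T10:00:07 DROP src=10.9.8.7 dst=192.0.2.10 proto=tcp dpt=110
2002-03-01T10:00:08 DROP src=10.9.8.7 dst=192.0.2.10 proto=tcp dpt=139
2002-03-01T10:00:09 DROP src=10.9.8.7 dst=192.0.2.10 proto=tcp dpt=143
2002-03-01T10:00:10 DROP src=10.9.8.7 dst=192.0.2.10 proto=tcp dpt=443
this line is garbled and must be skipped by the parser
2002-03-01T10:00:30 ACCEPT src=198.51.100.5 dst=192.0.2.10 proto=tcp dpt=443
2002-03-01T10:01:30 DROP src=203.0.113.9 dst=192.0.2.10 proto=tcp dpt=22
2002-03-01T10:03:00 DROP src=203.0.113.9 dst=192.0.2.10 proto=tcp dpt=23
2002-03-01T10:04:30 DROP src=203.0.113.9 dst=192.0.2.10 proto=tcp dpt=25
2002-03-01T10:06:00 DROP src=203.0.113.9 dst=192.0.2.10 proto=tcp dpt=53
2002-03-01T10:07:30 DROP src=203.0.113.9 dst=192.0.2.10 proto=tcp dpt=80
2002-03-01T10:09:00 DROP src=203.0.113.9 dst=192.0.2.10 proto=tcp dpt=110
2002-03-01T10:10:30 DROP src=203.0.113.9 dst=192.0.2.10 proto=tcp dpt=139
2002-03-01T10:12:00 DROP src=203.0.113.9 dst=192.0.2.10 proto=tcp dpt=143
2002-03-01T10:13:30 DROP src=203.0.113.9 dst=192.0.2.10 proto=tcp dpt=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dpt=(?P<dpt>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None so bad lines are skipped
    rather than crashing the run."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dpt"] = int(ev["dpt"])
    return ev


def find_scanners(lines, window_seconds=60, min_ports=8):
    """Flag sources that reach at least min_ports distinct destination ports
    within any window_seconds span. Returns {src: max_distinct_ports}."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["src"]].append((ev["ts"], ev["dpt"]))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        window = deque()
        best = 0
        for ts, port in evs:
            window.append((ts, port))
            # Slide the window: drop events older than window_seconds.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            best = max(best, len({p for _, p in window}))
        if best >= min_ports:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("60 s window:  ", find_scanners(lines))
    print("1 h window:   ", find_scanners(lines, window_seconds=3600))
```

Both accepted and dropped packets count toward the port total, since a scanner that finds an open port gets an ACCEPT line for it; counting only drops would understate the sweep.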

So how do you spot and stop them? Space does not permit a rehash of how local police can investigate hacking incidents.

Want to find out what you’re up against with the type of hacking you are encountering in this investigation? Then hang out where the bad boys of the ‘net hang out – the hacker sites. As you lurk and learn, though, don’t let your guard down. Remember, you are on their turf!

AntiOnline News on all the ins and outs of hacker activity.
http://www.antionline.com

BugNet The top unofficial watchdog group overseeing hackerdom.
http://www.bugnet.com

Computer Security Institute Research and hints for businesses on how to prevent hacker attacks.
http://www.gosci.com

Hackers.com Tools that hackers share with each other are downloadable here, along with explanations of what they do.
http://www.hackers.com

L0pht Heavy Industries A very strident hackers group that releases hacker tools such as L0phtCrack, used to crack passwords.
http://www.l0pht.com

SecurityFocus.com Up-to-date news about the latest hack attacks.
http://www.securityfocus.com

Investigative checklist

Beyond the basic information you would gather in any investigation (date and time, victim operating system and network information, IP address of attacker and victim, details of what occurred, damage done, point of contact, etc.), the following are checklist items to logically handle a digital investigation, whether it involves a virus, worm, or hack attack.

Type of incident

  • Denial of service
  • Attack/intrusion
  • Virus
  • Trojan horse
  • Worm
  • Probe or scan (information gathering, not malicious)

How detected

  • Unusual computer behavior
  • Intrusion detection system
  • Computer user
  • Packet sniffer
  • Log files
  • Incident response team

Possible source

  • Downloading software
  • E-mail attachment
  • Floppy diskette

Method of operation

  • Type of virus – stealth, polymorphic, macro, etc.
  • Payload
  • E-mail propagating
  • Infected programs
  • Erased/modified/deleted/encrypted files
  • Other changes you can detect

Means of attack

  • Hacker tool/tactic (e.g., Trojan horse, IP spoofing, packet flood)
  • Targeting of network utility or port
  • Vulnerability exploit
  • Access to trusted host
  • Social engineering
  • Cracked, guessed or sniffed password

Possible suspect

  • Insider
  • Domestic
  • Foreign
   
 
 
© 2002 Police Futurists International
www.policefuturists.org