Spyder.
Why do malicious cyber-criminals always have such silly names?
Spyder is the name left behind, possibly deliberately, by the person who allegedly wrote the script of the pernicious “Love Bug” worm that has wiped out computers across Europe, Asia, and North America with lightning-like speed since its detection sometime Wednesday.
According to the source code of the worm, which has been traced to the Philippines, Spyder left his email address (go ahead, send him a love letter) and an important political message: “i hate go to school.”
It’s not much in the way of forensic evidence. But experts say it’s a start.
“There’s some evidence in the code, but not a whole lot,” said former Department of Defense security specialist Amit Yoran.
Yoran, now president of security company RIPTech, said it was very likely that the handle and the email address were spoofed and not real.
“I would be very surprised if the person was that goofy,” he said.
Matt Yarbrough, former chief cybercrimes prosecutor for the U.S. Attorney’s Office for the Northern District of Texas, said even if the address and name were spoofed, they could provide a clue as to where the virus came from.
But first investigators will have to recover the server logs.
“Good luck — it’s in a foreign country,” he said. “The FBI can no longer just turn around and ask for it.”
Luckily for the FBI, the Philippines is an MLAT country, meaning it has entered into a mutual legal assistance treaty with the United States.
Yarbrough said this will make the feds’ job a bit easier. That is, if the cracker hasn’t already gone in and changed the logs, a difficult but doable task.
“It takes time to cover your tracks,” he said. “It’s more than wearing gloves when you’re planning on murdering someone. You have to make sure you don’t drop a piece of hair or leave a piece of DNA behind.”
Mafiaboy, the Canadian teen charged with a recent DoS attack on CNN.com, got busted because he left behind that kind of evidence. Experts say, however, that the person behind the worm is no “script kiddie,” a derogatory name used for malicious hackers who use existing code to create mischief.
“This is a new script,” Yarbrough said. “Every single thing (Mafiaboy) used had been on the market for years,” he said.
The “Love Bug” virus isn’t considered complex by security experts. It is, however, clearly written by someone who knew what he was doing.
The source code of the virus shows it may be able to steal passwords and send them to an email account in the Philippines. If infected users don’t change their passwords once their systems are back up, they could risk further damage and possible theft of any information stored in their computer files.
“It could be economic espionage,” Yarbrough said. “Business trade-secrets have a lot more value in the open market than most nukes do. There could be all sorts of motivations.”
Whoever did it is likely to face harsh prosecution if caught.
“There’s real dollar-loss associated with this virus,” Yoran said. “This is crashing computers, this is crashing mail systems.”
“This will be like a Melissa type of investigation,” Yoran said. “My guess is that it won’t be taken lightly.”
Experts say the “Love Bug” is most comparable to the Melissa virus, which infected about 1 million computers and caused more than $80 million in damage in early 1999.
The love virus is said to be worse, though, because Melissa targeted only the first 50 people on a user’s Outlook email list, whereas the love virus sends itself to everyone on a user’s Outlook email list.
One industry analyst predicted that the damage caused by this latest virus would exceed $1 billion by Monday.
Legal experts say that’s not good news for Spyder.
“Money damages equal jail time,” Yarbrough said.