denbeste@BBN.COM (Steven Den Beste) (12/19/89)
Like everyone who's heard of this thing, we here have been asking "What are they trying to accomplish that makes them willing to spend this much money?" I've come up with a model for their motivation which I think explains everything. I'd be very interested in any reactions to it:

1. They deliberately distributed two versions of the program. One version fires immediately, while the other stays silent for 90 reboots. I'll call these "scrambled" and "infected" systems respectively.

2. It is my guess that there are very few copies of the fire-immediately version. It is my guess that this version was deliberately mailed later than the others.

3. The purpose of the fire-immediately version is to make an example of a few users. It is my guess that the authors thought they had hidden things sufficiently well that a person who knew his system was infected still could not find and remove the infection. This then explains why the scrambled systems identify clearly which program caused the scrambling.

4. Therefore: a lot of people receive the disks "for free" and install immediately. Infection becomes rampant.

5. A few people get their systems scrambled immediately. Word gets out that the program is dangerous - but not immediately in most cases.

6. People with infected systems are given 90 reboots (presumably at least a couple of months under normal usage) to send in their money and get a dis-infector disk back.

7. Each system derives part of its encryption key from local information. Thus the dis-infector disk can only be used on the system for which it was returned. An organization with 10 infected systems has to pay 10 times, and receive 10 disks.

8. The money must be sent through a dummy corporation in Panama, with its notoriously unstrict banking laws. Payment is in US dollars because that's what Panamanian banks deal in.

9. For a person whose system is infected but not yet scrambled, an obvious tactic is to do a file-by-file backup onto disks or tape (as opposed to a block-level backup), followed by a disk reformat and rebuild, and restoration of the files. To thwart that end, I predict that the trojan has inserted itself into one or more executable files which would be expected to be retrieved in the backup. This may not include the full encryption algorithm - a simple "destroy all data and make the disk image unusable" would do. If several people get nailed in this way, word spreads and most people won't try to escape this way anymore.

[If one is careful about what is restored and what gets recovered from original release disks, this approach should be pretty safe. But the kind of people who would routinely install a program like this in the face of a "shrink-wrap" license are likely to have other software they use for which original release disks are not readily available. It would be my guess that such programs would be particularly inviting targets. Likewise, the process of a file-by-file backup and restore on an almost full 100 MB disk is not a pleasant prospect. It might actually cost more in floppy disks and time than the decryptor costs.]

10. The reason the disk was not distributed in the US and that the "license" doesn't allow it to be used here is that the behavior of this program is in direct violation of the federal "virus" law. It would be very interesting to know if there are any directly applicable statutes in Great Britain preventing this kind of activity. If not, then the authors of this would be outside of the purview of criminal law, and protected against civil suit by their "license". They might actually get away with it.

11. The motivation behind all this, then, is extortion. The cover story of an AIDS database may or may not be a sick attempt at an analogy. It may instead be a deliberate choice of a subject likely to intrigue many people into installing the program on their systems. (No-one has made any comment about what, if any, cover program is on the distribution disk. Does it really contain an AIDS database?)

12. Lastly, it is my guess that the authors have badly underestimated both the quantity and quality of the effort which has been and will be applied to defending against this trojan (see point 3 above). This story is not yet completely written, though - it may be that only the first layer of defenses has been opened to our vision, and that this thing runs much deeper (see point 9 above).

13. How do we find them?

a. Follow the bank accounts from which the mailing lists were bought and from which the rent money in London was paid. (Probably tough.)

b. Follow the bank accounts in Panama. (Forget it!)

c. Send in your money and try to figure out where the decryptor disk was sent. (IF it gets sent. There is no guarantee that they'll follow through on the bargain.)

d. Try to trace where they bought their computers originally to do the development. (Sure thing.)

e. Just where DO we (editorial "we") start looking, and what do we do with them when they're found? Is there actually any way to bring these guys to justice under British, Swedish or West German law? Could they be extradited from Nigeria or somewhere like that?

Steven C. Den Beste        || denbeste@bbn.com (ARPA/CSNET)
BBN Communications Corp.   || {apple, usc, husc6, csd4.milw.wisc.edu,
150 Cambridge Park Dr.     ||  gatech, oliveb, mit-eddie,
Cambridge, MA 02140        ||  ulowell}!bbn.com!denbeste (USENET)
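The careful restore described in point 9 of the post above - trust data files from the backup, but take anything executable only from original release disks unless it can be shown to be identical to them - can be turned into a mechanical check. The following is an added example and is not code from the original post or from anyone involved in the incident. It assumes a SHA-256 manifest built from the original release disks of every program on the machine (a hypothetical artifact the owner would have to produce), and every file name and file content below is constructed sample data, not material from a real disk.

```python
"""Verify a file-by-file backup of a suspect PC against known-good release media.

Added example (not from the original post). It assumes a SHA-256 manifest
built from the original release disks; all file contents are constructed.
"""
import hashlib
from pathlib import PurePosixPath

# DOS-era file types that can carry code. Anything with one of these suffixes
# is restored from the backup only if its hash matches the release media.
EXECUTABLE_SUFFIXES = {".exe", ".com", ".sys", ".bat", ".ovl"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(release_files: dict[str, bytes]) -> dict[str, str]:
    """Map each path on the original release disks to the SHA-256 of its contents."""
    return {path: sha256_hex(data) for path, data in release_files.items()}


def classify_backup(backup: dict[str, bytes], manifest: dict[str, str]) -> dict[str, list[str]]:
    """Sort a backup set into what may be restored and what must not be.

    restore      - data files, plus executables whose hash matches release media
    modified     - executables present on release media but different in the
                   backup (where a trojan inserting itself would show up);
                   reinstall these from the release disk, never from the backup
    unverifiable - executables with no release-media copy; hashing alone cannot
                   clear them, so they are left out of the restore
    """
    plan: dict[str, list[str]] = {"restore": [], "modified": [], "unverifiable": []}
    for path, data in sorted(backup.items()):
        if PurePosixPath(path).suffix.lower() not in EXECUTABLE_SUFFIXES:
            plan["restore"].append(path)          # data cannot execute; take it
            continue
        expected = manifest.get(path)
        if expected is None:
            plan["unverifiable"].append(path)     # no trusted original exists
        elif sha256_hex(data) == expected:
            plan["restore"].append(path)          # byte-identical to release disk
        else:
            plan["modified"].append(path)         # differs from release disk
    return plan


# Constructed sample data standing in for the original release disks.
RELEASE_DISK_FILES = {
    "WP/WP.EXE": b"MZ\x90\x00 wordproc v4.2 release build",
    "WP/SPELL.OVL": b"overlay: dictionary code",
    "DOS/COMMAND.COM": b"command interpreter, as shipped",
    "AUTOEXEC.BAT": b"@ECHO OFF\r\nPATH C:\\DOS\r\n",
}

# Constructed backup of the suspect machine: WP.EXE has grown a trailing stub
# (what a trojan appending itself to an executable would look like), AUTOEXEC.BAT
# now runs an extra program, and an INSTALL.COM with no release disk has appeared.
BACKUP_SET = {
    "WP/WP.EXE": RELEASE_DISK_FILES["WP/WP.EXE"] + b"\x00appended code",
    "WP/SPELL.OVL": RELEASE_DISK_FILES["WP/SPELL.OVL"],
    "DOS/COMMAND.COM": RELEASE_DISK_FILES["DOS/COMMAND.COM"],
    "AUTOEXEC.BAT": b"@ECHO OFF\r\nPATH C:\\DOS\r\nEXTRA.COM\r\n",
    "INSTALL.COM": b"unknown program, not on any release disk",
    "WP/LETTERS/BOSS.DOC": b"Dear ...",
    "DATA/PATIENTS.DBF": b"dbf records",
}


def plan_restore() -> dict[str, list[str]]:
    """Run the check on the constructed sample set."""
    return classify_backup(BACKUP_SET, build_manifest(RELEASE_DISK_FILES))


if __name__ == "__main__":
    for bucket, paths in plan_restore().items():
        print(f"{bucket:13s} {paths}")
```

Two points worth noting. The "unverifiable" bucket is exactly the case the post worries about: a program whose release disks are not to hand cannot be cleared by comparison, so the only safe choices are to obtain a trusted copy or do without it. And the hashes must be computed from the backup medium on a clean machine, not under the suspect system's own DOS, since a resident trojan on that system could serve up unmodified file contents while the on-disk copies are altered.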