[comp.virus] Motivation behind the AIDS trojan

denbeste@BBN.COM (Steven Den Beste) (12/19/89)

Like everyone who's heard of this thing, we here have been asking
"What are they trying to accomplish that makes them willing to spend
this much money?"

I've come up with a model for their motivation which I think explains
everything. I'd be very interested in any reactions to it:

1. They deliberately distributed two versions of the program. One
version fires immediately, while the other stays silent for 90
reboots. I'll call these "scrambled" and "infected" systems
respectively.

2. It is my guess that there are very few copies of the
fire-immediately version. It is my guess that this version was
deliberately mailed later than the others.

3. The purpose of the fire-immediately version is to make an example
of a few users. It is my guess that the authors thought they had
hidden things sufficiently well that a person who knew his system was
infected still could not find and remove the infection. This then
explains why the scrambled systems identify clearly which program
caused the scrambling.

4. Therefore: A lot of people receive the disks "for free" and install
immediately. Infection becomes rampant.

5. A few people get their systems scrambled immediately. Word gets out
that the program is dangerous - but not immediately in most cases.

6. People with infected systems are given 90 reboots (presumably at
least a couple of months under normal usage) to send in their money
and get a dis-infector disk back.

7. Each system derives part of its encryption key from local
information. Thus the dis-infector disk can only be used on the system
for which it was returned. An organization with 10 infected systems
has to pay 10 times, and receive 10 disks.

8. The money must be sent through a dummy corporation in Panama, with
its notoriously unstrict banking laws. Payment is in US dollars
because that's what Panamanian banks deal in.

9. For a person whose system is infected but not yet scrambled, an
obvious tactic is to do a file-by-file backup onto disks or tape (as
opposed to a block-level backup), followed by a disk reformat and
rebuild, and restoration of the files. To thwart that end, I predict
that the trojan has inserted itself into one or more executable files
which would be expected to be retrieved in the backup. This may not
include the full encryption algorithm - a simple "destroy all data and
make the disk image unusable" would do. If several people get nailed
in this way, word spreads and most people won't try to escape this way
anymore. [If one is careful about what is restored and what gets
recovered from original release disks, this approach should be pretty
safe. But the kind of people who would routinely install a program
like this in the face of a "shrink-wrap" license are likely to have
other software they use for which original release disks are not
readily available. It would be my guess that such programs would be
particularly inviting targets. Likewise, the process of a file-by-file
backup and restore on an almost full 100 MB disk is not a pleasant
prospect. It might actually cost more in floppy disks and time than
the decryptor costs.]

10. The reason the disk was not distributed in the US and that the
"license" doesn't allow it to be used here is that the behavior of
this program is in direct violation of the federal "virus" law. It
would be very interesting to know if there are any directly applicable
statutes in Great Britain preventing this kind of activity. If not,
then the authors of this would be outside of the purview of criminal
law, and protected against civil suit by their "license". They might
actually get away with it.

11. The motivation behind all this, then, is extortion. The cover
story of an AIDS database may or may not be a sick attempt at an
analogy. It may instead be a deliberate choice of a subject likely to
intrigue many people into installing the program on their systems.
(No-one has made any comment about what, if any, cover program is on
the distribution disk. Does it really contain an AIDS database?)

12. Lastly, it is my guess that the authors have badly underestimated
both the quantity and quality of the effort which has been and will be
applied to defending against this trojan (see point 3 above). This
story is not yet completely written, though - it may be that only the
first layer of defenses has been opened to our vision, and that this
thing runs much deeper (see point 9 above).

13. How do we find them?
	a. Follow the bank accounts from which the mailing lists were bought
	   and from which the rent money in London was paid. (Probably tough.)
	b. Follow the bank accounts in Panama. (Forget it!)
	c. Send in your money and try to figure out where the decryptor
	   disk was sent. (IF it gets sent. There is no guarantee that
	   they'll follow through on the bargain.)
	d. Try to trace where they bought their computers originally
	   to do the development. (Sure thing.)
	e. Just where DO we (editorial "we") start looking, and what do we
	   do with them when they're found? Is there actually any way to
	   bring these guys to justice under British, Swedish or West German
	   law? Could they be extradited from Nigeria or somewhere like that?


Steven C. Den Beste        ||  denbeste@bbn.com (ARPA/CSNET)
BBN Communications Corp.   ||  {apple, usc, husc6, csd4.milw.wisc.edu,
150 Cambridge Park Dr.     ||   gatech, oliveb, mit-eddie,
Cambridge, MA 02140        ||   ulowell}!bbn.com!denbeste (USENET)