How Do Virus Hunters Track Their Prey?

Mikko Hypponen and his band of Finnish computer virus hunters know the odds are stacked against them in the Web's wild frontier. The creators of only 10 of the roughly 200 viruses damaging computers around the world have been caught. Even investigations into high-profile viruses, such as the trio that hit the Internet over the past three weeks, rarely turn up a culprit. "Tracking down a virus is rare," says Vincent Gullotto, vice-president for the anti-virus research lab at software maker Network Associates Inc. (NET). "Someone getting caught is even rarer."

So you'll have to pardon Hypponen, the anti-virus research manager at Helsinki-based software company F-Secure Corp., if he got a little excited when he and his team were able to crack the SoBig virus before it finished doing whatever it was meant to do. Thanks to research from F-Secure, a 300-employee company known for cracking tough computer problems, virus experts and government investigators in several countries were able to shut down a network of computers hijacked by the virus on Aug. 22, just minutes before SoBig was to launch what was expected to be the next phase of its attack. "It was a very close call," says Hypponen. "The virus writers will make sure it's not as easy next time."

It was a partial yet rare victory for the good guys. Only about 500 virus hunters exist worldwide, and they are the first line of defense in the exploding war against viruses. They face a daunting task: keeping tabs on the more than 10,000 virus creators worldwide. And if being outnumbered wasn't enough, the jobs of such cybersleuths are getting harder as virus writers use ever more sophisticated encryption to hide what their code does. "Whoever is doing [SoBig] has been good at covering their tracks," says J. Michael Gibbons, managing director at consultant BearingPoint Inc. and a former FBI investigator.

Searching for that culprit is a patchwork of corporate computer experts, academics, and law enforcers. With no real governing body telling them what to do, the researchers act like cyber-bounty hunters in a field generating more than $2 billion a year in software and consulting sales for companies such as Symantec Corp. and Network Associates Inc. The sleuths range from a wunderkind from Moose Jaw, Saskatchewan, who went to work for Network Associates fresh out of high school, to people such as Dr. Peter Tippett, a 50-year-old with both a PhD and an M.D. who is chief technology officer for TruSecure Corp., a consultant in Herndon, Va.

Coordinating the counterattack are federal agencies. Two months ago, the Homeland Security Dept. opened the National Cyber Security Div., a 60-employee unit drawn from several different federal computer-security groups. The unit is responsible for sending out computer security alerts, as it did on July 14, when Blaster hit. "The purpose of what we are doing is to combine cyber and physical security," says Robert L. Liscouski, assistant Homeland Security secretary.

So how do virus hunters go after their elusive prey? With a combination of computer expertise and old-fashioned detective work. First, researchers attempt to isolate the virus and crack its code. This helps develop an antidote and can yield clues about its author. Second, researchers scour Internet message boards frequented by virus writers for clues. For researchers at anti-virus companies, getting credit for solving a virus can lend great cachet to sales. And for small companies such as F-Secure, getting credit for their work can land big consulting contracts with clients such as banks. But for the hunters themselves, as for virus writers, getting credit for being smarter than the other guys is the ultimate goal.

But sometimes, even when the feds get their perp, they can be stymied by virus writers working abroad. Four years ago, the FBI managed to trace a virus called LoveLetter to a college student in Manila. But because the Philippines had no laws making what he did illegal, he was never prosecuted.

That's not to say virus creators can't be caught. In March, 1999, the Melissa virus caused just as much damage as SoBig. But its author was a braggart. Virus hunters at TruSecure combed through huge volumes of messages on Internet chat sites and found a virus writer using the code name "VicodinES" who alluded to writing Melissa. VicodinES also had a habit of saying "hello" to his cats at the end of his messages. Then, a man using the name Doug Winterspoon in another chat room repeatedly mentioned the same cats. By combing through the chat-site traffic, "we were able to figure out what ISP he was using, what kind of browser, his e-mail client, even what bars he went to," says TruSecure's Tippett.

Doug Winterspoon turned out to be David L. Smith. Using information gathered by TruSecure and an ISP account in New Jersey, the FBI tracked Smith down. Melissa, it turns out, was a stripper of whom he was fond. Eight months later, Smith pleaded guilty to causing more than $80 million in damage to computers and was sentenced to 20 months in prison. Since then, security experts say the savviest virus writers have gone underground, avoiding the chat sites. Virus hunters can only hope the ego of SoBig's author inflates along with his increasingly troublesome virus.

By Jim Kerstetter in San Mateo, Calif., with Paul Magnusson in Washington