The Worm That Turned: A New Approach To Hacker Hunting
To beat a super-sophisticated computer worm back in June 2000, Bob Gerber of the FBI’s National Infrastructure Protection Center broke new ground in fighting cybercrime by gathering top security experts from government and industry and letting them tackle the problem with little supervision.
The worm, dubbed “Leaves,” sought out computers whose security was already compromised by Trojan programs, and enabled its inventor to coordinate a large-scale denial of service attack via the infected computers, all from a single Internet connection.
The think tank Gerber organized had to overcome mistrust between the private and federal experts; the Pentagon’s Marcus Sachs eased relations by demonstrating his knowledge of worms and his hacker savvy.
Participants took a sample of the worm back home, where they deconstructed it individually while sharing their discoveries with each other via email and telephone; letting them work unsupervised ensured that “Egos didn’t get in the way of progress,” according to Sachs.
This approach helped shed light on the methodology of Leaves’ creator, which generated leads and counter-strategies for federal agents to follow. Such moves included shutting down the Web sites that the zombie computers used to receive orders, and planting devices to trace the hacker’s whereabouts, but as time went on Leaves’ zombie ranks swelled while the worm’s inventor got cagey and used more creative infection techniques.
The think tank’s activities were interrupted by the outbreak of the Code Red virus, which took priority. Meanwhile, federal agent Michelle Jupina found a hot lead when she discovered an address used by the Leaves perpetrator in a cache she pulled off an Oklahoma server; she tracked the address to Britain and worked with U.K. authorities to apprehend the hacker the next time he attempted to connect to the server.
Although the hacker’s motives remain undisclosed, the incident as well as Code Red allowed Gerber’s think tank to prove its mettle.
Abstracted by the National Law Enforcement and Corrections Technology Center (NLECTC) from Government Executive (02/03) Vol. 35, No. 2; Harris, Shane.