Experts at SophosLabs™, Sophos's global
network of virus, spyware and spam analysis centers, have
questioned whether courts are giving consistent sentences to
hackers following the ruling against a 38-year-old British man who
broke into a dating agency website and distributed computer
viruses.
Matthew Byrne, from Kirkby-in-Ashfield, Nottinghamshire, has
been given an eight-month sentence, suspended for two years, after
pleading guilty to writing the Mirsa viruses, which posed as
messages from the Fathers 4 Justice campaign group, and hacking
accounts belonging to users of dating website loveandfriends.com.
As the sentence is suspended, Byrne has walked free and avoided
jail.
"The Computer Crime Unit at Scotland Yard should be
congratulated for bringing another hacker to justice, but one must
question whether the legal system is dealing with virus writers in
a consistent fashion," said Graham Cluley, senior
technology consultant for Sophos. "In 2003, 21-year-old Welsh virus
writer Simon Vallor received a two-year jail sentence
from the same judge, and more recently
the British Government has approved the extradition to the USA of
alleged NASA hacker Gary McKinnon. Is there a danger that
conflicting messages are being sent to the hacking community by
Byrne escaping jail time?"
The W32/Mirsa-A and W32/Mirsa-B worms arrive as an attached
file in an email. Emails carrying the Mirsa-A variant
present the malicious
attachment is a resume or curriculum vitae, whereas the Mirsa-B
variant uses subject lines such as "How NOT to get Promotion",
"Memorandom to all staff", "Urgent Document", "Extremely
Important", and "Private and personal".
If the attached file is run, the worm will email itself out to
addresses found in the Windows Address Book and copy itself into
files on the infected user's hard drive. The worms also attempt to
drop a section of text onto the user's hard drive.
Text dropped by W32/Mirsa-A into a Word document:
Fathers 4 Justice
Coded by UK Digital Binary Division
UK Government will listen Fathers 4 Justice
respect to:
RanSid
DILENGER
NEWORDER
KJ
VosLar
Text dropped by W32/Mirsa-B into a Word document:
We are NOW supporting Fathers 4
Justice
Tony Blair: you really should LISTEN to us or we will take
further action
LeftPara
VosLar
ManTak
DILENGER
A file called Fathers4Justice.txt is created on the
user's desktop by W32/Mirsa-B containing the following text:
UK Digital Binary Division
MRSA: coded by the UK Digital Binary Division
we support Fathers-4-Justice
W32/Mirsa-B also creates an internet link on the user's desktop
to the Fathers 4 Justice website.
A clue in the code
Sophos reported in January 2005 on a clue buried inside
one of the Mirsa worms
which suggested the author was from the Sheffield area. Hidden
inside the W32/Mirsa-A virus, and not normally displayed to the
infected user, is a section of text: "sheffield hallam university
is corrupt".
"It was a stupid message for Byrne to include inside his worm.
Sure enough, at the time of his arrest, he was living in
Sheffield," continued Cluley.
[Image: Hidden inside the W32/Mirsa-A worm is a message about Sheffield Hallam University]
Sophos recommends companies automatically update their corporate
virus protection, and run a consolidated
solution at the email gateway to defend against viruses,
spyware and spam.