Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have questioned whether courts are giving consistent sentences to hackers following the ruling against a 38-year-old British man who broke into a dating agency website and distributed computer viruses.
Matthew Byrne, from Kirkby-in-Ashfield, Nottinghamshire, has been given an eight month sentence, suspended for two years, after pleading guilty to writing the Mirsa viruses which posed as messages from the Fathers 4 Justice campaign group, and hacking accounts belonging to users of dating website loveandfriends.com. As the sentence is suspended Byrne has walked free and avoided jail.
"The Computer Crime Unit at Scotland Yard should be congratulated for bringing another hacker to justice, but one must question whether the legal system is dealing with virus writers in a consistent fashion," said Graham Cluley, senior technology consultant for Sophos. "In 2003, 21-year-old Welsh virus writer Simon Vallor received a two year jail sentence from the same judge, and more recently the British Government has approved the extradition to the USA of alleged NASA hacker Gary McKinnon. Is there a danger that conflicting messages are being sent to the hacking community by Byrne escaping jail time?"
The W32/Mirsa-A and W32/Mirsa-B worms arrive as an attached file in an email. The emails sent containing the Mirsa-A variant pretend that the malicious attachment is a resume or curriculum vitae, whereas the Mirsa-B variant uses subject lines such as "How NOT to get Promotion", "Memorandom to all staff", "Urgent Document", "Extremely Important", and "Private and personal".
If the attached file is run, the worm will email itself out to addresses found in the Windows Address Book and copy itself into files on the infected user's hard drive. The worms also attempt to drop a section of text onto the user's hard drive.
Text dropped by W32/Mirsa-A into a Word document:
Fathers 4 Justice
Coded by UK Digital Binary Division
UK Government will listen Fathers 4 Justice
Text dropped by W32/Mirsa-B into a Word document:
We are NOW supporting Fathers 4 Justice
Tony Blair: you really should LISTEN to us or we will take further action
A file called Fathers4Justice.txt is created on the user's desktop by W32/Mirsa-B containing the following text:
UK Digital Binary Division
MRSA: coded by the UK Digital Binary Division
we support Fathers-4-Justice
W32/Mirsa-B also creates an internet link on the user's desktop to the Fathers 4 Justice website.
A clue in the code
Sophos reported in January 2005 about a clue buried inside one of the Mirsa worms which suggested the author was from the Sheffield area. Hidden inside the W32/Mirsa-A virus, and not normally displayed to the infected user, is a section of text: "sheffield hallam university is corrupt".
"It was a stupid message for Byrne to include inside his worm. Sure enough, at the time of his arrest, he was living in Sheffield," continued Cluley.
|Hidden inside the W32/Mirsa-A worm is a message about Sheffield Hallam University|
Sophos recommends companies automatically update their corporate virus protection, and run a consolidated solution at the email gateway to defend against viruses, spyware and spam.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.