Why CIH culprit will never be found

Don't expect a quick, high-profile arrest for the suspected writer of the damaging CIH virus.
Written by ZDNet Staff, Contributor

It's almost certain a culprit won't be caught any time soon -- perhaps never. "Ninety-nine percent of virus writers won't ever be found," said Dan Takata, senior software support engineer with computer management firm Data Fellows Inc. "For CIH ... the writer knows a lot. No way [he's going to be found]."

Two variants of the CIH virus struck on Monday, reformatting the hard drives of over 300,000 computers in Turkey and 240,000 computers in Korea. Reports from the United States have been scattered, with perhaps 10,000 users -- mainly academic and home users -- affected. Other countries have reported hundreds and thousands of cases as well.

Despite the widespread outbreak, CIH is not a new virus -- that makes its creator hard to find, said Dan Schrader, director of product marketing for anti-virus firm Trend Micro Inc. "When we first encountered this virus last May, it wasn't in the wild, and we didn't know it was going to be a big deal," he said, adding that the virus was just one of more than 30,000 known viruses. "When it started to get big, the trail was pretty old, and that makes it pretty hard to track down any details."

In addition, the CIH virus infects executable files, which don't have the unique serial number that helped investigators connect several Web sites with the creator of the Melissa virus, said Schrader. "Executable files don't have the same global unique identifier as the Word documents that were infected by the Melissa virus," he said. The global unique identifier included in many documents created with Microsoft applications includes the unique address of the network interface card on computers equipped with such devices. That means that documents can be linked back to the PC that created them.
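As an added illustration that is not part of the article, the Python below decodes the identifier type Schrader describes. It assumes the Office document GUID is an RFC 4122 version-1 UUID, whose 48-bit node field holds the network card's MAC address when one was present; it also reports the multicast bit that a generator sets when it had to substitute a random node. The sample GUID is a public, well-known namespace UUID, not one taken from any document mentioned here.

```python
"""Decode a version-1 UUID (the GUID layout assumed for Office documents)
and recover the node field, which carries the NIC MAC address when present."""
import uuid
from datetime import datetime, timedelta, timezone

# Offset between the UUID epoch (1582-10-15) and the Unix epoch, in 100 ns ticks.
UUID_EPOCH_OFFSET = 0x01B21DD213814000


def decode_v1(guid_str):
    """Return MAC, hardware-address flag and timestamp for a v1 UUID.

    Returns None for any other UUID version, which carries no node/MAC field.
    """
    u = uuid.UUID(guid_str)
    if u.version != 1:
        return None

    node = u.node  # 48-bit node field
    mac = ":".join(f"{(node >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))

    # RFC 4122: a generator without a MAC sets the multicast bit (LSB of the
    # first octet) of the node; a clear bit means a real hardware address.
    hardware_address = not ((node >> 40) & 0x01)

    # u.time is a 60-bit count of 100 ns intervals since 1582-10-15.
    micros = (u.time - UUID_EPOCH_OFFSET) // 10
    ts = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=micros)

    return {
        "mac": mac,
        "hardware_address": hardware_address,
        "timestamp": ts.isoformat(),
    }


if __name__ == "__main__":
    # Constructed sample: the public RFC 4122 DNS namespace UUID (version 1).
    print(decode_v1("6ba7b810-9dad-11d1-80b4-00c04fd430c8"))
```

The timestamp shows how such an identifier also dates the document's creation, which is the second piece of tracing data an investigator would read from it.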

The degree to which law enforcement used the identifier to track down the Melissa virus is not known, though Michael Vatis, director of the National Infrastructure Protection Centre, characterised it as very little during a press conference after the arrest. In fact, it may be less a question of what the writer of CIH did right and more a question of what the writer of Melissa did wrong.

For one, the Melissa writer lived in the United States, making it very easy for the FBI and New Jersey officials to home in on him. The writer of the CIH virus is believed to be living in Taiwan, adding international jurisdiction to the list of issues with which law enforcement will have to deal. The writer of Melissa was also sloppy, said Data Fellows' Takata. "Melissa virus was posted from a home computer to a news group, which is not hard to track," he said. "There is also a time difference. The FBI immediately went after the Melissa writer; they had him a week later."
