In Depth

Searching for Internet Perpetrators

Trying to trace Internet attacks backward to find the perp is an interesting exercise, but potentially fruitless.

By Simson Garfinkel


Indeed, a sophisticated attacker can fake practically any kind of information that’s used for traceback. This point is made in great detail by Richard Clayton’s recently completed PhD thesis at Cambridge University in England. For example, many dial-up ISPs record the caller ID of every person who calls up to get Internet access. But caller ID can be faked by anyone who has control of a PBX that connects to the public telephone system over a digital interface. Indeed, it turns out that faking caller ID is a great way to frame somebody, although I’ve never heard of a case in which this was actually done. In his thesis, Clayton shows how everything from Ethernet addresses to DSL records can be forged—and in most cases, it’s impossible to detect that the forgery actually took place.

Fortunately, even if the traceback turns up empty, you still have a few other tries to find the perp.

Beyond Traceback

If you have a Microsoft Office file from the attacker’s computer, you might hire an expert in computer forensics. Until a few years ago, every file created by Microsoft Office contained a globally unique identifier (GUID) belonging to the computer that created the file. By looking at the file’s GUID, it was possible to learn things about the computer that created the file. (Several years ago computer security expert Richard Smith used this technique to hunt down the author of the Melissa computer worm.) Modern versions of Office no longer stamp the GUID into every file, but there are other telltale traces that might be left behind—starting with things like the document’s “properties,” document changes and even Microsoft version numbers. Finally, there are linguistic models that can tell you if the writing of a particular document is similar to other documents written by one of your suspected perpetrators. Such models shouldn’t be admissible under the Daubert guidelines that govern the use of scientific testimony in U.S. courts, but they can nevertheless help you guide your own investigation.
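The GUID-based document forensics described above, as an added example that is not from the article or from Richard Smith's work: a version-1 GUID (the kind early Office builds stamped into files) encodes a creation timestamp and a 48-bit node field that was normally the generating machine's Ethernet address, so decoding it tells an investigator when the file was made and on what hardware. The decoder below pulls those fields out and flags the multicast bit that RFC 4122 uses to mark a randomly generated node; the sample GUID is constructed here with a hypothetical MAC, not taken from any real document.

```python
import uuid
from datetime import datetime, timedelta, timezone

# Version-1 UUID timestamps count 100 ns intervals since the Gregorian epoch.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def make_v1_uuid(when: datetime, clock_seq: int, node: int) -> uuid.UUID:
    """Build a version-1 UUID from explicit fields. Used only to construct the
    samples below; a real document carries whatever its generator wrote."""
    ticks = (when - GREGORIAN_EPOCH) // timedelta(microseconds=1) * 10
    time_low = ticks & 0xFFFFFFFF
    time_mid = (ticks >> 32) & 0xFFFF
    time_hi_version = ((ticks >> 48) & 0x0FFF) | (1 << 12)   # version 1
    clock_seq_hi_variant = ((clock_seq >> 8) & 0x3F) | 0x80   # RFC 4122 variant
    clock_seq_low = clock_seq & 0xFF
    return uuid.UUID(fields=(time_low, time_mid, time_hi_version,
                             clock_seq_hi_variant, clock_seq_low, node))


def inspect_guid(guid: str) -> dict:
    """Decode what a version-1 GUID reveals about the machine that made it:
    creation time, clock sequence, and the node field, which early generators
    filled with the Ethernet address unless the multicast bit marks it random."""
    u = uuid.UUID(guid)   # accepts {braced}, bare, and urn:uuid: spellings
    if u.version != 1:
        return {"version": u.version, "created": None, "node": None}
    created = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
    mac = ":".join(f"{(u.node >> (8 * i)) & 0xFF:02X}" for i in reversed(range(6)))
    return {
        "version": 1,
        "created": created,
        "clock_seq": u.clock_seq,
        "node": mac,
        # LSB of the first octet is the multicast bit; a unicast MAC never has
        # it set, so a set bit means the node was random, not a real address.
        "node_is_random": bool((u.node >> 40) & 0x01),
    }


# Constructed samples (hypothetical MAC, not from any real file): one "created"
# 2000-01-01 00:00 UTC on a machine with MAC 00:11:22:33:44:55, and one whose
# generator used a random node with the multicast bit set.
_WHEN = datetime(2000, 1, 1, tzinfo=timezone.utc)
SAMPLE_GUID = "{" + str(make_v1_uuid(_WHEN, 0x0ABC, 0x001122334455)) + "}"
RANDOM_NODE_GUID = str(make_v1_uuid(_WHEN, 0x0005, 0x01ABCDEF0123))

if __name__ == "__main__":
    for g in (SAMPLE_GUID, RANDOM_NODE_GUID):
        print(g, inspect_guid(g))
```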

If you are being attacked by someone who is using custom-written software, you might hire a specialist in software forensics to analyze the program. Software forensics is even less of a respected art than document forensics, but a good practitioner might be able to tell you if the code that’s in question is similar to other programs by known bad guys.

You might decide to engage the attacker or even infiltrate the attacker’s organization. Infiltration is a bit of a stretch but perhaps isn’t as hard as it seems. There are many cases of system administrators and security consultants engaging attackers over Internet chat. Many attackers are proud of their abilities, dismissive of their victims, and all too willing to taunt the subject of their assault. Others are willing to brag about their exploits on underground websites or meeting locations. Every time they communicate with the outside world, there’s a chance that they will make a mistake and reveal their location or their identity. If you find somebody who is willing to chat, keep it up and build a rapport. Who knows? The bad guy might even take you into his confidence; there are precedents for this. Depending on who your attacker is, you might even be able to meet him in person at one of the numerous “hacker conventions” that routinely take place in Las Vegas, New York or Germany. You’ll have more luck if you are a twentysomething with a few tattoos and piercings than if you are a fiftysomething in a business suit. And truth be told, you’ll probably have more luck if you’re female—or if you hire somebody who is. Still, this “human intelligence” is always available and frequently underutilized.
