Bug Watch: Is cyber-crime above the law?

With two new virus codes hitting the wild this week, many are left remembering previous destructive examples such as Love Bug, Anna Kournikova and Naked Wife.

Matt Tomlinson, business development director at MIS Corporate Defence Solutions, looks at what is happening to the makers and breakers of these viruses and the most recent developments in the law, which might help to bring justice against those that revel in the underground world of cyber-crime.

Last week week an updated version of the virus kit used to set forth Anna was detected. The first Anna kit virus, created by selecting a couple of boxes and clicking the generate button, was utilised in a couple of minutes by a teenager needing no previous knowledge of virus programming.

Available via the internet, kits to develop viruses are broadening the serious potential viruses have to decimate businesses around the world. The latest version to hit makes the birth of a virus even simpler to set in motion and includes features to speed up processes and infect more efficiently. This is worrying news when it is estimated that it took the Anna virus just 30 seconds to fully generate.

The security market has also seen a new release of the old SubSeven backdoor program, version 2.2, into the wild. Version 2.2 brings with it the increased risk of virus movement into networks, through Visual Basic Script Worm Generator. This powerful programme allows the infiltrator to gain access to all areas, taking data ranging from personal information to saved files.

Version 2.2 of SubSeven also has the potential to perform denial of service attacks (DoS). DoS attacks can disrupt services such as email, cause temporary loss of all network connectivity or even destroy programming and files on a network. In the worst case a business's website may be forced to temporarily shut down, costing the infected person or company valuable time and money.

With cyber-terrorists hitting the headlines in droves, most of us are asking what can be done about the apparent lack of punishment that these types of enthusiasts receive. Is it fair that those freely reeking havoc on our systems seem to get away scot-free? Of course not; but what needs to be understood is cyber-crime is just that, a crime, no matter whether it is a defacement or the more damaging execution of a virus.

Some would argue that the term 'cyber-terrorists' is slightly extreme when evidence shows that the people very often responsible for these crimes are nothing more than kids, playing about on their PCs at home. However, on the other hand, many would strongly disagree with this train of thought, believing that actions punishable in the real world, but that take place in the virtual, are no different, other than the medium that has been used to execute them. Adding insult to injury, there is evidence that many dabbling in this sphere are leaving the hacker community with an employment contract.

For example, look at OnTheFly, teenage creator of the Anna Kournikova virus. This has been the biggest virus to hit in 2001, infecting systems due to the same old story of exploiting human nature through promising explicit photographs of the Russian tennis star. What has incensed many is the fact that the Dutch mayor of OnTheFly's home town has apparently suggested that he be offered a job within the local authorities after he finishes studying.

Similarly, the 22-year-old Filipino responsible for releasing the Love Bug in May 2000, Onel de Guzman, although maintaining he's not the author of the Love Bug, did openly admit to "unwittingly" releasing the virus into the wild. The most disastrous virus to date, causing millions of pounds worth of damage in it's first day alone, its writer will never be tried or face punishment, because Philippine law does not specifically cover computer crime. Again, receiving numerous job offers, Guzman perhaps even more disturbingly was promoted to national hero status for this crime.

On 19 February the Terrorism Act 2000 became law in the UK, clamping down on actions that have the intention of threatening, disrupting or influencing the government or public via electronic methods. Even if the source of the disruption comes from outside the country, if it effects the UK, the perpetrator, if caught, can be taken to court and tried as a terrorist. Strong stuff for the average teenage hacker, but in the view of many essential in view of the rapid increase of the tools, such as virus kits, flooding onto the scene.

The government's website providing information on single currency for Europe, Euro.gov.uk, was defaced last week, and although in this case not by a virus, the result was the posting of insulting messages about the Queen and country. The question now is to see whether the government is going to practise what its policies are preaching and take action against those who are setting out to disrupt the workings of everyday life.

Could these types of cyber-enthusiasts be prosecuted for infecting or disrupting our systems? There is of course much debate in this area and as people await for evidence, the only answer is that time will tell.

Next edition: 23 March