Good bug beats spy's worm

For those who believe corporate hacking and espionage only happens in Hollywood films, think again. The following story is a real-life example that just occurred in Australia. Evidence of the hacking is held by the author; however, names and details have been withheld due to an agreement that was finalised between the two parties involvedA week before Christmas, an old school chum rang me up to let me know that he would be enjoying his holiday, but he had to take work home. Every time he logs onto the Internet, there is a lot of hard-disk activity and he had to wait several minutes before he could do anything. The helpdesk at work was also on holiday so he thought I might be able to help him.

As the legal adviser to an investment syndicate, Joel (not his real name) has sensitive information on his computer and was worried that a computer virus was trying to delete his files. I went around for a quick look, and sure enough he had a virus - well actually a worm - that was doing the rounds at the time. The worm scanned the hard disk and sent documents back to a particular IP address. However, the worm's payload had been modified so that it did a couple of things differently:n It scanned the hard disk for both documents and spreadsheets; andn Then sent them to an address that was different to the worm that antivirus vendors had.

When I explained what I found a look of panic spread across Joel's face. He said that he had spent the last couple of months preparing secret documentation for his clients relating to two matters: a tax office investigation and a company takeover (both were closely guarded secrets at the time and the takeover has only just hit the press). He also explained that the computer had been doing the same thing for a few days before got around to ringing me.

Joel rang the company's CFO, who said he was having the same problem. After a rather irritating telephone call - that's why I'm not the helpdesk - we found out that he also had the modified worm. The worm was later found on computers belonging to three of the company's executives.

Joel's clients were extremely worried that either the Tax Office or a corporate spy were now in possession of the secret documents - either one could cost them millions. They wanted me to track down what documents were sent, who was receiving them and who installed the worm.

I had a better idea. Joel and I spent several days creating a special set of files. The files were watermarked, so they could be easily identified either electronically or by printouts and they contained a special Web bug that would allow me to track the files as they were sent around. The information in the files was cleverly fabricated so that it would be apparent if the Tax Office used it in their investigation or if someone else used it to thwart the takeover.

That Saturday we dialled Joel's ISP and watched as the worm sent the files out. The Web bugs soon reported that the files were received at the modified IP address. On Monday morning, the Web bug reported that the files were sent somewhere else. It didn't take long to work out which organisation the recipient worked for and who was responsible for the corporate theft.

Several days later, Joel's clients received some paperwork from the organisation responsible. It was apparent that the fabricated information had been used in the paperwork. The trap worked and as a result Joel was able to present evidence of the worm and the fabricated files to the organisation responsible. Being careful not to blackmail them, Joel also pointed out that it would be rather embarrassing if his clients started court action against the organisation responsible for installing the worm and extracting the real files. Soon after that a settlement was reached and the organisation's shady activities came to an abrupt end. w* The author is a security specialist whose name is withheld for obvious reasons. Comments on this article should be sent to the News editor, Sandra_Rossi@idg.com.au.

Join the newsletter!

Error: Please check your email address.
Show Comments

Market Place