by RSS Axelle Apvrille  |  Mar 09, 2009  |  Filed in: Security Research

It looks like we might have the Flocker virus writer's name, age, gender, address, picture, e-mail addresses, IM logins and nicknames. How? Using Google.

It all started when we found a nickname in the EPOC executable of the sample. I simply searched for that nickname on Google, and -- coincidence ? -- ran into Indonesian cyberphreaking and mobile phone communities.

Digging in that area, it seemed I got really lucky:

  1. The person's nickname is the one in the EPOC executable

  2. The person''s last name or pseudonym is another word found in the EPOC executable

  3. SymbOS/Flocker targets Indonesian IM3 pre-paid card holders, and -- surprise -- the name used is Indonesian

  4. The person showed some knowledge in mobile phones, mobile viruses and mobile anti-viruses. A virus writer would typically test his 0r her sample against a few anti-viruses and see if it gets through.

  5. The dates we find the person talking on the Internet about mobile viruses approximately match the time the new Flocker samples were found in the wild

Of course, this is not set in stone, and we're not vigilantes so we'll keep the name private (those who have the sample can likely figure out the same, however). Also, there are plenty of other scenarios: the person in question could have had his identity stolen (by a "friend," an enemy or randomly chosen by the real virus writer); he could have written some non-malicious Symbian code that the real virus writer used; the name and addresses we have might be completely fake, etc.

Indeed, it just looks too easy. Why send a virus into the wild with your nickname in it? If you are a virus writer, why provide your real identity on online communities? This is so naive. I probably won't know the end of the story, but regardless, I just hope he has a good story in case he gets picked up by Indonesian authorities.

As a side note, all of this is really scary. How accessible and trackable we all are via Google and how easy it is to use someone else's identity on the Web. It's nothing new, but this really shows there is a tremendous need for privacy on the Internet. I don't mind virus writers being sentenced -- but I would hate an innocent to be caught. And, whatever circumstances, I imagine people do not want their private live exposed. So why do they make it so easy for it to happen?

by RSS Axelle Apvrille  |  Mar 09, 2009  |  Filed in: Security Research