Tracking A Thief Via The Sircam Virus?
func writes with a rather strange situation: "Hey, my house was robbed, and they stole my computer, vcr, rc heli, and all my beer (!bastards!). But, on the positive side, the thief has been using the computer, and managed to infect himself with the Sircam virus. Now, some of my friends are getting virii sent to them by my stolen computer! Any way to track this guy via email, or even an ip or something stored in the virus code itself? And if I do find him, do I send the cops, or just my 6-foot-4, 260-lb ex-eastern-block buddy Radek?"
Since this virus' spread (cross fingers) seems to be slowing down a bit, this may take fast work. If you can reply with any suggestions for func, please include "Radek" or "Cops" in your subject line. (Just not the FBI.) Perhaps he could send a friendly letter to the thief offering free tech support?
Headers (Score:1)
Re:excuse me... (Score:1)
What, you mean you had Windows+Outlook installed to begin with? Then probably your beer was pee^H^H^Hcheap American beer too!
So... is it legal to infect YOUR OWN MACHINE? (Score:1)
Re:of course now it won't matter (Score:1)
And this is supposed to help me how? (Score:1)
Forget "Anti-Virus". . . (Score:1)
Re:Keep in contact with him! (Score:2)
Of course, the rest of us will probably all be dead by then...
HTML email? (Score:4)
Re:what an idiot. (Score:2)
If someone roots your box and you wanna know the IPs or even the dates/times it occurred, you can't do much without getting the law involved. In that case all we could tell you was that your machine was accessed by an IP other than the one(s) that were assigned to you.
Re:IP address in mail header (Score:1)
[1] It was fun to be able to say 'I'm a Hooker!'
re car thieves (Score:1)
Re:Headers (Score:2)
Headers (Score:3)
Of course, email MUST be copied in the form it was received, not mutilated by Outlook or other kind of garbage. If the recipient is unlucky enough to use Exchange, enable POP or IMAP support and download email from it using fetchmail or pine.
Even easier/quicker (Score:3)
Why not bypass the ISP (and the accompanying red-tape) entirely? If the laptop is using a modem to connect to the net, send the thief a binary which would cause the modem to call your home or work number and immediately play a sound clip that you can identify. When you receive a call that plays the sound clip, look on your caller ID and then use a reverse directory to map the phone number to a physical address.
If the laptop is using ethernet to connect... well, that's a bit tougher. I'm not sure how to track it without the assistance of the ISP in that case.
Re:IP address in mail header (Score:2)
--
Re:IP address in mail header (Score:2)
--
Nope, no open containers (Score:1)
Good judgement comes from experience, and experience comes from bad judgement.
Re:excuse me... (Score:1)
Don't be so quick to insult someone for their choice of software when you don't even know what you're talking about.
Contact the isp (Score:2)
Now, this device could have a local (192.168.* or 10.*) address, but the address should be your mail provider. Here's to hoping you use somebody's SMTP mail service! Anyway, you need to contact your mail provider and find out from which IP address he sent the message. Then, do a reverse name lookup, and contact his ISP.
Now, as someone mentioned earlier, if he is using your dialup service, this is even easier. However, I'm going to guess that he is using something like DSL, where you can connect multiple computers. That is just a guess, I'd just like to show that it is possible even if that is the case.
Regardless of how you find this guy, involve the police. I don't know what country you live in, but most police around here (Minnesota) don't appreciate you doing their job for them. Nor do the courts.
Re:Some laptops phones home (Score:2)
If you stole someone's computer, wouldn't it be somewhat wise to trash the data on it as soon as possible? That way it'd be harder to prove its not yours. Furthermore, why on earth would you start connecting to the internet with someone else's computer? That isn't very smart.
Your idea sounds good except that it'd have to be done in software. Or it'd have to be integrated into the operating system and done every single time the laptop connects. Sounds like a great idea? Sounds just like putting a unique ID on a Pentium 3.......
---
Jeezus that is a scary thought (Score:2)
Hidden Bomb? (Score:4)
Although, the first thing I would do if someone handed me a computer is format and reload all the drives...
Keep in contact with him! (Score:5)
make sure to print full headers (Score:2)
If files are being attached, print out the messages in their normal format in Outlook/Netscape (i.e. human readable), then view source and print the headers too...
Re:Keep in contact with him! (Score:2)
I'm gonna have to start stealing computers; this is how I wanna go :) Poor funeral director won't be able to wipe the shit-eating grin off my face.
Re:Yes. (Score:5)
Cop paranoia of a lesser kind (Score:3)
Somewhat related...
A long time ago a friend of mine ran a BBS on his Amiga. He had the startup rigged with a boot-menu containing a fake "Start BBS"-entry as a default, which - if chosen - would encrypt the RDB (Rigid Disk-Block) and reset. Or something to that effect.
Hey, don't look at me, it wasn't my computer, nor my idea.
Re:Hidden Bomb? (Score:2)
Probably a bit illegal as well.
it depends (Score:5)
If it was good beer, leave the cops out of it. If it was bad beer, sic the law on him.
If it was BUD, have Radek slap some sense into you.
Radek! (Score:3)
I assume he disabled your security. And not that you forgot to secure it.
Re:Bear in mind (Cops) (Score:2)
You CAN, however, be charged with Break and Enter for getting in to take what's legally yours.
Of course, if you grab the wrong hot computer, you're in double doo-doo. Best to let the cops handle it for you. 4 times out of 5, the crook will cop a plea bargain and your stuff will be available to you before the CPU is completely obsolete.
If you want the data off of the laptop, it may be possible to get permission from the police to make a backup. (this is a guess. I've never tried it).
--
Re:Fuck the police, get some vengeance (Score:3)
If you walk in to your local PD and say "I 0wn h1m! j00 cl00less fux0rz list3n 2 m33!", yeah, they'll get snitty.
If you walk in, and behind closed doors (or cubicles :), outline how you solved it, in such a way that the officer you're talking to also has enough of an understanding on how to solve it, you've just taught a cop a new way to solve crime that none of his buddies know, and you've probably just made a friend.
Beat a man over the head with a fish, and he'll slap you across the face with one. Teach a man to fish and you're both fed for life.
Re:Im not so sure this will help (Score:4)
IANAL, but ISTR that in these cases, the used computer store (pawnshop) is guilty of "possession of stolen property". As is, for that matter, the innocent sucker who walks in off the street and buys it. As such, you can still get your computer back.
Option 1: (There's only one bad guy, the thief.) The guy who bought the computer will be pissed, he'll be pissed at the computer store. The guy who runs the computer store will be really pissed, and he'll be pissed at the guy who sold it to him. End result -- the thief loses his ability to sell stuff at that store.
Option 2: (There's another bad guy, in that there's a store or pawnshop operating as a "fence", that is, reselling goods they know are stolen). The guy who bought the computer will be pissed. The cops will have evidence to use in their (likely ongoing) case against the fencing operation. End result -- the thief may get away, but the fencing operation goes down.
Either way, by providing evidence to the cops, you increase the odds of getting your stuff back and cleaning up your town.
Re:Cops can help... (Score:5)
Very true, the trick is to get someone at your local PD interested in the case. Routine burglaries are, well, routine. Just as the FBI laughs if the losses are less than $BIGNUM, your local cops generally don't give a damn about property theft, because the odds are slim and the cases are boring as hell.
1) So don't call - show up in meatspace at your local police department. (Or if you've filed a police report on the burglary, you probably have an officer's business card. In that case, call and try to set up a 15-minute appointment.)
2) You may want to talk to a detective, rather than the beat cop. Dunno how lucky you'll be at finding one. Might be worth a shot. Go through channels.
3) (Here's the kicker). YOU know how to solve the crime. The cops don't. So YOU explain it to the cop or detective - in detail. Bring printouts. Use highlighters. Emphasize the point that even though you did the legwork, you don't want credit - you want the cop to get credit for solving the "high-tech" case. This means career advancement to the cop/dick, and ought to interest him, even if the dollar value of the case is peanuts.
"My house was broken into and bad guys stole my stuff" - a boring case, like dozens of others, involving all the paperwork with no chance of recovering the goods.
"Here's an open-and-shut case on how to track a thief through cyberspace" - something new, possibly a promotion for finding a new way to solve cases, and a reputation within the department as "the guy who knows how to track criminals through cyberspace, he's even smarter than that moron the Feds send us every few months".
If you're helpful to your local cops, they just might be able to help you.
Forget Radek. . . (Score:2)
Re:Hidden Bomb? (Score:2)
Re:Use his stupidity against him... (Score:2)
Not even necessary. That info is in the e-mail header anyways, unless your friends goofed and saved the mails without their headers.
Re:Should be pretty easy. (Score:4)
No, that's not the worst case. Worst case is that the virus didn't actually infect the stolen computer, but rather the replacement computer that you're using now...
Re:Fuck the police, get some vengeance (Score:5)
Now that's a cruel and unusual punishment!
Re:IP address in mail header (Score:2)
spewing out buzzwords. Most dial-up terminal systems have a pool of IP addresses that are assigned to the unit itself. When someone dials in, their username/password is checked against a RADIUS server; if it is correct, the same packet contains information about their IP address, static or dynamic. If it is dynamic, then the terminal server will look at its pool, pick one, send an ARP request to the network to make sure another unit/machine/etc. is not using it, then give it to the client and reply to any ARP requests for it on the LAN side. None of this involves DHCP.
FYI, I know the previous to be true on Ascend and Livingston equipment, others are unknown, but likely the same or similar.
Re:you were warned..... (Score:2)
you were warned..... (Score:5)
Use his stupidity against him... (Score:3)
Re:Hidden Bomb? (Score:3)
Re:excuse me... (Score:2)
Open source beer! [umich.edu]
RE: Tracking A Thief Via The Sircam Virus? (Score:3)
Given what I know from my own Eastern block friends.
If you ever want to see your beer again... send the cops:)
Re:Bear in mind (Radek) (Score:2)
Sure, they don't know how it was stolen, or who it was stolen from. However, there is never any doubt that this "great deal" is a "hot deal".
-Steve
Re:Bear in mind (Cops) (Score:2)
That's the way the law works here in the states too, but you still have to consider that the person using it bought the computer and didn't know it was stolen. In the Radek situation, to them, a big Eastern block guy is coming over and demanding that they give him the computer. This can get Radek in a lot of trouble. In the case where the cops are involved, you'll get it back legally.
Plus, you'll probably need the cops involved anyways, to get the location of the person in possession of the computer.
Re:Bear in mind (Cops) (Score:2)
Re:Radek! (Score:3)
Note: I do disable VBS files (by associating them with notepad) on my home WinME machine, but this isn't common practice. I do it because many people use my home machine. Disabling VBS files like this isn't considered "security enablement" in the sense of updating patches and locking down ports.
Re:Hidden Bomb? (Score:4)
Yeah, I heard about that program. It's called Microsoft Windows.
-Martin
heh, tempting... (Score:3)
Re:Yes. (Score:2)
If the ISP has logs, then they are legally required to participate fully in any investigation. Furthermore, in Canada at least they would be REQUIRED BY LAW to go to the police if they had evidence or reason to believe that a crime had occurred. (In this case, phoning the ISP and explaining the thing would qualify) Not doing so is considered Aiding and Abetting.
Don't know if the same law exists in the US, but I suspect that an ISP that refused to help you would face charges.
[COPS]Re:Another approach... (Score:2)
Re:Contact the isp (Score:2)
It is not possible to forge these headers, he may be able to add extra bogus headers, but his IP *will* be in there.
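Both the "Contact the isp" comment and this reply come down to reading the Received lines from the bottom up and trusting only the one written by a server you control or know. The parser below is an added example, not code from the thread; the message, host names and addresses are constructed, and the bottom-most Received line stands in for the "extra bogus headers" a sender can prepend.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message. The thief's machine ("oemcomputer") hands the mail
# to the victim's own mail provider, which relays it to a friend's MX. The
# lowest Received line was not written by any real relay: it is the kind of
# fake header a sender can add. Lines above it are added by servers the sender
# never controls, so the first trusted relay's "from [ip]" is the real origin.
SAMPLE = (
    "Received: from mail.example-provider.net (mail.example-provider.net [198.51.100.7])\n"
    "\tby mx.friend-isp.example (Postfix) with ESMTP id 7A3F2\n"
    "\tfor <friend@friend-isp.example>; Tue, 24 Jul 2001 09:15:02 -0500\n"
    "Received: from oemcomputer (dialup-45.pop.example-provider.net [203.0.113.45])\n"
    "\tby mail.example-provider.net (8.11.2/8.11.2) with SMTP id f6OEEtS12345\n"
    "\tfor <friend@friend-isp.example>; Tue, 24 Jul 2001 09:14:55 -0500\n"
    "Received: from innocent.example.org (innocent.example.org [192.0.2.9])\n"
    "\tby oemcomputer with SMTP; Tue, 24 Jul 2001 09:14:40 -0500\n"
    "From: func <func@example-provider.net>\n"
    "To: friend@friend-isp.example\n"
    "Subject: I send you this file in order to have your advice\n"
    "\n"
    "Hi! How are you?\n"
)

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                    # name the client claimed
    r"(?:\s+\((?P<rdns>[^\s\[\]()]*)\s*\[(?P<ip>[\d.]+)\]\))?"  # rDNS + socket address
    r".*?\bby\s+(?P<by>\S+)",                                  # server that wrote the line
    re.S,
)


def parse_hops(raw):
    """Received hops oldest-first, each tagged with the server that recorded it."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):   # bottom line = oldest hop
        flat = " ".join(value.split())                      # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue
        when = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip()) if ";" in flat else None
        hops.append({"helo": m["helo"], "ip": m["ip"], "by": m["by"], "when": when})
    return hops


def originating_ip(raw, trusted_servers):
    """Address and time seen by the first relay you trust; hops below it may be forged."""
    for hop in parse_hops(raw):
        if hop["by"] in trusted_servers:
            return hop["ip"], hop["when"]
    return None, None


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE):
        print(hop)
    print(originating_ip(SAMPLE, {"mail.example-provider.net"}))
```

The IP and timestamp returned are what you hand to the mail provider or ISP; the "helo" name and anything below the trusted hop are the sender's own claims and are not evidence.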
This is way easy... (Score:2)
Re:Trace account, then trace to phone # (Score:2)
Re:Use his stupidity against him... (Score:2)
of course now it won't matter (Score:2)
Re:Bear in mind (Score:2)
I still vote for the eastern block buddy...something I'll be employing when GPS systems become small and cheap enough to fit inside TVs and computers.
Bear in mind (Score:4)
Fake contest/prize sting operation (Score:2)
Cable companies do something related to combat illegal access to cable service. They broadcast an ad that only the illegal boxes can get which says send in for a prize, says you won a contest, etc. Those that reply are prosecuted.
It is like a social engineering hack right on the thief's mind.
Re:Bear in mind (Radek) (Score:2)
Re:Bear in mind (Score:2)
Never underestimate stupidity.
Re:what an idiot. (Score:2)
Mental Note: if I ever get desperate enough to steal someone's computer and use it, be sure to reformat the HD.
--
About Ztrace (Score:2)
Either it's loaded itself after Windows and then it'll be erased if the FAT/NTFS partition is deleted, or it installs in the MBR, and then it's deleted if LILO or whatever erases the bootloader.
Anyway, since it's a *software* protection it is very likely to be circumvented (IMHO), by reinstalling Windows or installing Linux.
Re:Hidden Bomb? (Score:2)
Re:Your ISP?? (Score:2)
I can imagine having this conversation with ATT tech support... the pain! I think I'd rather just buy a new computer. Once a company gets past a certain size, it is like a black hole -- no customer service can escape.
For all intents and purposes, customer service is dead.
Re:Should be pretty easy. (Score:2)
Sarcasm aside, I think the FBI is only interested in high-dollar cases. On GRC.com the dude talks about how he couldn't get the FBI interested in the DoS attacks on him -- the damages weren't high enough to matter to them.
Re:Should be pretty easy. (Score:2)
No no, this thread was about the guy with a stolen computer. The FBI doesn't care about THAT. How did this turn into the DMCA?
This is what I was taking issue with:
Yeah -- just get the full headers to your local police and/or the FBI. I should think they'd be happy to get this kind of slam dunk to clear a case.
Call Microsoft (Score:2)
Re:what an idiot. (Score:3)
Did they act on this? No way.
The thief was basically handed to the OTTAWA POLICE on a silver platter, but apparently donut eating and beating defenceless women's heads against cars was more important.
I'd say send Radek, that is if the ISP will tell you who it is...
Re:Hidden Bomb? (Score:2)
I think that's how the new Windows XP works, sans the 'secure location' part.
Re:Yes. (Score:2)
Re:what an idiot. (Score:3)
Besides, if you have homeowners insurance you could still collect the value of the computer, then use that cash to upgrade to a better system, or use it to put out a contract on the thief's head. Either way.
Your ISP?? (Score:5)
If it was one of my local ISPs I'd take about 1 case of beer with you as a small incentive.
Re:Hidden Bomb? (Score:2)
Re:Bear in mind (Score:2)
Re:Hidden Bomb? (Score:2)
Although, the first thing I would do if someone handed me a computer is format and reload all the drives
Lucky for the poster he got such a stupid thief. I guess a system based on something like CPUID or NIC MAC address would work better; it'd have to be part of the OS though, and pretty well-secured too.
better yet (Score:3)
what an idiot. (Score:5)
Re:Some laptops phones home (Score:3)
http://www.theregister.co.uk/content/archive/2002
And a link to the company doing it: http://www.ztrace.com/ [ztrace.com]
Re:Yes. (Score:2)
Re:Yes. (Score:2)
Do I understand this well? If so...proceed.
If not...
Is this big enough that we need to ram it over to the couple of computer guys we have? (child porn, theft, hacking...ohh, if it's hacking, we'd better set up a big stake and some firewood too) If so, send it over...
If not...
If not, then it gets stale. I know that the cops are SUPPOSED to represent the public, but let's be realistic. I've seen cops unwilling to even make a report of a crime, a multi-thousand dollar property crime, even just for the sake of a number that was needed by the victim to file an insurance claim. And it's clear common knowledge that even the FBI doesn't want to hear about hacking cases unless the damage caused exceeds a rather large sum, typically about $10K now.
The bottom line is, this is the real world, and most cops are intimidated by technology. They are also not willing to admit to that in front of civilians. And I'm willing to bet that the sort of person who would think to trace a thief by taking advantage of a SirCam infection is also quite computer literate. I bet dollars to doughnuts (no pun intended) that he can get this accomplished in far less time than it would take a police officer. If I were him, I'd do it out of civic duty, just to make it easier on the already-overloaded police force where I live (in Washington, DC).
Yes. (Score:5)
Get an attorney, and file a "John Doe" lawsuit against the thief...the goal here is to get a lawsuit, so that you can get a subpoena. And who are you subpoenaing, and for what? The ISP the thief uses, for the logs of the phone number that was connected at that time, and the account information of the owner of that account. Turn that over to the police, and you should be good to go. That information is sufficient (explain it well to them) to get a search warrant and...voila! He's crispy.
Happy hunting!
Re:IP address in mail header (Score:2)
___
Re:Cops (Score:2)
Kind of reminds me of in Big Lebowski when The Dude asks the cop if they have any 'leads' about who stole his car. The cop busts up laughing and says "leads? not yet. the chief has us working in shifts to solve this one though!"
seriously, how many local police depts have a computer crimes division?
___
Re:Use his stupidity against him... (Score:2)
___
Re:IP address in mail header (Score:2)
___
Re:IP address in mail header (Score:2)
Here is a repost (originally by user poptix@work):
You were pretty clear about 'DHCP Client' and 'DHCP Server', FYI a DHCP server is quite different, and uses different protocols than a PPP+Radius+Ascend connection.. You don't see me calling you a dog or cat simply because you're a carbon based lifeform that eats vegetables and meat.
As a side note, if you don't know what the word means either look it up (http://www.dictionary.com) or just don't use it.
___
Re:Hidden Bomb? (Score:2)
Re:Yes. (Score:2)
Take the method outlined in that well-modded-up post to the police. Tell them that this guy stole your computer and these emails are proof. The Authorities can deal with the subpoenas, warrants, etc., and you won't have to pay a lawyer.
--Blair
"Or explain layer-3 semantics to him."
Re:Yes. (Score:2)
Don't talk to the desk sergeant. Ask to talk to a detective. They certainly have heard about tracing people on the net, and if they're the first in their jurisdiction to succeed at it, all the better.
The point is, when you are the victim of criminal acts, the state is your lawyer. You shouldn't investigate your own case until after the state tells you to get lost.
--Blair
just a thought? (Score:2)
radek, however appealing his deadly skills may be, is not the right answer. get the cops. if it is the thief, have him taken out in prison for 4 cases of cigarettes
Should be pretty easy. (Score:5)
If you could post the Headers of the offending emails, I'll bet most people here could tell you where the thief is in 5 minutes.
D - M - C - A
Re:Your ISP?? (Score:2)
Re:Bear in mind (Score:2)
Re:IP address in mail header (Score:2)
Not in any commercial dialup gear I have used. Generally, the PPP termination gear in a rack is assigned a pool of addresses to assign, or in some cases an IP is assigned to each modem. IP addresses for those with static IPs on a dialup (sort of rare) are generally obtained from a RADIUS server.
I can't even see why anyone would want to add the overhead of DHCP to this scenario. It would be a pretty precarious situation where a modem rack would not be assigned enough IPs to handle maxed out capacity, and this would be best handled internally within the concentrator's PPP termination s/w, so why throw another protocol and server into the fray?
I am not real sure how a typical Linux PPP daemon handles this, but that would be kind of irrelevant to this topic as few ISPs of any size use a Linux based PPPd, they use dedicated racks like 3Com, Lucent or Cisco primarily.
For the point of this article, I think this is irrelevant anyway. If the victim can get a couple IP addresses and exact times (probably from an intermediate SMTP host to ensure accuracy) the ISP, if they are cooperative and competent, can probably (with considerable work) get the CID data. You want multiples as you want to see the same CID info from several calls. There is a high risk of this not being fruitful though, as many ISPs do not log CID (or don't even get it), and it is often in a different log (call logs vs. radius) so they need to be cross-referenced.
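The cross-referencing this comment describes (and the pool-assignment description in the earlier "Re:IP address in mail header" post) can be shown with two small constructed logs: RADIUS accounting sessions, where a pool address is reused by the next caller once a session stops, and a terminal-server call log that is only joinable to them through NAS port plus connect time. This is an added example, not anything from the thread; the attribute names are the RFC 2866 ones, but the column layout, the sample accounts and the caller IDs are all assumptions.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed RADIUS accounting sessions (Start/Stop records already paired up).
# 203.0.113.45 is a pool address: it is held by jsmith, returned to the pool,
# and handed to tlee later the same morning, so the timestamp is what decides.
RADIUS_SESSIONS = [
    # User-Name, Framed-IP-Address, NAS-Port, Acct start, Acct stop
    ("jsmith", "203.0.113.45", 17, "2001-07-24 08:02:11", "2001-07-24 09:40:30"),
    ("tlee",   "203.0.113.45", 17, "2001-07-24 10:15:00", "2001-07-24 10:50:12"),
    ("jsmith", "203.0.113.52", 3,  "2001-07-25 21:10:05", "2001-07-25 23:01:44"),
]
# Constructed terminal-server call log. The modem answers a second or two before
# the Acct Start is written; None models a call where no caller ID was delivered.
CALL_LOG = [
    # NAS-Port, modem connect time, caller ID
    (17, "2001-07-24 08:02:09", "6125550123"),
    (17, "2001-07-24 10:14:58", None),
    (3,  "2001-07-25 21:10:02", "6125550123"),
]


def ts(s):
    return datetime.strptime(s, FMT)


def session_for(ip, when):
    """Accounting session that held `ip` at `when` (window, not just address)."""
    for user, addr, port, start, stop in RADIUS_SESSIONS:
        if addr == ip and ts(start) <= when <= ts(stop):
            return {"user": user, "port": port, "start": ts(start)}
    return None


def caller_id_for(session, slack=timedelta(seconds=30)):
    """Call-log line on the same NAS port whose connect time just precedes
    the Acct Start record; the only join key the two logs share."""
    for port, connect, cid in CALL_LOG:
        gap = session["start"] - ts(connect)
        if port == session["port"] and timedelta(0) <= gap <= slack:
            return cid              # may be None: CID not delivered or not logged
    return None


def trace(ip, when):
    """Resolve one (IP, time) sighting from a mail header to account + caller ID."""
    s = session_for(ip, when)
    if s is None:
        return None
    return {"user": s["user"], "port": s["port"], "caller_id": caller_id_for(s)}


def corroborate(sightings):
    """Several sightings from different mails should agree on account and CID;
    report what they resolve to and how many could not be matched at all."""
    results = [trace(ip, when) for ip, when in sightings]
    users = {r["user"] for r in results if r}
    cids = {r["caller_id"] for r in results if r and r["caller_id"]}
    return {"users": users, "caller_ids": cids, "unresolved": results.count(None)}


if __name__ == "__main__":
    print(trace("203.0.113.45", ts("2001-07-24 09:14:55")))
    print(corroborate([("203.0.113.45", ts("2001-07-24 09:14:55")),
                       ("203.0.113.52", ts("2001-07-25 22:00:00"))]))
```

A sighting whose IP belongs to an intermediate relay rather than the dialup pool resolves to nothing, which is why the comment's advice to take the address and time from the first hop, and to collect several of them, matters.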
Re:You sound like PD telling us "comply with robbe (Score:2)
Wow, does this include Jehovah's Witnesses? People selling magazines "just working my way through college"? People distributing those annoying pizza flyers always stuck in my door?
MMmm. My lawn will be littered with bodies.
excuse me... (Score:5)