Cyber-terrorist or publicity-seeker?
7th January 2003 (The Star)
By RASLAN SHARIF

A purportedly Malaysian virus writer has threatened to unleash a "megavirus" if the United States attacks Iraq, but experts say his track record in developing viruses is poor and describe it as a low threat.

Several observers have also questioned the virus writer's Malaysian nationality, which was first reported by IT publication Computerworld in November last year.

In an exclusive interview with the trade paper, "Vladimor Chamlkovic" said he had written a worm - codenamed Scezda - that incorporated the features of the Sircam, Klez and Nimda worms.

Chamlkovic, who also uses the nickname or handle "Melhacker," said then that the worm was tested and ready to be released.

He warned that "I will ... launch this worm if America attacks Iraq."

News of the threat spread, but virus experts were quick to question Chamlkovic's ability to develop a highly destructive virus.

Although he is believed to be the writer of several worms that have been unleashed over the last few years, they have been lightweight fodder for most antivirus software in use today.

Antivirus company Symantec Corp lists worms that Chamlkovic claims to have written or that bear his handle, but all have been found by the company to have had low geographical distribution, and have been rated as threats that are "easy" to contain and remove.

A posting on the Internet Security News mailing list hosted by computer security website Attrition.org described Chamlkovic's work as "five or six of the most pathetic worms you could (probably) find on Symantec's site."

Others found the announcement of an impending "megavirus" release too good to be taken seriously.

"Scezda ... don't you just love it when hackers pre-announce their diabolical creations," said Rob Rosenberger, editor of security website Vmyths.com and a virus expert.

Rosenberger was invited by the US Government to give his views at the first White House Internet security summit called by former president Bill Clinton two years ago.

Not losing sleep

Several antivirus and network security companies said that while a "megavirus" of the sort Chamlkovic claims to have developed could be written, it would not represent an uncontrollable threat.

"It is possible to combine the techniques of different viruses ... (but) these kinds of viruses are no more difficult to detect than other viruses," said Sophos AntiVirus Plc senior technology consultant Graham Cluley.

He added that "just because a virus-writer screams and shouts about his upcoming virus does not necessarily mean we should be losing sleep."

e-Cop.net Surveillance Sdn Bhd CEO Alan See said that although "virus threats are very common, our company takes all security threats seriously until they have been classified as harmless."

Local security expert Dinesh Nair said: "One must always take threats like this seriously, (but) let's look at this with a cool head ... all he's done is to make a threat, and for all we know, this could be the screams of an attention-seeker."

He added that "by glorifying him and increasing the press coverage on this issue, you're all playing into his hands."

Chamlkovic has already got his share of attention from the US media, from trade publications like Computerworld and Wired, as well as tabloids like The New York Post, which also ran an "exclusive" interview with him in December.

Computerworld described him as being "sympathetic to the cause of the al-Qaeda and Iraq."

Antivirus software providers McAfee Security and Trend Micro Inc reported the presence of what might have been an early version of Scezda last November.

McAfee said that Chamlkovic had submitted the virus in early November and referred to the threat he had made in his Computerworld interview.

Both companies said the Scezda version they had did not work due to bugs and errors in the code.

What's in a name

Of more interest locally is the question of Chamlkovic's purported nationality. Vladimor Chamlkovic is not, by any stretch of imagination, a typical Malaysian name.

Some local newsgroups greeted Computerworld's story with scepticism, largely due to his Slavic-sounding name, possibly Russian.

"Does the writer even know where in the world Malaysia is?" asked one incredulous user on an Open Source newsgroup two days after the story was published.

On the same newsgroup then, Dinesh had speculated that Chamlkovic was a "Russian virus writer who has (either) compromised a server located in Malaysia from which he launches his viruses, or has a local accomplice to distribute the code and translate his website."

A few things could be used to support the latter view. Chamlkovic maintains a website, Melhacker Inc, in both English and Bahasa Malaysia, although only the latter is accessible, with a Russian version supposedly in the works.

Attempts to access the English version are met with a statement from Melhacker, Chamlkovic's handle, saying that it is being updated.

His Bahasa Malaysia website has no mention of the name Vladimor Chamlkovic, only Melhacker, although an earlier English version, which was cached by search engine Google, states matter-of-factly that his "realname (sic) is Vladimor Chamlkovic."

The Bahasa Malaysia website is currently hosted by web services provider Netlux, believed to be based in the Ukraine.

The website was written by someone with a good command of the language, and the chances of a Russian virus-writer possessing those skills are probably slim.

In addition, Computerworld quoted US-based security company IDefense as claiming that Chamlkovic maintained close ties with a person named Nur Mohammad Kamil, which, at least, could be a Malaysian name.

Besides bearing the name of Osama bin Laden and containing text glorifying God, some of the viruses attributed to Chamlkovic provide hints of their origin – part of a text string in the VBS.Melhack@mm worm says "Made in Malaysia," while another in the VBS.OsamaLaden@mm virus says "Create (sic) by Vladimor Chamlkovic & Nur Mohammad Kamil."

Antivirus companies have also pinned down several of his viruses as having originated from Malaysia, including the "early" Scezda virus.

This evidence strengthens Dinesh's belief that Chamlkovic has a local accomplice, namely Kamil.

A brilliant disguise

But several questions could still be asked of Chamlkovic's true identity, and the parties claiming that he is Malaysian could be right after all, despite the Russian-sounding name.

Chamlkovic said in his interview with Computerworld that he has "close ties with Russian hackers." Local observers asked why a Russian virus-writer would want to claim close ties with his peers, who are more renowned than Malaysian ones.

On the other hand, a glory-seeking but relatively unknown and low-skilled Malaysian virus-writer would probably seek help from, and publicise his ties with, others who were better known for their expertise in the field.

"(Skills-wise), Malaysia isn't in any way disadvantaged, (but) there will be a lot of people who (would) claim competencies they do not have," said Dinesh.

More significantly, ethnic Russian virus-writers sympathetic to the al-Qaeda would probably be just as hard to find as Bahasa Malaysia-literate ones.

"I have no doubt that there are enough people here who, if they want, can create such malware," said Dr Nah Soo Hoe, a Malaysian National Computer Confederation council member who is involved in drawing up information security standards for the country.

However, he added that time should not be spent debating on whether the virus-writer was a Malaysian or not.

Meanwhile the National ICT Security and Emergency Response Centre (Niser) said it was aware of the threat and that it was currently being investigated by the relevant authorities.

Niser director Maj. Husin Jazri advised that the issue not be highlighted as "it gives the world a wrong impression of Malaysia, and may jeopardise the investigation."

He declined to comment further.

- With additional reporting by H. AMIR KHALID & RAVIND RAMESH