Sasser Author Under Arrest, Say German Police

Apogee writes "A number of german news websites, like n-tv, or the german yahoo news site (courtesy of the german press agency, lending this some credibility) (web sites in german) report that the programmer of the Sasser worm has been arrested by German police. The Sasser author is an 18-year-old man who was arrested on Friday in Rotenburg, Germany. With the Sasser worm being the latest among worms that spread like wildfire among unpatched windows boxes, and apparently also caused serious computer outages and cost to the economy, how will this be transformed into an indictment?" Update: 05/08 18:41 GMT by T : SexySas writes "As the German news site heise reports, the 18-year-old author of Sasser is responsible for Netsky, too. The German police is talking about 'a milestone in war against cybercrime'."

phatbot authors busted too

[taran9000]

they were also arrested on Friday.

Articles in English

[metlin]

Here is Reuter's take [reuters.co.uk] on this and the news release at Biz Ink [prnewswire.com].

Phatbot comes from Germany, too

[smk]

See here in german [heise.de] and the google translation [google.com]. Official say, there is no connection. Well ...

Referenced Story in Der Spiegel

[RidiculousPie]

The article also referred to Der Spiegel
As reported in Der Spiegel [spiegel.de]

Cyber-terrorism

[amichalo]

...how will this be transformed into an indictment?

It looks like the Cyber-terrorism [etsu-tn.edu] laws are used (in the US) primary for this type of "cyber joyrider"

Re:Articles in English

[Zocalo]

And a few more at The BBC [bbc.co.uk], Sky News [sky.com], CNN... None of them have a great deal of detail yet though, nor is there any mention of the connection between Sasser and Skynet alledged in the code of one of the varients. [cnn.com]

Rothenburg an der Wümme.

[Qbertino]

We've got a few (3?) Rothenburg's in Germany. The one americans probably know the best is Rothenburg op der Tauber.
Rothenburg a. d. Wümme is not the medival postcard town, it's just a small boring northern german town. :-)
BTW: Wümme and Tauber are both rivers. German cities with same names ofter difference themselves by the rivers they lie at.

Re:I'm kinda curious

[mfh]

> How did they find this guy? Was it that he was bragging like in the former MS worm cases, or was there a "higher technological power" involved?

From Reuter [reuters.co.uk]: "Spokesman Frank Federau for Lower Saxony police said the man was arrested on Friday. He did not have the name of the suspect but said he was a schoolboy who lived with his parents near the central German town of Rotenburg.

"He is the programmer of the first version of the worm," said Federau. He said he did not have any details of how the suspect was found.

Police did not know if the suspect had also created other versions of the worm. They took all the teenager's computers from his parents' house, Federau said.

"He is still free. He is not in custody. There will now be a court case," he added."

Re:Will he go on trial

[Star_Gazer]

Since both Sasser and Phatbot developers are native germans, they will never be extradited. German constitution luckily forbids it. Only foreigns can be extradited to other countries and only if they don't have to fear death penalty and will get a fair trial.

Re:Will he go on trial

[rduke15]

Why would he have to be extradited? If he is guilty, he can be judged in Germany. And one cannot be judged more than once for the same crime.

Re:Not framed?

[zazzel]

Obviously, you don't know much about the german judicial system, nor about our police.

The boy is already back at home (no risk of escape) until he'll be tried. He'll probably get probation, at most. He'll MOST probably be tries under juvenile laws, which have the overruling goal of "educating" young people.

However, he'll be held responsible for the financial damages he's done.

Re:Will he go on trial

[frost22]

will never be extradited. Constitution luckily forbids it. FWIW, that article got a few exemptions recently for purposes of EU harmonisation. I don't know if they apply here, though,

Re:Liability

[varmit poontang]

If someone sets fire to a house. Are they not responsible for it burning down, whether or not it has sprinkler system or not. This tried to set a fire to all the computers in the world that didn't have their patches yet or sprinklers on. Its a simple thought. He set the fire, it destroyed the city, he is liable for what he has done. I'm just getting pissed that the virus writers are turning out to be teenagers. I mean, come on, go out on dates, go to the movies, play sports or something, why the hell are they staying home and doing this crap. And Microsoft, just start having your patches work, I'm sick of the patch for the patch for the patch because you couldn't get it right the first time.

Re:Not framed?

[zazzel]

To answer two posts in one:

- he cannot be extradited. The German constitution forbids that.
- juvenile laws *can* be applied for ages 18-21 (and very often are), and they have to be applied below.

My guess: juvenile law, probation and probably several 100 hours of social service. And financial damages, of course.

Anyways, shouldn't Microsoft be in his place?

Re:phatbot authors busted too

[Vlad_the_Inhaler]

Loerrach (where that article says the Agobot/Phatbot author comes from) is on the German/Swiss border and around 10 miles from the French border. The programmer was also apparently part of a group - others helped him write it.

Loerrach is about as far as you can get from the village the Sasser author came from and still be in Germany.

US authorities helped the German police in both cases.

Re:Not framed?

[Sique]

A german court can't award financial damage during a criminal process. If you want to claim financial damage, then you have to enter the trial as a "Nebenklaeger" (secondary plaintiff) and prove that you were financially damaged by the actions of the defendant.

I guess most people will be afraid to fully disclose in court how their IT management works and how their other business processes run to prove the amount of money they have lost due to Sasser.

Re:The auther prolly used WinXP

[cubic6]

Take your paranoid fantasies somewhere where people don't know enough to refute them.

First, when you compile an EXE file with MS tools, it follows a format called the Portable Executable format[1]. You can verify this by opening up the EXE in a hex editor. There are a few headers, a few sections for code and data, and maybe a debug section. There isn't a section called ".backdoor" or ".spyonuser". By examining it very carefully, it might be possible to determine which version of Windows produced it and what compiler, but you aren't going to find your MAC address, name, street address, and favorite color anywhere.

Second, if you're talking about a network backdoor, that's extremely unlikely also. You can see someone using a backdoor on a Backdoors aresimple packet dump. Set up a packet sniffer between your computer and your internet connection and watch for strange packets. Write a virus or something, and see if someone from MS makes a connection to your computer. If you're so paranoid as to think that MS has trojaned all the routers, switches and hubs in the world so as to make it completely impossible to trace, go see a psychiatrist.

[1] - Reference for the PE format: here [csn.ul.ie]

Microsoft was involved in getting him arrested

[falonaj]

According to the German Heise.de article [heise.de], the Sasser author was arrested after someone who knew him contacted Microsoft, showing authentic part of the source code.

Microsoft then called the German police.

they shoulda waited until MS announced a reward for it first!

I am sure the person who called Microsoft was doing this because s/he wanted the reward. Otherwise s/he would have gone directly to the police.

Translated quote from the article:

The first pointer to the writer came from the direct environment of the arrrested. In a phone call to Microsoft a person claimed to know the identity of the Sasser-author. After requests s/he also delivered parts of the source code, which Microsoft categorised as authentic in forensic analysis.

Probably ran his mouth

[Sycraft-fu]

Most criminals, espically the non-organized ones, suffer from a problem of running-of-the-mouth. Almost all of us do, actually. We like to brag about the things we've achieved to friends. However, when you are braging about legal exploits like winning the pot at the last card game, it's fine. Thing it most crooks also brag about their illegal exploits too. This is fine, until one of their friends (or friends of friends) turns them in.

Also most script kiddies/crackers run their mouth when they get caught. We had one on campus, he was using some program (I forget the name) that tried to spoof itself as the default gateway so all traffic would go through him and he could sniff passwords. He couldn't get it working right and it kept bringing down a part of the network. Well when we caught him he instantly confessed everything to us, then to the police.

The thing is that he (and those like him) are so convinced of their invenurability because of their anaonymity, that they are just totally unprepared to get caught. So when it does happen, they usually just break down and confess everything.