
Sasser Author Under Arrest, Say German Police

Apogee writes "A number of German news websites, like n-tv, or the German Yahoo news site (courtesy of the German press agency, lending this some credibility) (web sites in German) report that the programmer of the Sasser worm has been arrested by German police. The Sasser author is an 18-year-old man who was arrested on Friday in Rotenburg, Germany. With the Sasser worm being the latest among worms that spread like wildfire among unpatched Windows boxes, and apparently also caused serious computer outages and cost to the economy, how will this be transformed into an indictment?" Update: 05/08 18:41 GMT by T : SexySas writes "As the German news site heise reports, the 18-year-old author of Sasser is responsible for Netsky, too. The German police are talking about 'a milestone in war against cybercrime'."

  • by Anonymous Coward on Saturday May 08, 2004 @09:05AM (#9092767)
    http://www.channelnewsasia.com/stories/afp_world/view/83848/1/.html

    The motives of the alleged Sasser author were still unclear, but Der Spiegel suggested the teen may have wanted to drum up business for his mother, who owns a company offering assistance to computer owners.
  • About time (Score:4, Interesting)

    by Falconpro10k ( 602396 ) <jmark2.gmail@com> on Saturday May 08, 2004 @09:07AM (#9092789) Homepage
    Granted, I'm no Microsoft lover, but I'm also kind of against punks like this guy... he has probably cost me almost $500 since this worm started in my PERSONAL services to my friends and family in order to get this all cleared up..

    As for MS, they should be considered just as guilty, with such a large corporate juggernaut they have, they should be able to look for these vulnerabilities early, and maybe go through some more extensive testing.. or at the VERY LEAST spend a million or so and tell the public they messed up, and how to fix it... (run Windows Update) at least this way, you have an educated public... ignorance is NOT strength.
  • by Coryoth ( 254751 ) on Saturday May 08, 2004 @09:09AM (#9092799) Homepage Journal
    Excellent, hopefully they can ask him a simple question and we can put another argument to rest - Was he aware of the exploit from his own hacking, or being told about it by someone, or did he just read the exploit advisory from Microsoft when they released the patch?

    Realistically odds have to favour just reading the advisory, but there have been plenty of claims to the contrary.

    The next question is, will any media actually bother to find out and publish the answer to that question. I'm guessing "absolutely no chance in hell".

    Jedidiah.
  • Two possibilities (Score:5, Interesting)

    by scum-e-bag ( 211846 ) on Saturday May 08, 2004 @09:09AM (#9092800) Homepage Journal
    Two possibilities as I see them. First, the kid was stupid enough to write and release the worm from his own machine, leaving behind traces, or was not careful enough hiding his tracks. Second, the kid's machine was hacked and used to hide the real creator of the worm while releasing the worm. I haven't RTA but I think these two conclusions are logical.
  • It is all a lie! (Score:1, Interesting)

    by Anonymous Coward on Saturday May 08, 2004 @09:12AM (#9092818)
    The Sasser author is an 18 year old man who was arrested on Friday in Rotenburg, Germany.

    There is no such thing as an 18 year old man. Only somewhat a slashdot would think such a thing. This is clearly an attempt to get someone to trip up and admit to it. It is a trap people, don't believe it!
  • by Anonymous Coward on Saturday May 08, 2004 @09:13AM (#9092828)

    A program exploits the extremely poor security track record of Microsoft products to spread itself. In my eyes, the provider of the broken software (=Microsoft) is just as much guilty as the person who made the self-disseminating program.

    But history has shown that Microsoft cannot be sued while expecting to win. It's too big. In other words, Microsoft is above the law.

  • Melissa Virus (Score:3, Interesting)

    by CptChipJew ( 301983 ) * <{michaelmiller} {at} {gmail.com}> on Saturday May 08, 2004 @09:14AM (#9092838) Journal
    Didn't the creator of the Melissa virus get his sentence removed in exchange for helping the government with security stuff?

    If so, the same thing could happen to this guy with the German government.
  • by Sun ( 104778 ) on Saturday May 08, 2004 @09:17AM (#9092859) Homepage
    not really an important one, but still.

    Sasser broke a new record in the time it took to find the worm, from the time the hole on which the worm was based was issued a public patch. Now that we, allegedly, have the worm's author, we can ask him whether it was rev-enged from the patch, or whether he had prior knowledge of the hole.

    Shachar

    P.S.
    I would wager the former, but still interesting to get an authoritative answer.
  • Sentencing... (Score:2, Interesting)

    by Ianoo ( 711633 ) on Saturday May 08, 2004 @09:20AM (#9092886) Journal
    Much as I'm pissed off with Microsoft for putting out software with so many holes, I think virus writers still have a lot to answer for.

    I reckon he should get 10 minutes of prison time for every machine his trojan infected, since this is the time it probably takes someone on average to clean up the mess.

    1,000,000 * 10 minutes = 166,667 hours = 6944 days = 19 years.

    Seems fair to me, anyways...
  • by Tango42 ( 662363 ) on Saturday May 08, 2004 @09:23AM (#9092902)
    It has the feel of a proof of concept to me. It distributes fine, but doesn't actually do anything (the crashing appears to be a bug, and the CPU usage is an unavoidable consequence of the distribution process). I wouldn't be surprised if a version with a payload is released soon.
  • Re:Liability (Score:3, Interesting)

    by Rolo Tomasi ( 538414 ) on Saturday May 08, 2004 @09:30AM (#9092949) Homepage Journal
    This comparison is misleading. You can't physically hurt people through computers. In fact, the damage caused is rather hard to assess ... most is just a few hours of people's time. Now, you could sum up all the work hours and arrive at a huge amount, but then what about the other things that steal workers' time, like rebooting the OS, messing around with driver problems or application bugs that cause work to be lost? The software vendors aren't held responsible for these.
  • Times will change... (Score:3, Interesting)

    by John Seminal ( 698722 ) on Saturday May 08, 2004 @09:31AM (#9092952) Journal
    If it becomes that easy, and people don't get caught, then governments will have to react. Government might force an identification system where there will be no anonymity. They might have closed networks, where countries that don't agree with us are shut out. 1984 is going to happen because of these people. And government will use it as a legitimate reason to take away freedom from the rest of us. The .0001% of people who are anti-social criminals are going to cause the other 99% of us to lose freedom. That is why they should be punished harshly when they get caught.
  • by Freston Youseff ( 628628 ) on Saturday May 08, 2004 @09:35AM (#9092974) Homepage Journal
    how some of these so-called "genius" worm authors always manage to get busted. If any of them had a brain in their head and assuming they're not bed-ridden, they would stop being so headstrong and arrogant, and release the worm from an internet café. They could even wear a disguise, dye/cut their hair, or walk funny just in case the place had surveillance cameras about. It just seems to me that it would be so simple not to get caught at all.
  • by Anonymous Coward on Saturday May 08, 2004 @09:42AM (#9093008)
    It's only in German:

    http://www.heise.de/newsticker/meldung/47209

    While the Sasser author comes from the northern part of Germany, at least one of the Phatbot writers is from the southern part of Germany. They don't seem to have any direct connection.

    cb
  • they shoulda waited until MS announced a reward for it first!

    Hardly likely to have happened, since according to the Yahoo! Germany newswire, Microsoft gave the vital hint to the German police that led to the arrest. Which makes you wonder whether they scanned their Apache..erm..IIS server logfiles to see who was reading about certain security alerts.

  • Re:MS (Score:3, Interesting)

    by Anonymous Coward on Saturday May 08, 2004 @09:46AM (#9093040)
    Whoa!

    I agree that worm writers are scum. They shouldn't be excused because someone else left a vulnerability for them to exploit.

    But, especially at this point, I DO think that Microsoft deserves some blame too. SASSER follows in the wake of SQL Slammer and MSBlaster, arguably 2 of the most damaging buffer overflow exploits in many years. IIS has been repeatedly compromised by buffer overrun problems since its initial release.

    It isn't hard to code an automated test for buffer overrun vulnerabilities. I have done it myself for embedded designs that I have done with TCP/IP capabilities. Admittedly, it was a much simpler task for my circumstances since my products support a very limited subset of TCP/IP, but then I don't have a legion of programmers at my disposal either.

    Here's my point: given that you had a product that had suffered buffer overrun problems for years, wouldn't you test specifically for buffer overrun problems before release? Maybe I would give NT and Win 2000 problems a pass but Win2k3 and XP were both released after a long history of buffer overrun problems. Why didn't Microsoft test specifically for buffer overrun problems before releasing them?
  • by stock ( 129999 ) <stock@stokkie.net> on Saturday May 08, 2004 @10:18AM (#9093259) Homepage
    Remember Minister Otto Schily signing a security deal with Microsoft?

    "Microsoft signs security pact with Germany" http://news.com.com/2100-7343-5204643.html [com.com]

    That was on May 4th... Today THEY GOT HIM. That's quite a remarkable effort from the Private Secret Police of Microsoft.

    Robert

  • Re:come down hard (Score:3, Interesting)

    by KrisCowboy ( 776288 ) on Saturday May 08, 2004 @10:39AM (#9093381) Journal
    Well, thanks for the insightful info. Guess I just got carried away. You cannot compare a guy's drug problem to his computer problem. Addiction to drugs only shows that he's weak-willed. Writing viruses shows that he's not disciplined, or, he's watching Matrix too many times :). You are right, a period of community service is going to help him. But not a short period of one month or year. I'd say, the period should be of (no. of affected computers)*(2) days. That should keep him out of mischief for nearly 5-8 years. Because, when a drug-addict stays clean for a month, there's always a chance of his getting back to business on the 31st day. If he stays clean for 5 years, it's difficult to get back. Or, when a security vulnerability is detected, those rich bastards at M$ should pay a reward to the guys who fix it, and fix it effectively in a short time.
  • by stock ( 129999 ) <stock@stokkie.net> on Saturday May 08, 2004 @10:58AM (#9093517) Homepage
    It's rather striking that WinME, Win95, Win98 and Win98SE are not harmed by Sasser, they only help spreading. Only damage is done to Win2k and higher. From which I conclude that these Windows versions are just security breaches, and only have such hookups for spyware and other "activities". That's to be read here:

    http://news.bbc.co.uk/1/hi/technology/3687583.stm [bbc.co.uk]
    "According to anti-virus firms machines running Windows 95, 98 and Millennium Edition can help spread Sasser even though they cannot be infected by it."

    The 18 year old kid (his name is Sven?) really hit Microsoft Windows at its weakest sweetspot: Federal ordered builtin hookups for "remote security management" and other "activities" as e.g. Spyware.

    Robert

  • Germany eh? (Score:4, Interesting)

    by Bazman ( 4849 ) on Saturday May 08, 2004 @11:21AM (#9093637) Journal
    Interesting. We had a machine fall over last week during the height of the Sasser panic. Norton AV had caught an installation of a Windows rootkit, and when we got to it (holiday weekend, so took three days), it had an FTP server installed with 19Gb of German-subtitled Moviez. Kill Bill 2 et al.

    We found various infection scripts lying around, because Norton's quarantine seemed to have stopped the infection script in its tracks. One thing it did was to take the machine's details and upload them to an FTP server. A server in .de of all places.

    We don't know if this invasion used the same exploit as Sasser, or if a small number of Sassered boxes get FTP status or what. But the German moviez + German FTP dropbox seems suspicious.

    Luckily we had the IP-address, username, and password in the script, and were surprised to find we could login there and delete the info. Hopefully the hacker hadn't copied it, but the box has been re-installed from scratch.

    And the user is now seriously contemplating Linux, after losing two days...

    Baz
  • Re:Idiot (Score:3, Interesting)

    by Elwood P Dowd ( 16933 ) <judgmentalist@gmail.com> on Saturday May 08, 2004 @11:49AM (#9093796) Journal
    Step 1.5: Compile your virus/worm with something that doesn't uniquely identify your computer, like Visual Studio.
  • Re:Idiot (Score:1, Interesting)

    by Anonymous Coward on Saturday May 08, 2004 @12:27PM (#9094033)
    Specifically, it is rumored that the Phatbot source code was released because those who ordered the worm did not pay and the author tried to render the already delivered worm unusable by giving anti-virus companies a chance to create signatures before or quickly after it was used.
  • Re:Sentencing... (Score:2, Interesting)

    by Jo_2521 ( 207080 ) on Saturday May 08, 2004 @12:37PM (#9094079)
    19 years...

    Sure, murderers get 25 years, so why should someone who caused no physical harm to humans but inconvenience and loss of money be fined for much less?

    Funny that this is the same slashdot that also rejects the idea of 5 years in jail for copyright infringement (at least when it's about music).

    Get some principles, people.
  • An 18 year old? (Score:1, Interesting)

    by Anonymous Coward on Saturday May 08, 2004 @01:07PM (#9094226)
    An 18 year old with enough skill to find a buffer overflow exploit in Windows RPC, and then to write shell code (it's pure x86 asm) so that it can spread like wild fire...

    this kid is either an experienced systems programmer,
    a skript kiddie (just unleashed it through out the world),
    or a scapegoat.

    C'mon, I thought slashdotters were KNOWLEDGEABLE about this kinda shit. You people taking this at face value?

    ugh.
  • Re:I'm kinda curious (Score:3, Interesting)

    by Dark Paladin ( 116525 ) * <jhummel.johnhummel@net> on Saturday May 08, 2004 @01:35PM (#9094356) Homepage
    If you read the book "The Hacker Crackdown" (free at peanutpress.com), you'll find the FBI know that once they catch most crackers, they can't get them to shut the hell up afterwards.

    I think most of it is "bragging rights". Which is why you notice the most successful psychopaths in history are the quiet ones....
  • by daviddennis ( 10926 ) <david@amazing.com> on Saturday May 08, 2004 @01:49PM (#9094426) Homepage
    It was an exaggeration to make a point: That people whose computers get broken into or hit by virus and worm attacks feel real suffering and pain from the experience, as I did.

    A computer system is not a unique person, but nowadays it's very much an extension of one. It has things I've written, things I've done, and important stuff I need to remember. If it's lost, a whole chunk of my life goes away.

    I think the preoccupation society as a whole has with people breaking into computers is sick, especially considering that many people are on the side of the person doing the attacks. And that disgusts me since I've seen what a horrible pain it is to recover from an attack.

    It frustrates me that people deliberately and maliciously seek out to cause uncountable numbers of innocent people pain. I think people who are sick enough to act that way deserve to be weeded out and removed from society.

    For all the outrage I've gotten from my analogy, nobody's put a serious dent in my point: That people who do these things get away with it all the time, and that they somehow need to be stopped.

    If you want to counteract my feelings and my analogy, let's hear some positive recommendations on how to deal with these people. What would you do to put the point in their heads that this kind of conduct hurts real people and has enormous costs?

    D
  • by badasscat ( 563442 ) <basscadet75@@@yahoo...com> on Saturday May 08, 2004 @03:19PM (#9094985)
    "No due process, no suspect's rights, no Miranda warning, no 5th amendment, no court-appointed attorney, no judge, no jury, no appeals, no comfy jail cell, etc, etc, etc...."

    No apology if they got the wrong guy.....


    Saturday on Slashdot seems to bring out an even higher proportion of anti-government conspiracy theorists than usual (I'm using your post as an example, but there are dozens of others in the thread below this). Sometimes I wonder how many of the posters here actually are script kiddies themselves.

    The fact is this guy confessed [yahoo.com]. And not only did he confess, he apparently provided great detail on various worms that he's created. They also found the source code on his PC. That seems like pretty compelling evidence to back up his confession.

    I was surprised to read he's only eligible for 5 years in prison. My wife joked "well, he'll get a free dorm room for college". I'm sorry, but this is not a deterrent, which is the point of having criminal penalties in the first place. From the news article, it sounds like he's clearly not very scared. They need to extradite him somewhere where he can really be forced to pay the price for the damage he's caused.

    Everybody here should support throwing the book at guys like this. This is the internet we're talking about here, and worms like sasser at best make it harder to use, at worst can take down corporate networks (which sasser did) and even 911 systems, defense networks, hospital networks, etc.
  • by CowboyNick ( 612553 ) on Saturday May 08, 2004 @05:06PM (#9095623)
    Um no, typical broken window fallacy... [wikipedia.org]
  • As a sibling poster mentioned somewhat rudely, yes, it's entirely possible to embed information in an EXE file using steganographic techniques. I retract any part of my statements which attempts to deny that.

    I would like to say that my post was in reply to a post claiming that the virus author was captured because of a Microsoft backdoor in their own compiler products. He did not specify that the virus author had a trojaned copy, or that his compiler was altered in any way from one I might install. He implied that there was a backdoor in the standard installation of MS tools and Windows which inserted enough personal information for tracking. I'd simply like to state that under the conditions stated by original poster, that technique is not practical, and extremely unlikely.
