Become a fan of Slashdot on Facebook


Forgot your password?
Microsoft Operating Systems Security Software Windows

Sasser Author Under Arrest, Say German Police 549

Apogee writes "A number of german news websites, like n-tv, or the german yahoo news site (courtesy of the german press agency, lending this some credibility) (web sites in german) report that the programmer of the Sasser worm has been arrested by German police. The Sasser author is an 18-year-old man who was arrested on Friday in Rotenburg, Germany. With the Sasser worm being the latest among worms that spread like wildfire among unpatched windows boxes, and apparently also caused serious computer outages and cost to the economy, how will this be transformed into an indictment?" Update: 05/08 18:41 GMT by T : SexySas writes "As the German news site heise reports, the 18-year-old author of Sasser is responsible for Netsky, too. The German police is talking about 'a milestone in war against cybercrime'."
This discussion has been archived. No new comments can be posted.

Sasser Author Under Arrest, Say German Police

Comments Filter:
  • by ReallyQuietGuy ( 683431 ) on Saturday May 08, 2004 @09:04AM (#9092759)
    they shoulda waited until MS announced a reward for it first!

    • by j.leidner ( 642936 ) <leidner.acm@org> on Saturday May 08, 2004 @09:43AM (#9093017) Homepage Journal
      they shoulda waited until MS announced a reward for it first!

      Hardly likely to have happened, since according to the Yahoo! Germany newswire, Microsoft gave the vital hint to the German police that led to the arrest. Which makes you wonder whether they scanned their Apache..erm..IIS server logfiles to see who was reading about certain security alerts.

    • by gnu-generation-one ( 717590 ) on Saturday May 08, 2004 @10:44AM (#9093421) Homepage
      So when will the LSASS author be under arrest?
    • According to the German article [], the Sasser author was arrested after someone who knew him contacted Microsoft, showing authentic part of the source code.

      Microsoft then called the German police.

      they shoulda waited until MS announced a reward for it first!

      I am sure the person who called Microsoft was doing this because s/he wanted the reward. Otherwise s/he would have gone directly to the police.

      Translated quote from the article:

      The first pointer to the writer came from the direct environment

  • Not framed? (Score:2, Flamebait)

    by Luguber123 ( 203502 )
    How can one make sure he was not framed?

    Also what international terrorist law is he going to be tortured for?
    • Re:Not framed? (Score:3, Insightful)

      by rduke15 ( 721841 )
      Also what international terrorist law is he going to be tortured for?

      I hope that they don't do this sort of thing in Germany. But I wouldn't bet on it. Military and police have a tendency to be the same sort of people in all countries.
      • Forgot to add: it's the politicians role to keep the military and the police under control, and make sure they behave. Unfortunately, politicians mostly also tend to be the same sort of people in all countries...
        • Re:Not framed? (Score:5, Informative)

          by zazzel ( 98233 ) on Saturday May 08, 2004 @09:28AM (#9092936)
          Obviously, you don't know much about the german judicial system, nor about our police.

          The boy is already back at home (no risk of escape) until he'll be tried. He'll probably get probation, at most. He'll MOST probably be tries under juvenile laws, which have the overruling goal of "educating" young people.

          However, he'll be held responsible for the financial damages he's done.
  • by Anonymous Coward on Saturday May 08, 2004 @09:05AM (#9092767) iew/83848/1/.html

    The motives of the alleged Sasser author were still unclear, but Der Spiegel suggested the teen may have wanted to drum up business for his mother, who owns a company offering assistance to computer owners.
  • by taran9000 ( 466823 ) on Saturday May 08, 2004 @09:05AM (#9092772)
    they were also arrested on Friday.
  • Articles in English (Score:5, Informative)

    by metlin ( 258108 ) * on Saturday May 08, 2004 @09:06AM (#9092774) Journal
    Here is Reuter's take [] on this and the news release at Biz Ink [].

  • I'm kinda curious (Score:5, Insightful)

    by defile39 ( 592628 ) on Saturday May 08, 2004 @09:06AM (#9092778)
    How did they find this guy? Was it that he was bragging like in the former MS worm cases, or was there a "higher technological power" involved?
    • Re:I'm kinda curious (Score:3, Informative)

      by mfh ( 56 )
      > How did they find this guy? Was it that he was bragging like in the former MS worm cases, or was there a "higher technological power" involved?

      From Reuter []: "Spokesman Frank Federau for Lower Saxony police said the man was arrested on Friday. He did not have the name of the suspect but said he was a schoolboy who lived with his parents near the central German town of Rotenburg.

      "He is the programmer of the first version of the worm," said Federau. He said he did not have any details of how the suspect
    • Probably Bragging (Score:5, Insightful)

      by msgmonkey ( 599753 ) on Saturday May 08, 2004 @09:17AM (#9092864)
      However I am basing this on that fact he is 18 and on the assumption that he fits a profile of some kid who does n't have many friends and needs attention. I'm not saying I'm right, just my take as you'd be amazed on how many criminals get caught simply on the inability to keep their mouths shut.
    • If you read the book "The Hacker Crackdown" (free at, you'll find the FBI know that once they catch most crackers, they can't get them to shut the hell up afterwards.

      I think most of it is "bragging rights". Which is why you notice the most successful psychopaths in history are the quiet ones....
    • Most criminals, espically the non-organized ones, suffer from a problem of running-of-the-mouth. Almost all of us do, actually. We like to brag about the things we've achieved to friends. However, when you are braging about legal exploits like winning the pot at the last card game, it's fine. Thing it most crooks also brag about their illegal exploits too. This is fine, until one of their friends (or friends of friends) turns them in.

      Also most script kiddies/crackers run their mouth when they get caught. W
  • by Lxy ( 80823 ) on Saturday May 08, 2004 @09:07AM (#9092783) Journal
    find it ironic that an ad for Microsoft security services accompanies this story?
  • Easy enough (Score:2, Insightful)

    IF that person is found to be guilty ( Remember kids, innocent until proven guilty! ) than that person wil be solely held responsible for all damages Sasser has caused, is causing and will cause in the future.

  • Was just about to submit this story. I see my lins are different, so you may find them useful too (they are in English):

    An 18 year old has been arrested in Germany, suspect of being the creator of the Sasser [] worm, as reported by Yahoo news [] and many others []. Sophos believes he may also be the author of Netsky [].
  • About time (Score:4, Interesting)

    by Falconpro10k ( 602396 ) <{moc.liamg} {ta} {2kramj}> on Saturday May 08, 2004 @09:07AM (#9092789) Homepage
    granted, im no microsoft lover, but im also kind of against punks like this guy... he has probably cost me almost $500 since this worm started in my PERSONAL services to my friends and family in order to get this all cleared up..

    as for ms, they should be considered just as guilty, with such a large corporate juggernaught they have, they should be able to look for these vulnerabalities early, and maybe go through some more extensive testing.. or at the VERY LEAST spend a million or so and tell they public they messed up, and how to fix it... (run windows update) at least this way, you have a educated public... ignornance is NOT strength.
  • by bezza ( 590194 ) on Saturday May 08, 2004 @09:07AM (#9092790)
    He got me an afternoon off work!

  • by foidulus ( 743482 ) on Saturday May 08, 2004 @09:08AM (#9092796)
    In other countries? He did damage in more than one country, but with the tangled web of extradition treaties etc, how will other countries deal with his arrest? Will they demand justice?
    I guess the fact that he was in Germany, a country with a modern justice system and extradition treaties, will help. They have had a hell of a time in the past getting police in places like Russia and the Phillipines to co-operate.
    Just another interesting adventure in the globalized, internet-driven world I guess.
  • by smk ( 41995 ) <> on Saturday May 08, 2004 @09:09AM (#9092798) Homepage
    See here in german [] and the google translation []. Official say, there is no connection. Well ...
  • by Coryoth ( 254751 ) on Saturday May 08, 2004 @09:09AM (#9092799) Homepage Journal
    Excellent, hopefully they can ask hima simple question and we can put another argument to rest - Was he aware of the exploit from his own hacking, or being told about it by someone, or did he just read the exploit advisory from Microsoft when they released the patch?

    Realistically odds have to favour just reading the advisory, but there have been plenty of claims to the contrary.

    The next question is, will any media actually bother to find out and publish the answer to that question. I'm guessing "absolutely no chance in hell".

  • Two possibilities (Score:5, Interesting)

    by scum-e-bag ( 211846 ) on Saturday May 08, 2004 @09:09AM (#9092800) Homepage Journal
    Two possibilities as I see them. First the kid was stupid enough to write and release the worm from his own machine leaving behind traces or was not careful enough hiding his tracks. Second, the kids' machine was hacked and used to hide the real creator of the worm while releasing the worm. I haven't RTA but I think these two conclusions are logical.
    • by Alomex ( 148003 )
      First the kid ..

      He's old enough to drive, work, vote, own a gun, go to war and die on the service of his country, and be elected to office.

      That makes him a young man, not a kid.

  • The article also referred to Der Spiegel
    As reported in Der Spiegel []
  • by m00nun1t ( 588082 ) on Saturday May 08, 2004 @09:10AM (#9092810) Homepage
    Make him explain to my mother what a worm is, what he made it, and how to enable a firewall. That'd be punishment enough.
    • That would be OK so long as he makes sure she really gets it. A simple explanation is not enough, your mom needs to really understand and be able to secure her own network in the future.

      If he can do that, I'd consider his debt paid. Then I'd consider hiring him as a consultant.
  • Cyber-terrorism (Score:3, Informative)

    by amichalo ( 132545 ) on Saturday May 08, 2004 @09:11AM (#9092815) will this be transformed into an indictment?
    It looks like the Cyber-terrorism [] laws are used (in the US) primary for this type of "cyber joyrider"
  • Melissa Virus (Score:3, Interesting)

    by CptChipJew ( 301983 ) * <michaelmiller@g[ ] ['mai' in gap]> on Saturday May 08, 2004 @09:14AM (#9092838) Homepage Journal
    Didn't the creator of the Melissa virus get his sentence removed in exchange for helping the government with security stuff?

    If so, the same thing could happen to this guy with the German government.
  • by Qbertino ( 265505 ) <> on Saturday May 08, 2004 @09:14AM (#9092845)
    We've got a few (3?) Rothenburg's in Germany. The one americans probably know the best is Rothenburg op der Tauber.
    Rothenburg a. d. Wümme is not the medival postcard town, it's just a small boring northern german town. :-)
    BTW: Wümme and Tauber are both rivers. German cities with same names ofter difference themselves by the rivers they lie at.
  • by Sun ( 104778 ) on Saturday May 08, 2004 @09:17AM (#9092859) Homepage
    not really an important one, but still.

    Sasser broke a new record in the time it took to find the worm, from the time the hole on which the worm was based was issued a public patch. Now that we, allegedly, have the worm's author, we can ask him whether it was rev-enged from the patch, or whether he had prior knowledge of the hole.


    I would wager the former, but still interesting to get an authorative answer.
  • Sentencing... (Score:2, Interesting)

    by Ianoo ( 711633 )
    Much as I'm pissed off with Microsoft for putting out software with so many holes, I think virus writers still have a lot to answer for.

    I reckon he should get 10 minutes of prison time for every machine his trojan infected, since this is the time it probably takes someone on average to clean up the mess.

    1,000,000 * 10 minutes = 166,667 hours = 6944 days = 19 years.

    Seems fair to me, anyways...
    • by Councilor Hart ( 673770 ) on Saturday May 08, 2004 @11:30AM (#9093687)
      Give him an alternative sentence, like cleaning up computers as the next virus/worm hits. Or deny him computeracces for some time.
      nothing worse for a nerd then no computer.

      Sending him to prison only makes him meet the really bad guys.
      Jail is not the solution to everything. It denies you normal live, far beyond the duration of incarceration.

  • by mst76 ( 629405 ) on Saturday May 08, 2004 @09:23AM (#9092905)
    Sure, these worms did cause a lot of inconvenience and downtime and such. But a (probably unintended) benefit of their outbreaks was that many vulnerable machines are now actually patched. Without these worms, if you hit a random 2K/XP machine on the net, there is a very good chance that you can take over the machine through either DCOM or LSASS (port 135 and 445 IIRC). Essentially, everyone can gain access to millions of machines, and the owners would probably be totally unaware. I'm not trying to defend the worm writer, but we all know that millions of people simply wouldn't patch until the machines keeps rebooting every few minutes.
  • Idiot (Score:4, Insightful)

    by Pedrito ( 94783 ) on Saturday May 08, 2004 @09:25AM (#9092916)
    I'm sorry, but any virus or worm writer that gets busted is just plain stupid. It's so simply to NOT get caught:

    Step 1: Write virus/worm without your name, intials, alias, or any other identifying info.

    Step 2: Release your virus/worm from an internet cafe, preferably one far from home, even a different city or country.

    Step 3: Keep your mouth shut!!!

    I mean, how hard can it be to avoid getting caught? I think most of these morons have the most trouble with steps 1 & 3, even if they're smart enough to manage step 2.
    • If it becomes that easy, and people don't get caught, then governments will have to react. Government might force an identification system where there will be no anonymity. They might have closed networks, where countries that don't agree with us are shut out. 1984 is going to happen because of these people. And givernment will use it as a legitimate reason to take away freedom from the rest of us. The .0001% of people who are anti-social criminals are going to cause the other 99% of us to lose freedom. Tha
    • Re:Idiot (Score:3, Insightful)

      If virus and worm writers followed these guidelines, then I doubt there would be as many problems as there is now:
      1. Authors like to stamp the worms with their own signiture, as then they can boast about it with proof.
      2. I agree you with this, releasing it from a traceable system is stupid.
      3. If the authors did this, then a major benifit of them releasing the worm/virus is gone. Most of these things are done for bragging rights, and are not malicious. How many worms etc actually cause permanent damage to da
    • Re:Idiot (Score:3, Interesting)

      Step 1.5: Compile your virus/worm with something that doesn't uniquely identify your computer, like Visual Studio.
  • by darth_silliarse ( 681945 ) on Saturday May 08, 2004 @09:26AM (#9092925) Homepage
    ...I think he should be locked in a padded cell with a 486-SX and a copy of Windows v3.1 for company, I'd sooner have my left nut crushed in a vice rather than face that
  • by Freston Youseff ( 628628 ) on Saturday May 08, 2004 @09:35AM (#9092974) Homepage Journal
    how some of these so-called "genius" worm authors always manage to get busted. If any of them had a brain in their head and assuming they're not bed-ridden, they would stop being so headstrong and arrogant, and release the worm from an internet café. They could even wear a disguise, dye/cut their hair, or walk funny just in case the place had surveillance cameras about. It just seems to me that it would be so simple not to get caught at all.
  • come down hard (Score:4, Insightful)

    by KrisCowboy ( 776288 ) on Saturday May 08, 2004 @09:38AM (#9092988) Journal
    He should be punished to the maximum extent permitted by law - I don't care under which law. People who can't respect computers should not be allowed to (ab)use them. If he screws up his computer, it's his problem. But the moment he screws up boxes over internet, he's got to be punished hard. The punished should be harsh so that no other individual will ever attempt to write a virus. Microsoft users are already suffering with poor quality, tech-support and other stuff, guess they don't need viruses.
    • Re:come down hard (Score:5, Insightful)

      by Tin Foil Hat ( 705308 ) on Saturday May 08, 2004 @10:26AM (#9093309)
      Bullshit. Harsh penalties do *nothing* to deter crime.

      Texas is the death penalty capital of the world. By your logic that would also make it the safest place in the world, yet people are murdered here every day. A person can be imprisoned for years (years!) if caught with trace amounts of cocaine, yet the crack epidemic is as strong as ever. Community services do more for crime prevention than the prison system can ever do. Prisons are necessary of course, if only to separate the truly incalcitrant, but the current reliance on them as a deterance is simply pig-headed.

      The point is, discipline is necessary, but not without compassion. Strict adherance to discipline for the sake of revenge mearly engenders hatred in those being disciplined. Unless you kill that person, he will always be a problem. Compassion can divert that hatred so that lessons can truly be learned. Community based organizations can provide that, the prison system cannot.

      They should just give the boy (if proven guilty) an appropriate penalty followed by a period of community service. Get the boy involved in his community and he will not be such a problem. That is the only answer to such things.

      (Hey mods, mod the parent underrated. His opinion may be wrong, but it is valid non-the-less. It doesn't deserve a troll mod.)
      • Re:come down hard (Score:3, Interesting)

        by KrisCowboy ( 776288 )
        Well, thanks for the insightful info. Guess I just got carried away. You cannot compare a guy's drug problem to his computer problem. Addiction to drugs only shows that he's weak-willed. Writing viruses shows that he's not disciplined, or, he's watching matrix too many times :). You are right, a period of community service is going to help him. But not a short period of one month or year. I'd say, the period should be of (no of effected computers)*(2) days. That should keep him out of mischief for nearly 5-
      • Re:come down hard (Score:3, Insightful)

        by nyseal ( 523659 )
        Oh please. Long gone are the days where prisons are considered 'rehabilitation institutions' for possible release of criminals back into 'productive' society. Prisons exist for the sole purpose of keeping criminals off the street and (hopefully) not getting a chance to perpetuate their crimes. As far as I'm concerned, the longer the better. You're right that harsh penalties don't deter crime, however I for one sleep much better at night knowing that they're not out in the public on some socially accepte
      • Re:come down hard (Score:5, Insightful)

        by Alomex ( 148003 ) on Saturday May 08, 2004 @12:40PM (#9094100) Homepage
        Harsh penalties do *nothing* to deter crime.

        Actually, you are wrong on that one. Your rebuttal argument is flawed:

        Texas is the death penalty capital of the world. By your logic that would also make it the safest place in the world, yet people are murdered here every day.

        You are using a flawed control group: other random places in the world. For the control group to be valid you have to find a place with similar socio-economic characteristics *and* similar prison conditions but laxer sentencing practices.

        Moreover, save for hardened criminals which tend not to act rationally, studies *have* shown that the common folk tend to adjust their rates of criminal behaviour in proportion to (a) likelihood of being caught (b) harshness of the penalty if caught and (c) potential reward as compared to living a straight life.

        For example in a jurisdiction when a specific crime is suddenly punished in a much harsher way, criminals gravitate to less harshly punished activities.

        Same studies have shown that a certain percentage of the drop in crime rates of that type are due to the simple reason that criminals are out of comission longer, due to the longer jail sentences (duh!). So even among the hardened criminals we see a reduction in crime rates, simply because they are in prison and off the streets.

  • hmmm (Score:3, Funny)

    by Knights who say 'INT ( 708612 ) on Saturday May 08, 2004 @09:39AM (#9092994) Journal
    Slashdotters blaming someone other than Billy G or Stevie B for bad things.

    In other news, Osama Bin Laden renounces Islam and donates his fortune to the James Randi organisation.
  • Not to nitpick.... (Score:5, Insightful)

    by nobodyman ( 90587 ) on Saturday May 08, 2004 @09:43AM (#9093020) Homepage
    ...but this man is the suspected author of the worm. The authorities haven't released his identity, nor how they arrived at the determination that he is the author.

    Btw, Here'a an english [] version of the story.
  • by stock ( 129999 ) <> on Saturday May 08, 2004 @10:18AM (#9093259) Homepage
    Remember Minister Otto Schilly signing a security deal with Microsoft ?

    "Microsoft signs security pact with Germany" []

    That was on may 4th... Today THEY GOT HIM. Thats quite a remarkable effort from the Private Secret Police of Microsoft.


  • by stock ( 129999 ) <> on Saturday May 08, 2004 @10:58AM (#9093517) Homepage
    its rather striking that winME win95 win98 win98se are not harmed by sasser, they only help spreading. Only damage is done to win2k and higher. From which i conclude, that these windows versions are just security breaches, and only have such hookups for spyware and other "activities". Thats to be read here : []
    "According to anti-virus firms machines running Windows 95, 98 and Millennium Edition can help spread Sasser even though they cannot be infected by it."

    The 18 year old kid, (his name is Sven?) really hit Microsoft windows at its weakest sweetspot: Federal ordered builtin hookups for "remote security management" and other "activities" as e.g. Spyware.


  • Germany eh? (Score:4, Interesting)

    by Bazman ( 4849 ) on Saturday May 08, 2004 @11:21AM (#9093637) Journal
    Interesting. We had a machine fall over last week during the height of the Sasser panic. Norton AV had caught an installation of a Windows rootkit, and when we got to it (holiday weekend, so took three days), it had an FTP server installed with 19Gb of German-subtitled Moviez. Kill Bill 2 et al.

    We found various infection scripts lying around, because Norton's quarantine seemed to have stopped the infection script in its tracks. One thing it did was to take the machine's details and upload them to an FTP server. A server in .de of all places.

    We don't know if this invasion used the same exploit as Sasser, or if a small number of Sassered boxes get FTP status or what. But the German moviez + German FTP dropbox seems suspicious.

    Luckily we had the IP-address, username, and password in the script, and were suprised to find we could login there and delete the info. Hopefully the hacker hadn't copied it, but the box has been re-installed from scratch.

    And the user is now seriously contemplating Linux, after losing two days...

  • by Medievalist ( 16032 ) on Saturday May 08, 2004 @08:37PM (#9096808)
    Sasser showed me which windows machines did not have their auto-patch routines working.

    Since the PC support group had recently reported that all machines were now in the auto-patch system, we were quite suprised to see almost 1% (which is a lot of machines, around here) get sasser.

    Incidentally, a crude way to scan your network for sasser (let's just say you've got a linux box handy with samba,nmap,bash, grep and gawk and that your network is composed of three class C segments numbered,, for the sake of example) is:

    nmap -p 5554 -oG '-' 10.0.1-3.1-254 |gawk '/^Host.+5554\/open\/tcp/{print "nmblookup -A " $2}'|bash |grep "<00>"|grep -v GROUP

    If your machines have useful netbios names (such as their location, for instance) and/or you know the names of your users, that should give you all the info you need.

    Thank you Mr. Sasser author! You the man! Your non-destructive code was a public service from where I'm sitting (yes I know others feel differently - the real universe is subjective, neh?).
  • by damian ( 2473 ) on Sunday May 09, 2004 @05:41AM (#9098960) Homepage
    Maybe we find out about the real names and versions of all the Sasser and Netsky variants now. The ones we know now are just made up by the anti virus guys after all. today mentions that Microsoft will pay $250000 to the (less than five) informants.

The world is coming to an end--save your buffers!