Sasser Author Under Arrest, Say German Police
Apogee writes "A number of German news websites, like n-tv, or the German Yahoo news site (courtesy of the German press agency, lending this some credibility) (web sites in German) report that the programmer of the Sasser worm has been arrested by German police. The Sasser author is an 18-year-old man who was arrested on Friday in Rotenburg, Germany.
With the Sasser worm being the latest among worms that spread like wildfire among unpatched Windows boxes, and apparently also caused serious computer outages and cost to the economy, how will this be transformed into an indictment?"
Update: 05/08 18:41 GMT by T : SexySas writes "As the German news site heise reports, the 18-year-old author of Sasser is responsible for Netsky, too. The German police is talking about 'a milestone in war against cybercrime'."
they caught him too soon (Score:5, Funny)
Microsoft involvement [Re:they caught him...] (Score:5, Interesting)
Hardly likely to have happened, since according to the Yahoo! Germany newswire, Microsoft gave the vital hint to the German police that led to the arrest. Which makes you wonder whether they scanned their Apache..erm..IIS server logfiles to see who was reading about certain security alerts.
Re:The auther prolly used WinXP (Score:5, Informative)
Take your paranoid fantasies somewhere where people don't know enough to refute them.
First, when you compile an EXE file with MS tools, it follows a format called the Portable Executable format[1]. You can verify this by opening up the EXE in a hex editor. There are a few headers, a few sections for code and data, and maybe a debug section. There isn't a section called ".backdoor" or ".spyonuser". By examining it very carefully, it might be possible to determine which version of Windows produced it and what compiler, but you aren't going to find your MAC address, name, street address, and favorite color anywhere.
Second, if you're talking about a network backdoor, that's extremely unlikely also. You can see someone using a backdoor on a simple packet dump. Set up a packet sniffer between your computer and your internet connection and watch for strange packets. Write a virus or something, and see if someone from MS makes a connection to your computer. If you're so paranoid as to think that MS has trojaned all the routers, switches and hubs in the world so as to make it completely impossible to trace, go see a psychiatrist.
[1] - Reference for the PE format: here [csn.ul.ie]
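Added example, not part of the original comment: a minimal Python reader for the PE layout the comment describes (DOS header, PE signature, COFF header, section table), run against a small PE image constructed inline. The sample bytes, the function names and the timestamp value are assumptions made for illustration.

```python
import struct


class PEFormatError(ValueError):
    """Raised when the input does not follow the PE layout."""


def parse_pe_sections(data: bytes) -> dict:
    """Return the COFF header fields and the section names of a PE image."""
    # DOS header: starts with "MZ"; offset 0x3C holds the PE header offset.
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise PEFormatError("missing MZ DOS header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise PEFormatError("missing PE signature")

    # COFF file header: 20 bytes directly after the 4-byte signature.
    (machine, nsections, timestamp, _symptr, _nsyms,
     opt_size, _flags) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)

    # The section table follows the optional header; 40 bytes per entry.
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsections):
        off = table + i * 40
        if off + 40 > len(data):
            raise PEFormatError("section table truncated")
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": rawsize,
            "raw_offset": rawptr,
        })
    return {"machine": machine, "timestamp": timestamp, "sections": sections}


def build_sample_pe() -> bytes:
    """Constructed sample: headers only, no optional header, no real code."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)       # PE header right after DOS header
    names = [b".text", b".data", b".rsrc"]
    coff = struct.pack("<HHIIIHH",
                       0x014C,                    # machine: i386
                       len(names),
                       0x409C0000,                # constructed link timestamp
                       0, 0,
                       0,                         # SizeOfOptionalHeader
                       0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n, 0x1000, 0x1000 * (i + 1),
                    0x200, 0x200 * (i + 1), 0, 0, 0, 0, 0)
        for i, n in enumerate(names))
    return bytes(dos) + b"PE\0\0" + coff + table


if __name__ == "__main__":
    info = parse_pe_sections(build_sample_pe())
    print(hex(info["machine"]), hex(info["timestamp"]))
    for s in info["sections"]:
        print(s["name"], hex(s["virtual_address"]), s["raw_size"])
```
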
Re:The auther prolly used WinXP (Score:3, Insightful)
Re:The auther prolly used WinXP (Score:3, Interesting)
I would like to say that my post was in reply to a post claiming that the virus author was captured because of a Microsoft backdoor in their own compiler products. He did not specify that the virus author had a trojaned copy, or that his compiler was altered in any way from one I might install. He i
Re:they caught him too soon (Score:5, Funny)
Microsoft was involved in getting him arrested (Score:3, Informative)
Microsoft then called the German police.
I am sure the person who called Microsoft was doing this because s/he wanted the reward. Otherwise s/he would have gone directly to the police.
Translated quote from the article:
Re:they caught him too soon (Score:4, Insightful)
No apology if they got the wrong guy.....
Re:they caught him too soon (Score:3, Interesting)
No apology if they got the wrong guy.....
Saturday on Slashdot seems to bring out an even higher proportion of anti-government conspiracy theorists than usual (I'm using your post as an example, but there are dozens of others in the thread below this). Sometimes I wonder how many of the posters here actually are script kiddies the
Re:they caught him too soon (Score:3, Insightful)
Computers can be formatted, and the whole deal mostly forgotten. Human lives don't exactly work the same way.
Re:they caught him too soon (Score:3, Insightful)
Re:they caught him too soon (Score:3, Interesting)
A computer system is not a unique person, but nowadays it's very much an extension of one. It has things I've written, things I've done, and important stuff I need to remember. If it's lost, a whole chunk of my life goes away.
I think the preoccupation society as a whole has with people breaking into computers is sick, especially c
Re:they caught him too soon (Score:4, Insightful)
Same with my house. When I leave my house, I lock the door. When I'm *home* I usually have the door locked too (this is more my husband's idea, though). Fortunately, Schlage generally has a good track record on not having easily-broken locks.
I think the preoccupation society as a whole has with people breaking into computers is sick, especially considering that many people are on the side of the person doing the attacks. And that disgusts me since I've seen what a horrible pain it is to recover from an attack.
Same with having your house burglarized. And yet, if you used a luggage lock to secure your front door, and your front door was right on the street, and there was no street lighting, neighborhood watch, etc., people would have a hard time sympathizing with you when you got ripped off. Especially if it was widely known that people keep getting broken into when they only use luggage locks to secure their personal belongings, and they're easily defeated (since they all pretty much have the same key).
For all the outrage I've gotten from my analogy, nobody's put a serious dent in my point: That people who do these things get away with it all the time, and that they somehow need to be stopped.
It's the risk-vs.-reward ratio. If you want to make it less attractive, the first thing to do is make it *harder*. When stealing someone's belongings doesn't require any breaking, just entering, it is more likely to happen. If you're homeless, your stuff gets stolen all the frickin' time. See how much the police care about tracking down the guy who stole it in *that* case. But a mansion in Beverly Hills with 24-hour armed response, noise- and motion-sensitive lighting and alarms, and guard dogs... sure they want to find out who did it, because that guy is *really* dangerous.
If you want to counteract my feelings and my analogy, let's hear some positive recommendations on how to deal with these people. What would you do to put the point in their heads that this kind of conduct hurts real people and has enormous costs?
First of all, you need to meet them halfway. People who keep their Windows installs updated didn't get hit by Sasser. I'm one of them, and I don't even have automatic updates enabled... I just go there every so often and get what's critical (after actually deciding if I agree that it's critical... Outlook Express is NOT). That's basic. Using a firewall will also protect you from Sasser, as will using a non-Windows operating system.
People don't have much sympathy here for victims of these worms because they generally painted a big target on themselves and said "come and get me." That's the difference between how much we care about catching the perps in this case and in others... in a sense, these guys are doing us all a favor, because they're reminding people to lock their doors with something more than an ounce of cheap metal.
Re:they caught him too soon (Score:4, Funny)
<TINFOIL-HAT>
No, the police want to find out who did it, because the BH guy happens to play golf with the Mayor, who pressures the Chief of Police to "catch the bastards who did this". Has nothing to do with the perceived danger of the burglar.
</TINFOIL-HAT>
Not framed? (Score:2, Flamebait)
Also what international terrorist law is he going to be tortured for?
Re:Not framed? (Score:3, Insightful)
I hope that they don't do this sort of thing in Germany. But I wouldn't bet on it. Military and police have a tendency to be the same sort of people in all countries.
Re:Not framed? (Score:2)
Re:Not framed? (Score:5, Informative)
The boy is already back at home (no risk of escape) until he'll be tried. He'll probably get probation, at most. He'll MOST probably be tried under juvenile laws, which have the overruling goal of "educating" young people.
However, he'll be held responsible for the financial damages he's done.
Re:Not framed? (Score:4, Informative)
- he cannot be extradited. The German constitution forbids that.
- juvenile laws *can* be applied for ages 18-21 (and very often are), and they have to be applied below.
My guess: juvenile law, probation and probably several 100 hours of social service. And financial damages, of course.
Anyways, shouldn't Microsoft be in his place?
Re:Not framed? (Score:5, Informative)
I guess most people will be afraid to fully disclose in court how their IT management works and how their other business processes run to prove the amount of money they have lost due to Sasser.
Re:Not framed? (Score:2)
Maybe he only wrote a variant - according to the articles he also admitted doing a netsky variant.
As for punishment, if the charges prove to be reasonable, expect him to be tried in juvenile court.
He was just helping his mother (Score:5, Interesting)
The motives of the alleged Sasser author were still unclear, but Der Spiegel suggested the teen may have wanted to drum up business for his mother, who owns a company offering assistance to computer owners.
Re:He was just helping his mother (Score:5, Funny)
phatbot authors busted too (Score:5, Informative)
Re:phatbot authors busted too (Score:4, Informative)
Loerrach is about as far as you can get from the village the Sasser author came from and still be in Germany.
US authorities helped the German police in both cases.
Articles in English (Score:5, Informative)
Re:Articles in English (Score:5, Informative)
I'm kinda curious (Score:5, Insightful)
Re:I'm kinda curious (Score:3, Informative)
From Reuters [reuters.co.uk]: "Spokesman Frank Federau for Lower Saxony police said the man was arrested on Friday. He did not have the name of the suspect but said he was a schoolboy who lived with his parents near the central German town of Rotenburg.
"He is the programmer of the first version of the worm," said Federau. He said he did not have any details of how the suspect
Probably Bragging (Score:5, Insightful)
Re:I'm kinda curious (Score:3, Interesting)
I think most of it is "bragging rights". Which is why you notice the most successful psychopaths in history are the quiet ones....
Probably ran his mouth (Score:3, Informative)
Also most script kiddies/crackers run their mouth when they get caught. W
does anyone... (Score:5, Funny)
Re:does anyone... (Score:5, Funny)
Easy enough (Score:2, Insightful)
IF that person is found to be guilty ( Remember kids, innocent until proven guilty! ) then that person will be solely held responsible for all damages Sasser has caused, is causing and will cause in the future.
Re:Easy enough (Score:2)
More links (Score:2)
An 18 year old has been arrested in Germany, suspected of being the creator of the Sasser [sophos.com] worm, as reported by Yahoo news [yahoo.com] and many others [google.com]. Sophos believes he may also be the author of Netsky [sophos.com].
About time (Score:4, Interesting)
as for MS, they should be considered just as guilty, with such a large corporate juggernaut they have, they should be able to look for these vulnerabilities early, and maybe go through some more extensive testing.. or at the VERY LEAST spend a million or so and tell the public they messed up, and how to fix it... (run windows update) at least this way, you have an educated public... ignorance is NOT strength.
Re:About time (Score:5, Funny)
Set the man free!!! (Score:5, Funny)
Will he go on trial (Score:3)
I guess the fact that he was in Germany, a country with a modern justice system and extradition treaties, will help. They have had a hell of a time in the past getting police in places like Russia and the Philippines to co-operate.
Just another interesting adventure in the globalized, internet-driven world I guess.
Re:Will he go on trial (Score:5, Informative)
Re:Will he go on trial (Score:3, Informative)
Re:Will he go on trial (Score:3, Informative)
Phatbot comes from Germany, too (Score:4, Informative)
So, how did he find the exploit? (Score:5, Interesting)
Realistically odds have to favour just reading the advisory, but there have been plenty of claims to the contrary.
The next question is, will any media actually bother to find out and publish the answer to that question. I'm guessing "absolutely no chance in hell".
Jedidiah.
Two possibilities (Score:5, Interesting)
Re:Two possibilities (Score:3, Insightful)
He's old enough to drive, work, vote, own a gun, go to war and die on the service of his country, and be elected to office.
That makes him a young man, not a kid.
Referenced Story in Der Spiegel (Score:2, Informative)
As reported in Der Spiegel [spiegel.de]
Ultimate punishment (Score:5, Funny)
Re:Ultimate punishment (Score:3, Insightful)
If he can do that, I'd consider his debt paid. Then I'd consider hiring him as a consultant.
Cyber-terrorism (Score:3, Informative)
Melissa Virus (Score:3, Interesting)
If so, the same thing could happen to this guy with the German government.
Rothenburg an der Wümme. (Score:5, Informative)
Rothenburg a. d. Wümme is not the medieval postcard town, it's just a small boring northern German town.
BTW: Wümme and Tauber are both rivers. German cities with the same names often differentiate themselves by the rivers they lie on.
Re: Muprjys law and net.spelling (Score:3, Funny)
I propose that this corollary be named "Muprjys law".
I wonder if we can settle a small question (Score:4, Interesting)
Sasser broke a new record in the time it took to find the worm, from the time the hole on which the worm was based was issued a public patch. Now that we, allegedly, have the worm's author, we can ask him whether it was rev-enged from the patch, or whether he had prior knowledge of the hole.
Shachar
P.S.
I would wager the former, but still interesting to get an authoritative answer.
Sentencing... (Score:2, Interesting)
I reckon he should get 10 minutes of prison time for every machine his trojan infected, since this is the time it probably takes someone on average to clean up the mess.
1,000,000 * 10 minutes = 166,667 hours = 6944 days = 19 years.
Seems fair to me, anyways...
Prison is not the solution (Score:5, Insightful)
nothing worse for a nerd than no computer.
Sending him to prison only makes him meet the really bad guys.
Jail is not the solution to everything. It denies you normal life, far beyond the duration of incarceration.
A benefit of Sasser/Blaster (Score:4, Insightful)
Idiot (Score:4, Insightful)
Step 1: Write virus/worm without your name, initials, alias, or any other identifying info.
Step 2: Release your virus/worm from an internet cafe, preferably one far from home, even a different city or country.
Step 3: Keep your mouth shut!!!
I mean, how hard can it be to avoid getting caught? I think most of these morons have the most trouble with steps 1 & 3, even if they're smart enough to manage step 2.
Times will change... (Score:3, Interesting)
Re:Idiot (Score:3, Insightful)
Re:Idiot (Score:3, Interesting)
If he is guilty... (Score:3, Funny)
You know, I really don't understand (Score:3, Interesting)
come down hard (Score:4, Insightful)
Re:come down hard (Score:5, Insightful)
Texas is the death penalty capital of the world. By your logic that would also make it the safest place in the world, yet people are murdered here every day. A person can be imprisoned for years (years!) if caught with trace amounts of cocaine, yet the crack epidemic is as strong as ever. Community services do more for crime prevention than the prison system can ever do. Prisons are necessary of course, if only to separate the truly incalcitrant, but the current reliance on them as a deterrent is simply pig-headed.
The point is, discipline is necessary, but not without compassion. Strict adherence to discipline for the sake of revenge merely engenders hatred in those being disciplined. Unless you kill that person, he will always be a problem. Compassion can divert that hatred so that lessons can truly be learned. Community based organizations can provide that, the prison system cannot.
They should just give the boy (if proven guilty) an appropriate penalty followed by a period of community service. Get the boy involved in his community and he will not be such a problem. That is the only answer to such things.
(Hey mods, mod the parent underrated. His opinion may be wrong, but it is valid nonetheless. It doesn't deserve a troll mod.)
Re:come down hard (Score:3, Interesting)
Re:come down hard (Score:3, Insightful)
Re:come down hard (Score:5, Insightful)
Actually, you are wrong on that one. Your rebuttal argument is flawed:
Texas is the death penalty capital of the world. By your logic that would also make it the safest place in the world, yet people are murdered here every day.
You are using a flawed control group: other random places in the world. For the control group to be valid you have to find a place with similar socio-economic characteristics *and* similar prison conditions but laxer sentencing practices.
Moreover, save for hardened criminals which tend not to act rationally, studies *have* shown that the common folk tend to adjust their rates of criminal behaviour in proportion to (a) likelihood of being caught (b) harshness of the penalty if caught and (c) potential reward as compared to living a straight life.
For example in a jurisdiction when a specific crime is suddenly punished in a much harsher way, criminals gravitate to less harshly punished activities.
Same studies have shown that a certain percentage of the drop in crime rates of that type are due to the simple reason that criminals are out of commission longer, due to the longer jail sentences (duh!). So even among the hardened criminals we see a reduction in crime rates, simply because they are in prison and off the streets.
hmmm (Score:3, Funny)
In other news, Osama Bin Laden renounces Islam and donates his fortune to the James Randi organisation.
Not to nitpick.... (Score:5, Insightful)
Btw, here's an English [cnn.com] version of the story.
The Microsoft Secret Police caught this kid (Score:5, Interesting)
"Microsoft signs security pact with Germany" http://news.com.com/2100-7343-5204643.html [com.com]
That was on May 4th... Today THEY GOT HIM. That's quite a remarkable effort from the Private Secret Police of Microsoft.
Robert
Sven hit Windows at questionable sweetspot (Score:4, Interesting)
http://news.bbc.co.uk/1/hi/technology/3687583.stm [bbc.co.uk]
"According to anti-virus firms machines running Windows 95, 98 and Millennium Edition can help spread Sasser even though they cannot be infected by it."
The 18 year old kid, (his name is Sven?) really hit Microsoft Windows at its weakest sweetspot: Federal ordered builtin hookups for "remote security management" and other "activities" as e.g. Spyware.
Robert
Germany eh? (Score:4, Interesting)
We found various infection scripts lying around, because Norton's quarantine seemed to have stopped the infection script in its tracks. One thing it did was to take the machine's details and upload them to an FTP server. A server in
We don't know if this invasion used the same exploit as Sasser, or if a small number of Sassered boxes get FTP status or what. But the German moviez + German FTP dropbox seems suspicious.
Luckily we had the IP-address, username, and password in the script, and were surprised to find we could login there and delete the info. Hopefully the hacker hadn't copied it, but the box has been re-installed from scratch.
And the user is now seriously contemplating Linux, after losing two days...
Baz
Sasser is my friend. (Score:3, Insightful)
Since the PC support group had recently reported that all machines were now in the auto-patch system, we were quite surprised to see almost 1% (which is a lot of machines, around here) get sasser.
Incidentally, a crude way to scan your network for sasser (let's just say you've got a linux box handy with samba,nmap,bash, grep and gawk and that your network is composed of three class C segments numbered 10.0.1.0, 10.0.2.0, 10.0.3.0 for the sake of example) is:
nmap -p 5554 -oG '-' 10.0.1-3.1-254 |gawk '/^Host.+5554\/open\/tcp/{print "nmblookup -A " $2}'|bash |grep "<00>"|grep -v GROUP
If your machines have useful netbios names (such as their location, for instance) and/or you know the names of your users, that should give you all the info you need.
Thank you Mr. Sasser author! You the man! Your non-destructive code was a public service from where I'm sitting (yes I know others feel differently - the real universe is subjective, neh?).
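Added example, not part of the original comment: the same check as the one-liner above, with the grepable nmap output parsed field by field in Python and the nmblookup calls built as argument lists instead of text piped into bash. The sample scan output, host names and function names are constructed for illustration; only `nmap -p 5554 -oG -` and `nmblookup -A` come from the comment.

```python
import ipaddress

# Constructed sample of `nmap -p 5554 -oG -` output (not from a real scan).
# The 10.0.3.9 line has 15554 open and 5554 filtered: a regex such as
# /^Host.+5554\/open\/tcp/ matches it, an exact field comparison does not.
SAMPLE_GREPABLE = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 10.0.1.17 ()\tPorts: 5554/open/tcp/////\n"
    "Host: 10.0.2.40 (pc-lab2)\tPorts: 5554/closed/tcp/////\n"
    "Host: 10.0.3.9 ()\tPorts: 15554/open/tcp/////, 5554/filtered/tcp/////\n"
    "Host: 10.0.3.77 (front-desk)\tPorts: 5554/open/tcp/////\n"
    "Host: not-an-ip ()\tPorts: 5554/open/tcp/////\n"
)


def hosts_with_open_port(grepable, port=5554, proto="tcp"):
    """Return the IPs whose Ports field lists exactly port/open/proto."""
    hits = []
    for line in grepable.splitlines():
        if not line.startswith("Host: "):
            continue                      # comment and summary lines
        fields = line.split("\t")
        head = fields[0].split()
        if len(head) < 2:
            continue
        try:
            ip = ipaddress.ip_address(head[1])
        except ValueError:
            continue                      # never pass unvalidated text on
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            entries = field[len("Ports: "):].split(",")
            for entry in entries:
                parts = entry.strip().split("/")
                if (len(parts) >= 3 and parts[0] == str(port)
                        and parts[1] == "open" and parts[2] == proto):
                    hits.append(str(ip))
                    break
    return hits


def nmblookup_commands(ips):
    """Build one argv list per host, suitable for subprocess.run(argv)."""
    return [["nmblookup", "-A", ip] for ip in ips]


if __name__ == "__main__":
    for argv in nmblookup_commands(hosts_with_open_port(SAMPLE_GREPABLE)):
        print(" ".join(argv))
```
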
Names & Reward (Score:3, Funny)
heise.de today mentions that Microsoft will pay $250000 to the (less than five) informants.
Re:MS (Score:3)
Re:MS (Score:2, Funny)
Re:MS (Score:3, Interesting)
I agree that worm writers are scum. They shouldn't be excused because someone else left a vulnerability for them to exploit.
But, especially at this point, I DO think that Microsoft deserves some blame too. SASSER follows in the wake of SQL Slammer and MSBlaster, arguably 2 of the most damaging buffer overflow exploits in many years. IIS has been repeatedly compromised by buffer overrun problems since its initial release.
It isn't hard to code an automated test for buffer overrun vulnerabilities. I hav
Re:MS (Score:4, Funny)
Someone would complain the default colour scheme was crap.
Re:MS (Score:2)
Re:MS (Score:2)
I -- Am -- Canadian!
> There is no such thing as a perfect system, in any engineering discipline.
By perfect, I meant: without bugs. I wasn't talking about features. Sorry for the confusion.
Re:Liability (Score:2, Funny)
the responsibility lies with vehicle manufacturers for not fitting tyres with kevlar inserts in the side walls as standard; and with motorists for not fitting them themselves.
Re:Liability (Score:2)
Re:Liability (Score:3, Interesting)
Re:Liability (Score:5, Insightful)
People lock their doors because they realize there is a threat, if they don't realize there is a threat, they lose stuff, but it is still criminal. Hopefully after the 5th time someone gets their house broken into they will realize that they need a lock, same goes with computers.
I'm no Microsoft fanboy (I don't even use Windows), but blaming them is like blaming a car manufacturer because your car got totaled when some jackass rear-ended you. You should have done your homework before you bought the car, and that still does not absolve the jackass.
Re:Liability (Score:3, Insightful)
The car manufacturer analogy still works, as they knowingly sold you the car without appropriate safety features. Do your homework -- yes -- but you can not expect people to know everything about a car or a computer.
Re:Liability (Score:5, Insightful)
This is more like just leaving your doors unlocked. There is no protocol for a system to advertise its vulnerabilities.
Without regard to whether your doors were locked it is illegal to steal things from your house.
Re:Liability (Score:3, Insightful)
Re:Liability (Score:2)
Your insurer might not pay up but the police will still arrest the guy for theft, criminal damage, or whatever it is he did while inside. The only difference is that he won't be done for breaking and entering.
NB: IANAL
Re:Liability (Score:5, Insightful)
That's ridiculous - people who don't wear bullet proof vests aren't "as liable" as the people who shoot them.
If you leave the doors to your house open, and a large neon sign over the threshold saying 'WELCOME', you'll be *damned* lucky if your insurer would pay up.
No, but you could press charges for burglary if somebody came into your house and stole something. Insurance is a matter of commercial contracts - we're talking about the law here.
If he hadn't exploited it, someone else would have, and the result would have been the same.
No, if someone else had exploited it, then the gentleman under discussion here most probably wouldn't be in police custody facing criminal charges right now.
The responsibility lies with Microsoft, for creating shite software, with inherent vulnerabilities, and with the users, for not bothering to have any kind of protection.
What kind of a world do you live in where the people who write and send out a virus are not liable for the damage it causes?
Re:Liability (Score:3, Insightful)
Re:Liability (Score:5, Insightful)
Actually, those are two completely separate issues.
Let's say you left your house and left your door unlocked. If a thief happened by, saw that it was unlocked, and came in and stole all of your belongings, the law in every jurisdiction that I know of is unequivocal: the thief is solely to blame.
On the other hand, if you put up a sign that said "welcome", then that could be construed as an explicit invitation to enter and the corresponding legal judgement would be less clear. You may recall cases way back when when some FTP sites said "Welcome To Private FTP site! Username: Password: ".. well.. some were broken into using brute force un pw attacks. The attackers were subsequently found and based their (largely successful) defense on the fact that it said "welcome!"
Now, about the rest of your point: about people being liable and Microsoft being liable; basically, it's wishful thinking from you, who knows nothing. I dare you to build me a house that cannot be broken into. It is NOT possible. The Windows OS has arguably hundreds of thousands of parts and interfaces and it is not reasonable to expect that every aspect has been checked for every possible potential flaw. I remind you that but a few weeks ago, a new flaw was found in TCPIP, arguably one of the most "eyeballed" standards in the history of computing.
Every window in your house can be broken, and a thief can enter by breaking it. The lock on your front door can be opened with a jimmy tool, your electric garage door opener signal can be captured and copied. Your hidden key under the bushes can be found. Your chimney may be a more or less perpetually open entrance, and yet nobody blames house builders or even home owners of gross negligence in such cases.
The fact is that in a society we recognize the inherent limits of any sort of physical protection. As many on Slashdot here have observed in other contexts (DRM), "if it can be broken, it will be" and "there are no unbreakable protection schemes."
Therefore, we must resort to law and the threat of punishment. It's not perfect, but it's what we have to do.
Re:Liability (Score:3, Informative)
Re:Liability (Score:3, Funny)
Using my brain I have worked out that he was meaning 'surely wrong'.
Re:Was it a big joke / mistake? (Score:3, Interesting)
Re:18 year old kid (Score:3, Insightful)
The kid.
Re:18 year old kid (Score:3, Funny)
The same people who don't teach students the difference between transitive and intransitive verbs?
Re:German police admit corporate control of courts (Score:3)
It's standard procedure for the police to work with external specialists.
The idiot who wrote that worm was released later that day and his trial will be in a couple of months where all kind of evidence is used to see if he is guilty or not.
Yes, most likely the statements of said specialists will be heard by the judge but wh