Sasser Author Under Arrest, Say German Police

Apogee writes "A number of german news websites, like n-tv, or the german yahoo news site (courtesy of the german press agency, lending this some credibility) (web sites in german) report that the programmer of the Sasser worm has been arrested by German police. The Sasser author is an 18-year-old man who was arrested on Friday in Rotenburg, Germany. With the Sasser worm being the latest among worms that spread like wildfire among unpatched windows boxes, and apparently also caused serious computer outages and cost to the economy, how will this be transformed into an indictment?" Update: 05/08 18:41 GMT by T : SexySas writes "As the German news site heise reports, the 18-year-old author of Sasser is responsible for Netsky, too. The German police is talking about 'a milestone in war against cybercrime'."

they caught him too soon

[ReallyQuietGuy]

they shoulda waited until MS announced a reward for it first!

Microsoft involvement [Re:they caught him...]

[j.leidner]

they shoulda waited until MS announced a reward for it first!

Hardly likely to have happened, since according to the Yahoo! Germany newswire, Microsoft gave the vital hint to the German police that led to the arrest. Which makes you wonder whether they scanned their Apache..erm..IIS server logfiles to see who was reading about certain security alerts.

Re:The auther prolly used WinXP

[cubic6]

Take your paranoid fantasies somewhere where people don't know enough to refute them.

First, when you compile an EXE file with MS tools, it follows a format called the Portable Executable format[1]. You can verify this by opening up the EXE in a hex editor. There are a few headers, a few sections for code and data, and maybe a debug section. There isn't a section called ".backdoor" or ".spyonuser". By examining it very carefully, it might be possible to determine which version of Windows produced it and what compiler, but you aren't going to find your MAC address, name, street address, and favorite color anywhere.

Second, if you're talking about a network backdoor, that's extremely unlikely also. You can see someone using a backdoor on a Backdoors aresimple packet dump. Set up a packet sniffer between your computer and your internet connection and watch for strange packets. Write a virus or something, and see if someone from MS makes a connection to your computer. If you're so paranoid as to think that MS has trojaned all the routers, switches and hubs in the world so as to make it completely impossible to trace, go see a psychiatrist.

[1] - Reference for the PE format: here [csn.ul.ie]

Re:The auther prolly used WinXP

[cubic6]

The nice part about bringing steganography into the argument is that it has deniability: It's pretty much impossible to prove that something does *not* contain steganography. I can't argue that it's impossible for EXE files to contain steganographic information, but I will argue that it's extremely unlikely given the specific circumstances in original parent.

Re:The auther prolly used WinXP

[cubic6]

As a sibling poster mentioned somewhat rudely, yes, it's entirely possible to embed information in an EXE file using steganographic techniques. I retract any part of my statements which attempts to deny that.

I would like to say that my post was in reply to a post claiming that the virus author was captured because of a Microsoft backdoor in their own compiler products. He did not specify that the virus author had a trojaned copy, or that his compiler was altered in any way from one I might install. He i

Re:they caught him too soon

[gnu-generation-one]

So when will the LSASS author be under arrest?

Microsoft was involved in getting him arrested

[falonaj]

According to the German Heise.de article [heise.de], the Sasser author was arrested after someone who knew him contacted Microsoft, showing authentic part of the source code.

Microsoft then called the German police.

they shoulda waited until MS announced a reward for it first!

I am sure the person who called Microsoft was doing this because s/he wanted the reward. Otherwise s/he would have gone directly to the police.

Translated quote from the article:

The first pointer to the writer came from the direct environment

Re:they caught him too soon

[d'fim]

"No due process, no suspect's rights, no Miranda warning, no 5th amendment, no court-appointed attorney, no judge, no jury, no appeals, no comfy jail cell, etc, etc, etc...."

No apology if they got the wrong guy.....

Re:they caught him too soon

[badasscat]

"No due process, no suspect's rights, no Miranda warning, no 5th amendment, no court-appointed attorney, no judge, no jury, no appeals, no comfy jail cell, etc, etc, etc...."

No apology if they got the wrong guy.....

Saturday on Slashdot seems to bring out an even higher proportion of anti-government conspiracy theorists than usual (I'm using your post as an example, but there are dozens of others in the thread below this). Sometimes I wonder how many of the posters here actually are script kiddies the

Re:they caught him too soon

[lpangelrob2]

I don't think you can make that comparison at all.

Computers can be formatted, and the whole deal mostly forgotten. Human lives don't exactly work the same way.

Re:they caught him too soon

[klui]

I would slightly disagree with your analogy. Being a victim of these worm attacks is more like having your car keyed. Having your system cracked personally by an individual is more like rape. Especially if the system has a lot of your personal files on it and you know the cracker has gone through/downloaded them. Nonetheless, it's not the same as physically-raped victims.

Re:they caught him too soon

[daviddennis]

It was an exaggeration to make a point: That people whose computers get broken into or hit by virus and worm attacks feel real suffering and pain from the experience, as I did.

A computer system is not a unique person, but nowadays it's very much an extension of one. It has things I've written, things I've done, and important stuff I need to remember. If it's lost, a whole chunk of my life goes away.

I think the preoccupation society as a whole has with people breaking into computers is sick, especially c

Re:they caught him too soon

[Ironica]

A computer system is not a unique person, but nowadays it's very much an extension of one. It has things I've written, things I've done, and important stuff I need to remember. If it's lost, a whole chunk of my life goes away.

Same with my house. When I leave my house, I lock the door. When I'm *home* I usually have the door locked too (this is more my husband's idea, though). Fortunately, Schlage generally has a good track record on not having easily-broken locks.

I think the preoccupation society as a whole has with people breaking into computers is sick, especially considering that many people are on the side of the person doing the attacks. And that disgusts me since I've seen what a horrible pain it is to recover from an attack.

Same with having your house burglarized. And yet, if you used a luggage lock to secure your front door, and your front door was right on the street, and there was no street lighting, neighborhood watch, etc., people would have a hard time sympathizing with you when you got ripped off. Especially if it was widely known that people keep getting broken into when they only use luggage locks to secure their personal belongings, and they're easily defeated (since they all pretty much have the same key).

For all the outrage I've gotten from my analogy, nobody's put a serious dent in my point: That people who do these things get away with it all the time, and that they somehow need to be stopped.

It's the risk-vs.-reward ratio. If you want to make it less attractive, the first thing to do is make it *harder*. When stealing someone's belongings doesn't require any breaking, just entering, it is more likely to happen. If you're homeless, your stuff gets stolen all the frickin' time. See how much the police care about tracking down the guy who stole it in *that* case. But a mansion in Beverly Hills with 24-hour armed response, noise- and motion-sensitive lighting and alarms, and guard dogs... sure they want to find out who did it, because that guy is *really* dangerous.

If you want to counteract my feelings and my analogy, let's hear some positive recommendations on how to deal with these people. What would you do to put the point in their heads that this kind of conduct hurts real people and has enormous costs?

First of all, you need to meet them halfway. People who keep their windows installs updated didn't get hit by Sasser. I'm one of them, and I don't even have automatic updates enabled... I just go there every so often and get what's critical (after actually deciding if I agree that it's critical... Outlook Express is NOT). That's basic. Using a firewall will also protect you from Sasser, as will using a non-Windows operating system.

People don't have much sympathy here for victims of these worms because they generally painted a big target on themselves and said "come and get me." That's the difference between how much we care about catching the perps in this case and in others... in a sense, these guys are doing us all a favor, because they're reminding people to lock their doors with something more than an ounce of cheap metal.

Re:they caught him too soon

[red floyd]

If you're homeless, your stuff gets stolen all the frickin' time. See how much the police care about tracking down the guy who stole it in *that* case. But a mansion in Beverly Hills with 24-hour armed response, noise- and motion-sensitive lighting and alarms, and guard dogs... sure they want to find out who did it, because that guy is *really* dangerous.

<TINFOIL-HAT>
No, the police want to find out who did it, because the BH guy happens to play golf with the Mayor, who pressures the Chief of Police to "catch the bastards who did this". Has nothing to do with the percieved danger of the burglar.
</TINFOIL-HAT>

Not framed?

[Luguber123]

How can one make sure he was not framed?

Also what international terrorist law is he going to be tortured for?

Re:Not framed?

[rduke15]

Also what international terrorist law is he going to be tortured for?

I hope that they don't do this sort of thing in Germany. But I wouldn't bet on it. Military and police have a tendency to be the same sort of people in all countries.

Re:Not framed?

[rduke15]

Forgot to add: it's the politicians role to keep the military and the police under control, and make sure they behave. Unfortunately, politicians mostly also tend to be the same sort of people in all countries...

Re:Not framed?

[zazzel]

Obviously, you don't know much about the german judicial system, nor about our police.

The boy is already back at home (no risk of escape) until he'll be tried. He'll probably get probation, at most. He'll MOST probably be tries under juvenile laws, which have the overruling goal of "educating" young people.

However, he'll be held responsible for the financial damages he's done.

Re:Not framed?

[zazzel]

To answer two posts in one:

- he cannot be extradited. The German constitution forbids that.
- juvenile laws *can* be applied for ages 18-21 (and very often are), and they have to be applied below.

My guess: juvenile law, probation and probably several 100 hours of social service. And financial damages, of course.

Anyways, shouldn't Microsoft be in his place?

Re:Not framed?

[Sique]

A german court can't award financial damage during a criminal process. If you want to claim financial damage, then you have to enter the trial as a "Nebenklaeger" (secondary plaintiff) and prove that you were financially damaged by the actions of the defendant.

I guess most people will be afraid to fully disclose in court how their IT management works and how their other business processes run to prove the amount of money they have lost due to Sasser.

Re:Not framed?

[frost22]

given the dubious record of the poilce to even understand such confessions I tend to hold judgement for now.

Maybe he only wrote a variant - according to the articles he also admitted doing a netsky variant.

As for punishment, if the charges proves to be reasonable, expect him to be tried in juvenile court.

He was just helping his mother

[Anonymous Coward]

http://www.channelnewsasia.com/stories/afp_world/v iew/83848/1/.html

The motives of the alleged Sasser author were still unclear, but Der Spiegel suggested the teen may have wanted to drum up business for his mother, who owns a company offering assistance to computer owners.

Re:He was just helping his mother

[Zocalo]

Well, if he gets sent to jail at least she should know how to bake him a CD with a file on it.

phatbot authors busted too

[taran9000]

they were also arrested on Friday.

Re:phatbot authors busted too

[Vlad_the_Inhaler]

Loerrach (where that article says the Agobot/Phatbot author comes from) is on the German/Swiss border and around 10 miles from the French border. The programmer was also apparently part of a group - others helped him write it.

Loerrach is about as far as you can get from the village the Sasser author came from and still be in Germany.

US authorities helped the German police in both cases.

Articles in English

[metlin]

Here is Reuter's take [reuters.co.uk] on this and the news release at Biz Ink [prnewswire.com].

Re:Articles in English

[Zocalo]

And a few more at The BBC [bbc.co.uk], Sky News [sky.com], CNN... None of them have a great deal of detail yet though, nor is there any mention of the connection between Sasser and Skynet alledged in the code of one of the varients. [cnn.com]

I'm kinda curious

[defile39]

How did they find this guy? Was it that he was bragging like in the former MS worm cases, or was there a "higher technological power" involved?

Re:I'm kinda curious

[mfh]

> How did they find this guy? Was it that he was bragging like in the former MS worm cases, or was there a "higher technological power" involved?

From Reuter [reuters.co.uk]: "Spokesman Frank Federau for Lower Saxony police said the man was arrested on Friday. He did not have the name of the suspect but said he was a schoolboy who lived with his parents near the central German town of Rotenburg.

"He is the programmer of the first version of the worm," said Federau. He said he did not have any details of how the suspect

Probably Bragging

[msgmonkey]

However I am basing this on that fact he is 18 and on the assumption that he fits a profile of some kid who does n't have many friends and needs attention. I'm not saying I'm right, just my take as you'd be amazed on how many criminals get caught simply on the inability to keep their mouths shut.

Re:I'm kinda curious

[Dark Paladin]

If you read the book "The Hacker Crackdown" (free at peanutpress.com), you'll find the FBI know that once they catch most crackers, they can't get them to shut the hell up afterwards.

I think most of it is "bragging rights". Which is why you notice the most successful psychopaths in history are the quiet ones....

Probably ran his mouth

[Sycraft-fu]

Most criminals, espically the non-organized ones, suffer from a problem of running-of-the-mouth. Almost all of us do, actually. We like to brag about the things we've achieved to friends. However, when you are braging about legal exploits like winning the pot at the last card game, it's fine. Thing it most crooks also brag about their illegal exploits too. This is fine, until one of their friends (or friends of friends) turns them in.

Also most script kiddies/crackers run their mouth when they get caught. W

does anyone...

[Lxy]

find it ironic that an ad for Microsoft security services accompanies this story?

Re:does anyone...

[rokzy]

no, I find it surprising that there are people on /. who still see ads and expect other people to see ads too.

Easy enough

[Dark Lord Seth]

IF that person is found to be guilty ( Remember kids, innocent until proven guilty! ) than that person wil be solely held responsible for all damages Sasser has caused, is causing and will cause in the future.

Re:Easy enough

[Tango42]

Are you an expert on German law?

More links

[rduke15]

Was just about to submit this story. I see my lins are different, so you may find them useful too (they are in English):

An 18 year old has been arrested in Germany, suspect of being the creator of the Sasser [sophos.com] worm, as reported by Yahoo news [yahoo.com] and many others [google.com]. Sophos believes he may also be the author of Netsky [sophos.com].

About time

[Falconpro10k]

granted, im no microsoft lover, but im also kind of against punks like this guy... he has probably cost me almost $500 since this worm started in my PERSONAL services to my friends and family in order to get this all cleared up..

as for ms, they should be considered just as guilty, with such a large corporate juggernaught they have, they should be able to look for these vulnerabalities early, and maybe go through some more extensive testing.. or at the VERY LEAST spend a million or so and tell they public they messed up, and how to fix it... (run windows update) at least this way, you have a educated public... ignornance is NOT strength.

Re:About time

[croddy]

on the bright side, he released it just a little too early... seeing as this is just the time for Windows users to do their yearly Spring Reinstall anyway.

Set the man free!!!

[bezza]

He got me an afternoon off work!

Will he go on trial

[foidulus]

In other countries? He did damage in more than one country, but with the tangled web of extradition treaties etc, how will other countries deal with his arrest? Will they demand justice?
I guess the fact that he was in Germany, a country with a modern justice system and extradition treaties, will help. They have had a hell of a time in the past getting police in places like Russia and the Phillipines to co-operate.
Just another interesting adventure in the globalized, internet-driven world I guess.

Re:Will he go on trial

[Star_Gazer]

Since both Sasser and Phatbot developers are native germans, they will never be extradited. German constitution luckily forbids it. Only foreigns can be extradited to other countries and only if they don't have to fear death penalty and will get a fair trial.

Re:Will he go on trial

[frost22]

will never be extradited. Constitution luckily forbids it. FWIW, that article got a few exemptions recently for purposes of EU harmonisation. I don't know if they apply here, though,

Re:Will he go on trial

[rduke15]

Why would he have to be extradited? If he is guilty, he can be judged in Germany. And one cannot be judged more than once for the same crime.

Phatbot comes from Germany, too

[smk]

See here in german [heise.de] and the google translation [google.com]. Official say, there is no connection. Well ...

So, how did he find the exploit?

[Coryoth]

Excellent, hopefully they can ask hima simple question and we can put another argument to rest - Was he aware of the exploit from his own hacking, or being told about it by someone, or did he just read the exploit advisory from Microsoft when they released the patch?

Realistically odds have to favour just reading the advisory, but there have been plenty of claims to the contrary.

The next question is, will any media actually bother to find out and publish the answer to that question. I'm guessing "absolutely no chance in hell".

Jedidiah.

Two possibilities

[scum-e-bag]

Two possibilities as I see them. First the kid was stupid enough to write and release the worm from his own machine leaving behind traces or was not careful enough hiding his tracks. Second, the kids' machine was hacked and used to hide the real creator of the worm while releasing the worm. I haven't RTA but I think these two conclusions are logical.

Re:Two possibilities

[Alomex]

First the kid ..

He's old enough to drive, work, vote, own a gun, go to war and die on the service of his country, and be elected to office.

That makes him a young man, not a kid.

Referenced Story in Der Spiegel

[RidiculousPie]

The article also referred to Der Spiegel
As reported in Der Spiegel [spiegel.de]

Ultimate punishment

[m00nun1t]

Make him explain to my mother what a worm is, what he made it, and how to enable a firewall. That'd be punishment enough.

Re:Ultimate punishment

[Tin Foil Hat]

That would be OK so long as he makes sure she really gets it. A simple explanation is not enough, your mom needs to really understand and be able to secure her own network in the future.

If he can do that, I'd consider his debt paid. Then I'd consider hiring him as a consultant.

Cyber-terrorism

[amichalo]

...how will this be transformed into an indictment?

It looks like the Cyber-terrorism [etsu-tn.edu] laws are used (in the US) primary for this type of "cyber joyrider"

Melissa Virus

[CptChipJew]

Didn't the creator of the Melissa virus get his sentence removed in exchange for helping the government with security stuff?

If so, the same thing could happen to this guy with the German government.

Rothenburg an der Wümme.

[Qbertino]

We've got a few (3?) Rothenburg's in Germany. The one americans probably know the best is Rothenburg op der Tauber.
Rothenburg a. d. Wümme is not the medival postcard town, it's just a small boring northern german town. :-)
BTW: Wümme and Tauber are both rivers. German cities with same names ofter difference themselves by the rivers they lie at.

Re: Muprjys law and net.spelling

[Anonymous Coward]

> According to one of thousands of corollaries to Murphy's Law, a spelling correction on the net is guaranteed to contain at least one spelling mistake as well.

I propose that this corollary be named "Muprjys law".

I wonder if we can settle a small question

[Sun]

not really an important one, but still.

Sasser broke a new record in the time it took to find the worm, from the time the hole on which the worm was based was issued a public patch. Now that we, allegedly, have the worm's author, we can ask him whether it was rev-enged from the patch, or whether he had prior knowledge of the hole.

Shachar

P.S.
I would wager the former, but still interesting to get an authorative answer.

Sentencing...

[Ianoo]

Much as I'm pissed off with Microsoft for putting out software with so many holes, I think virus writers still have a lot to answer for.

I reckon he should get 10 minutes of prison time for every machine his trojan infected, since this is the time it probably takes someone on average to clean up the mess.

1,000,000 * 10 minutes = 166,667 hours = 6944 days = 19 years.

Seems fair to me, anyways...

Prison is not the solution

[Councilor Hart]

Give him an alternative sentence, like cleaning up computers as the next virus/worm hits. Or deny him computeracces for some time.
nothing worse for a nerd then no computer.

Sending him to prison only makes him meet the really bad guys.
Jail is not the solution to everything. It denies you normal live, far beyond the duration of incarceration.

A benefit of Sasser/Blaster

[mst76]

Sure, these worms did cause a lot of inconvenience and downtime and such. But a (probably unintended) benefit of their outbreaks was that many vulnerable machines are now actually patched. Without these worms, if you hit a random 2K/XP machine on the net, there is a very good chance that you can take over the machine through either DCOM or LSASS (port 135 and 445 IIRC). Essentially, everyone can gain access to millions of machines, and the owners would probably be totally unaware. I'm not trying to defend the worm writer, but we all know that millions of people simply wouldn't patch until the machines keeps rebooting every few minutes.

Idiot

[Pedrito]

I'm sorry, but any virus or worm writer that gets busted is just plain stupid. It's so simply to NOT get caught:

Step 1: Write virus/worm without your name, intials, alias, or any other identifying info.

Step 2: Release your virus/worm from an internet cafe, preferably one far from home, even a different city or country.

Step 3: Keep your mouth shut!!!

I mean, how hard can it be to avoid getting caught? I think most of these morons have the most trouble with steps 1 & 3, even if they're smart enough to manage step 2.

Times will change...

[John Seminal]

If it becomes that easy, and people don't get caught, then governments will have to react. Government might force an identification system where there will be no anonymity. They might have closed networks, where countries that don't agree with us are shut out. 1984 is going to happen because of these people. And givernment will use it as a legitimate reason to take away freedom from the rest of us. The .0001% of people who are anti-social criminals are going to cause the other 99% of us to lose freedom. Tha

Re:Idiot

[Richard_at_work]

If virus and worm writers followed these guidelines, then I doubt there would be as many problems as there is now:

1. Authors like to stamp the worms with their own signiture, as then they can boast about it with proof.
2. I agree you with this, releasing it from a traceable system is stupid.
3. If the authors did this, then a major benifit of them releasing the worm/virus is gone. Most of these things are done for bragging rights, and are not malicious. How many worms etc actually cause permanent damage to da

Re:Idiot

[Elwood P Dowd]

Step 1.5: Compile your virus/worm with something that doesn't uniquely identify your computer, like Visual Studio.

If he is guilty...

[darth_silliarse]

...I think he should be locked in a padded cell with a 486-SX and a copy of Windows v3.1 for company, I'd sooner have my left nut crushed in a vice rather than face that

You know, I really don't understand

[Freston Youseff]

how some of these so-called "genius" worm authors always manage to get busted. If any of them had a brain in their head and assuming they're not bed-ridden, they would stop being so headstrong and arrogant, and release the worm from an internet café. They could even wear a disguise, dye/cut their hair, or walk funny just in case the place had surveillance cameras about. It just seems to me that it would be so simple not to get caught at all.

come down hard

[KrisCowboy]

He should be punished to the maximum extent permitted by law - I don't care under which law. People who can't respect computers should not be allowed to (ab)use them. If he screws up his computer, it's his problem. But the moment he screws up boxes over internet, he's got to be punished hard. The punished should be harsh so that no other individual will ever attempt to write a virus. Microsoft users are already suffering with poor quality, tech-support and other stuff, guess they don't need viruses.

Re:come down hard

[Tin Foil Hat]

Bullshit. Harsh penalties do *nothing* to deter crime.

Texas is the death penalty capital of the world. By your logic that would also make it the safest place in the world, yet people are murdered here every day. A person can be imprisoned for years (years!) if caught with trace amounts of cocaine, yet the crack epidemic is as strong as ever. Community services do more for crime prevention than the prison system can ever do. Prisons are necessary of course, if only to separate the truly incalcitrant, but the current reliance on them as a deterance is simply pig-headed.

The point is, discipline is necessary, but not without compassion. Strict adherance to discipline for the sake of revenge mearly engenders hatred in those being disciplined. Unless you kill that person, he will always be a problem. Compassion can divert that hatred so that lessons can truly be learned. Community based organizations can provide that, the prison system cannot.

They should just give the boy (if proven guilty) an appropriate penalty followed by a period of community service. Get the boy involved in his community and he will not be such a problem. That is the only answer to such things.

(Hey mods, mod the parent underrated. His opinion may be wrong, but it is valid non-the-less. It doesn't deserve a troll mod.)

Re:come down hard

[KrisCowboy]

Well, thanks for the insightful info. Guess I just got carried away. You cannot compare a guy's drug problem to his computer problem. Addiction to drugs only shows that he's weak-willed. Writing viruses shows that he's not disciplined, or, he's watching matrix too many times :). You are right, a period of community service is going to help him. But not a short period of one month or year. I'd say, the period should be of (no of effected computers)*(2) days. That should keep him out of mischief for nearly 5-

Re:come down hard

[nyseal]

Oh please. Long gone are the days where prisons are considered 'rehabilitation institutions' for possible release of criminals back into 'productive' society. Prisons exist for the sole purpose of keeping criminals off the street and (hopefully) not getting a chance to perpetuate their crimes. As far as I'm concerned, the longer the better. You're right that harsh penalties don't deter crime, however I for one sleep much better at night knowing that they're not out in the public on some socially accepte

Re:come down hard

[Alomex]

Harsh penalties do *nothing* to deter crime.


Actually, you are wrong on that one. Your rebuttal argument is flawed:

Texas is the death penalty capital of the world. By your logic that would also make it the safest place in the world, yet people are murdered here every day.

You are using a flawed control group: other random places in the world. For the control group to be valid you have to find a place with similar socio-economic characteristics *and* similar prison conditions but laxer sentencing practices.

Moreover, save for hardened criminals which tend not to act rationally, studies *have* shown that the common folk tend to adjust their rates of criminal behaviour in proportion to (a) likelihood of being caught (b) harshness of the penalty if caught and (c) potential reward as compared to living a straight life.

For example in a jurisdiction when a specific crime is suddenly punished in a much harsher way, criminals gravitate to less harshly punished activities.

Same studies have shown that a certain percentage of the drop in crime rates of that type are due to the simple reason that criminals are out of comission longer, due to the longer jail sentences (duh!). So even among the hardened criminals we see a reduction in crime rates, simply because they are in prison and off the streets.

hmmm

[Knights who say 'INT]

Slashdotters blaming someone other than Billy G or Stevie B for bad things.

In other news, Osama Bin Laden renounces Islam and donates his fortune to the James Randi organisation.

Not to nitpick....

[nobodyman]

...but this man is the suspected author of the worm. The authorities haven't released his identity, nor how they arrived at the determination that he is the author.

Btw, Here'a an english [cnn.com] version of the story.

The Microsoft Secret Police caught this kid

[stock]

Remember Minister Otto Schilly signing a security deal with Microsoft ?

"Microsoft signs security pact with Germany" http://news.com.com/2100-7343-5204643.html [com.com]

That was on may 4th... Today THEY GOT HIM. Thats quite a remarkable effort from the Private Secret Police of Microsoft.

Robert

Sven hit Windows at questionable sweetspot

[stock]

its rather striking that winME win95 win98 win98se are not harmed by sasser, they only help spreading. Only damage is done to win2k and higher. From which i conclude, that these windows versions are just security breaches, and only have such hookups for spyware and other "activities". Thats to be read here :

http://news.bbc.co.uk/1/hi/technology/3687583.stm [bbc.co.uk]
"According to anti-virus firms machines running Windows 95, 98 and Millennium Edition can help spread Sasser even though they cannot be infected by it."

The 18 year old kid, (his name is Sven?) really hit Microsoft windows at its weakest sweetspot: Federal ordered builtin hookups for "remote security management" and other "activities" as e.g. Spyware.

Robert

Germany eh?

[Bazman]

Interesting. We had a machine fall over last week during the height of the Sasser panic. Norton AV had caught an installation of a Windows rootkit, and when we got to it (holiday weekend, so took three days), it had an FTP server installed with 19Gb of German-subtitled Moviez. Kill Bill 2 et al.

We found various infection scripts lying around, because Norton's quarantine seemed to have stopped the infection script in its tracks. One thing it did was to take the machine's details and upload them to an FTP server. A server in .de of all places.

We don't know if this invasion used the same exploit as Sasser, or if a small number of Sassered boxes get FTP status or what. But the German moviez + German FTP dropbox seems suspicious.

Luckily we had the IP-address, username, and password in the script, and were suprised to find we could login there and delete the info. Hopefully the hacker hadn't copied it, but the box has been re-installed from scratch.

And the user is now seriously contemplating Linux, after losing two days...

Baz

Sasser is my friend.

[Medievalist]

Sasser showed me which windows machines did not have their auto-patch routines working.

Since the PC support group had recently reported that all machines were now in the auto-patch system, we were quite suprised to see almost 1% (which is a lot of machines, around here) get sasser.

Incidentally, a crude way to scan your network for sasser (let's just say you've got a linux box handy with samba,nmap,bash, grep and gawk and that your network is composed of three class C segments numbered 10.0.1.0, 10.0.2.0, 10.0.3.0 for the sake of example) is:

nmap -p 5554 -oG '-' 10.0.1-3.1-254 |gawk '/^Host.+5554\/open\/tcp/{print "nmblookup -A " $2}'|bash |grep "<00>"|grep -v GROUP

If your machines have useful netbios names (such as their location, for instance) and/or you know the names of your users, that should give you all the info you need.

Thank you Mr. Sasser author! You the man! Your non-destructive code was a public service from where I'm sitting (yes I know others feel differently - the real universe is subjective, neh?).

Names & Reward

[damian]

Maybe we find out about the real names and versions of all the Sasser and Netsky variants now. The ones we know now are just made up by the anti virus guys after all.

heise.de today mentions that Microsoft will pay $250000 to the (less than five) informants.

Re:MS

[mumblestheclown]

Score: Pandering Karma Whore -5

Re:MS

[FAT_VIRGIN]

Testing? What's that? If it compiles, it is good, if it boots up, it is perfect. -- Linus Torvalds

Can we arrest Linus, too?

Re:MS

[Anonymous Coward]

Whoa!

I agree that worm writers are scum. They shouldn't be excused because someone else left a vulnerabilty for them to exploit.

But, especially at this point, I DO think that Microsoft deserves some blame too. SASSER follows in the wake of SQL Slammer and MSBlaster, arguably 2 of the most damaging buffer overflow exploits in many years. IIS has been repeatedly compromised by buffer overrun problems since its initial release.

It isn't hard to code an automated test for buffer overrun vulnerabilities. I hav

Re:MS

[keif]

> And writing intentionally crappy operating systems isn't? Ask yourself: what would happen if they wrote something that was *perfect*?

Someone would complain the default colour scheme was crap.

Re:MS

[Tango42]

They would be what is commonly called "God". Nothing is perfect.

Re:MS

[mfh]

> That you expect perfection only goes to show that you are an American.

I -- Am -- Canadian!

> There is no such thing as a perfect system, in any engineering discipline.

By perfect, I meant: without bugs. I wasn't talking about features. Sorry for the confusion.

Re:Liability

[cms108]

if i go out onto a motorway... and throw a bag of nails on to the road, into the path of cars traveling at 80mph, how am i any more liable for the resulting carnage than the millions who run insecure rubber tyres?
the responsibility lies with vehicle manufacturers for not fitting tyres with kevlar inserts in the side walls as standard; and with motorists for not fitting them themselves.

Re:Liability

[rokzy]

tires are not designed to run over multiple nails at high speed, Windows *is* designed to access the internet, handle email etc.

Re:Liability

[Rolo Tomasi]

This comparison is misleading. You can't physically hurt people through computers. In fact, the damage caused is rather hard to assess ... most is just a few hours of peoples' time. Now, you could sum up all the work hours and arrive at a huge amount, but then what about the other things that steal workers' time, like rebooting the OS, messing around with driver problems or application bugs that cause work to be lost? The software vendors aren't held responsible for these.

Re:Liability

[foidulus]

Yeah, but even if you leave your house unlocked it is still a crime. If it weren't, any criminal could grab your wallet saying that since it wasn't pad-locked down to your chest, it's his. Or could kill someone and claim it was his fault for not carrying a loaded weapon and constantly surveying all around.
People lock their doors because they realize there is a threat, if they don't realize there is a threat, they lose stuff, but it is still criminal. Hopefully after the 5th time someone gets their house broken into they will realize that they need a lock, same goes with computers.
I'm no microsoft fanboy(I don't even use windows), but blaming them is like blaming a car manufacturer because your car got totaled when some jackass rear-ended you. You should have done your homework before you bought the car, and that still does not absolve the jackass.

Re:Liability

[NotoriousQ]

However, the closer analogy would be that a house upon being robbed will create 50 more robbers which will go rob your neighbors. Who is responsible now?

The car manufacturer analogy still works, as they knowingly sold you the car without appropriate safety features. Do your homework -- yes -- but you can not expect people to know everything about a car or a computer.

Re:Liability

[v01d]

If you leave the doors to your house open, and a large neon sign over the threshold saying 'WELCOME', you'll be *damned* lucky if your insurer would pay up.

This is more like just leaving your doors unlocked. There is no protocol for a system to advertise it's vulnerabilities.

Without regard to whether your doors were locked it is illegal to steal things from your house.

Re:Liability

[Rolo Tomasi]

There's still a difference: if the door is unlocked, it's trespassing, if it is locked it's burglary. Quite a difference in the amount of punishment I would imagine.

Re:Liability

[Tango42]

Microsoft and the end users are in the wrong due to not doing something, the virus writers are in the wrong due to doing something - that is the difference.

Your insurer might not pay up but the police will still arrest the guy for theft, criminal damage, or whatever it is he did while inside. The only difference is that he won't be done for breaking and entering.

NB: IANAL

Re:Liability

[tanguyr]

How, exactly, is he any more liable than the millions who run insecure, unpatched machines?
That's ridiculous - people who don't wear bullet proof vests aren't "as liable" as the people who shoot them.

If you leave the doors to your house open, and a large neon sign over the threshold saying 'WELCOME', you'll be *damned* lucky if your insurer would pay up.
No, but you could press charges for burglary if somebody came into your house and stole something. Insurance is a matter of commercial contracts - we're talking about the law here.

If he hadn't exploited it, someone else would have, and the result would have been the same.
No, if someone else had exploited it, then the gentleman under discussion here most probably wouldn't be in police custody facing criminal charges right now.

The reponsibility lies with microsoft, for creating shite software, with inherent vulnerabilities, and with the users, for not bothering to have any kind of protection.
What kind of a world do you live in where the people who write and send out a virus are not liable for the damage it causes?

Re:Liability

[Jim Starx]

True, but a gun is an obvious danger. Are security patches that obvious? You and I would probably both answer yes, but would your average computer illiterate also answer yes?

Re:Liability

[mumblestheclown]

If you leave the doors to your house open and a large neon sign over the threshold saying 'welcome'.

Actually, those are two completely separate issues.

Let's say you left your house and left your door unlocked. If a thief happened by, saw that it was unlocked, and came in and stole all of your belongings, the law in every jurisdiction that I know of is unequivocal: the thief is solely to blame.

On the other hand, if you put up a sign that said "welcome", then that could be construed as an explicit invitation to enter and the corresponding legal judgement would be less clear. You may recall cases way back when when some FTP sites said "Welcome To Private FTP site! Username: Password: ".. well.. some were broken into using brute force un pw attacks. The attackers were subsequently found and based their (largely successful) defense on the fact that it said "welcome!"

Now, about the rest of your point: about people being liable and microsoft being liable; basically, it's wishful thinking from you, who knows nothing. I dare you to build me a house that can not be broken into. It is NOT possible. the windows OS has arguably hundreds of thousands of parts and interfaces and it is not reasonable to expect that every aspect has been checked for every possible potential flaw. I remind you that but a few weeks ago, a new flaw was found in TCPIP, arguably one of the most "eyeballed" standards in the history of computing.

every window in your house can be broken, and a thief can enter by breaking it. the lock on your front door can be opened with a jimmy tool, your electric garage door opener signal can be captured and copied. your hidden key under the bushes can be found. your chimney may be a more or less perpetually open entrance, and yet nobody blames house builders or even home owners of gross negligence in such cases.

the fact is that in a society we recognize the inherent limits of any sort of physical protection. as many on slashdot here have observerd in other contexts (DRM), "if it can be broken, it will be" and "there are no unbreakable protection schemes."

Therefore, we must resort to law and the threat of punishment. It's not perfect, but it's what we have to do.

Re:Liability

[varmit poontang]

If someone sets fire to a house. Are they not responsible for it burning down, whether or not it has sprinkler system or not. This tried to set a fire to all the computers in the world that didn't have their patches yet or sprinklers on. Its a simple thought. He set the fire, it destroyed the city, he is liable for what he has done. I'm just getting pissed that the virus writers are turning out to be teenagers. I mean, come on, go out on dates, go to the movies, play sports or something, why the hell

Re:Liability

[amembleton]

"purlywrong" WTF is that s'posed to mean?

Using my brain I have worked out that he was meaning 'surely wrong'.

Re:Was it a big joke / mistake?

[Tango42]

It has the feel of a proof on concept to me. It distributes fine, but doesn't actually do anything (the crashing appears to be a bug, and the CPU usage is an unavoidable consequence of the distribution process). I wouldn't be suprised if a version with a payload is released soon.

Re:18 year old kid

[NineNine]

If a 18 year old kid can write a small piece of code which can lament and trembel a large part of our society, who should we blame?

The kid.

Re:18 year old kid

[aardvarkjoe]

...small piece of code which can lament and trembel a large part of our society...

The same people who don't teach students the difference between transitive and intransitive verbs?

Re:German police admit corporate control of courts

[rimmon]

So what, that doesn't mean that he is guilty in the official meaning of the word. He was arrested yesterday, with the help of all kinds of specialists, some of them work for Microsoft.
It's standard procedure for the police to work with external specialists.
The idiot who wrote that worm was released later that day and his trial will be in a couple of months where all kind of evidence is used to see if he is guilty or not.
Yes, most likely the statements of said specialists will be heard by the judge but wh