Security threats Toolkit

Sasser worm author arrested in Germany

Tags:
Hackers,
Worms,
Sasser

Reuters CNET

Published: 09 May 2004 11:05 BST

Spokesman Frank Federau for the Lower Saxony police said the man was arrested Friday. Federau said the suspect admitted to programming the worm, but authorities did not know if he had created all the versions of it.

Security experts said this could be the single biggest arrest yet in the campaign against the computing underground responsible for hatching worms and viruses, which has proved difficult for law enforcement to crack.

"He made a confession, and the experts at Microsoft have now confirmed that he was the cause of this worm," Federau said. He said he did not have any details of how the suspect was found.

Surprised at the rapid developments, security experts said this could be the single biggest arrest yet in bringing down a virus-writing gang.

Federau said that the man, who lived with his parents near the central German town of Rotenburg, did not have any links with organized crime. But the spokesman could not confirm if the suspect had ties to other worm programmers.

All the teenager's computers were confiscated by police but the suspect himself was not in custody, Federau said.

Since appearing a week ago, Sasser has wreaked havoc on personal computers running on the ubiquitous Microsoft Windows 2000, NT and XP operating systems, but is expected to slow down as computer users download antivirus patches.

The computing underground responsible for hatching worms and viruses has proved a difficult ring to crack for law enforcement.

"Hopefully this arrest will limit their activities," said Mikko Hypponen, antivirus research director at Finnish data security firm F-Secure. "If we can start catching these guys, it will certainly put more pressure on existing virus writers."

Separately, police in the southern state of Baden-Wuerttemberg said they had arrested a 21-year-old man who confessed to programing the Internet worm Agobot, which was later renamed as Phatbot.

A spokesman for the State Police Office in Stuttgart said the arrests were not connected.

From the outset, Sasser baffled security experts. Unlike the most recent digital outbreaks, Sasser was programed simply to spread and knock out computer networks, not take over machines and possibly steal information stored on them.

The prevailing theory was Sasser was written by the same gang behind the prevalent 2-month-old Netsky virus. German news magazine Der Spiegel said the German man was also suspected of creating a variant of the Netsky virus.The police spokesman would not confirm that and said police were still investigating the suspect's links to Netsky variants.

Pieces of code found in a recent version of Netsky made references to Sasser. Typically, such clues generate the biggest leads for authorities in hunting down culprits.

Previous versions of Netsky, for example, were programed to attack the Web site for an education server in the German state of Lower Saxony where the German suspect lived, security officials point out.

If the Sasser author is part of the Netsky group, which calls itself the "Skynet antivirus group," this could be the most important arrest yet in cracking virus-writing crime.

"The police may just have cracked the Netsky gang with this arrest. The whole ring may be broken wide open," said Graham Cluley, senior technology consultant at Sophos, a British-based security outfit.

Home users, corporations, and government agencies throughout Europe, North America and Asia have been hit. Once infected, the vulnerable PC reboots without warning as the compact program hunts for more machines to infiltrate.

The economic toll of Sasser may never be known, but it has claimed some big victims, including Germany's Deutsche Post, Britain's coast guard stations and investment bank Goldman Sachs.