Sasser suspect snared by Microsoft reward

Published: 10 May 2004 08:30 BST

Microsoft's $5m (£2.81m) fund for rewarding informants for leads on virus attacks has snagged its first success with the arrest of a man in Germany who has confessed to the release of the Sasser worm, the software giant said on Saturday.

In what the company called a "coordinated multinational law enforcement effort," information provided to Microsoft by informants led local authorities to arrest the 18-year-old unnamed resident of Rotenburg, Germany, only a week after the original Sasser virus had been released.

"Within 48 hours of the informants coming forward, our investigators and the German police were able to identify the perpetrator of the Sasser virus and to take him into custody," said Brad Smith, general counsel for Microsoft. "This individual is responsible, we believe, for all four variants of the Sasser virus."

The arrest brings a quick end to the latest worm incident. The week-old worm has slowed its spread, as companies clean up existing infections. The worm and its three known variants have compromised hundreds of thousands of computers running Microsoft Windows, though some estimates put the number of infected systems in the low millions.

The arrest is the first success for Microsoft's Antivirus Award Program, a $5m fund to reward people for coming forward with information about those who release major worms and viruses. While Microsoft has offered three rewards of $250,000 each for those who were responsible for the havoc caused by the MSBlast worm, the Sobig virus and the MyDoom virus, no arrests in those cases have yet been made. The arrest of the author of a minor variant of the MSBlast worm predated the award program.

While Microsoft had not announced any reward for information about the person or group that released, and presumably wrote, the Sasser worm, the informants approached the software giant's German office on Wednesday and inquired about whether such a cash award would be paid.

"Aware of this programme, individuals in Germany approached Microsoft investigators," Smith said. "We did not hesitate and made a decision to offer a reward of $250,000."

Smith wouldn't say how many people came forward, except to indicate it was fewer than five. Moreover, while he would not comment on whether a relationship existed between the Sasser suspect and the informants, he did say that they both live in the same part of Germany.

"These were individuals who were aware of who the perpetrator was; they did not stumble upon this because of technical analysis," Smith said.

The arrest could be the most significant since David L. Smith was arrested for spreading the Melissa virus in 1999, and may eventually exceed that case in importance as well, as security researchers originally believed that Sasser was written by a group of programmers. The arrest could lead to more suspects.

Moreover, security experts and German police believe that the author of the Sasser worm also created several, if not all, variants of the mass-mailing computer virus, Netsky. At least one version of that virus had been signed by what seemed to be a group of programmers calling itself the Skynet Antivirus Team.

Smith would not comment on whether there may be additional arrests, but confirmed that the investigation was ongoing.

Graham Cluley, senior technology consultant for antivirus firm Sophos, praised the quick arrest.

"All these worms have been highly disruptive and complex, suggesting that the author isn't working alone," he said. "Seizing this man's computers could provide the vital clues that will bring down the infamous Skynet virus-writing gang. We would not be surprised if more arrests follow in due course."

Microsoft also said that several new virus research techniques that the software giant has developed over the past year have played a key role in identifying the author and verifying the data provided by the informants.

The message for virus writers is that they are not safe from the law on the Internet, Smith said.

"I do think that the fast action in this case does send a message to people who are thinking of launching or creating malicious viruses and worms," he said. "And that is, we together with law enforcement can and will identify individuals who launch malicious code on the Internet. And law enforcement can and will bring them to justice regardless of where they are in the world."
