According to reports, the man, Sven Jaschan, was arrested based on information that he created the original Sasser worm, which caused system outages globally last week. German police say Jaschan has since confessed.

Microsoft said the arrests came after cooperation between German police, Microsoft, the US FBI and US Secret Service. The firm said it believes Jaschan was also behind the NetSky email worms, which have been coming thick and fast since February.

It seems that the arrest would not have happened without the existence of Microsoft’s $5m reward program. Since November, Microsoft has offered cash payouts of $250,000 to people who provide information leading to the arrest and conviction of major virus writers targeting Windows vulnerabilities.

The program has been used, unsuccessfully, three times. Bounties are still outstanding on the heads of the writers of MyDoom, Blaster and SoBig. However, in the Sasser case, Microsoft had not yet publicly announced a reward.

Microsoft said certain individuals in Germany approached Microsoft investigators last week, offered to provide information about the creator of the Sasser virus, and inquired about their potential eligibility for a reward. Microsoft said it will pay the $250,000 bounty if Jaschan is convicted.

"We understand that the lure of a cash anti-virus reward program can prompt those with information to come forward and assist law enforcement," Microsoft general counsel Brad Smith said. "For this reason, Microsoft decided to reward the informants who provided information vital to this Sasser worm arrest with a reward of $250,000, pending the successful conviction of this case."

The Sasser writer identified himself, using plaintext comments hidden within his viruses, as the same person who wrote the NetSky email worms. Code analysis by antivirus firms such as F-Secure Corp shows similarities between the two, lending credibility to this claim.

Comments hidden in many of the NetSky variants released over the last few months identified the writers as a group, rather than an individual, calling itself SkyNet Antivirus, an apparent reference to the malevolent supercomputer in the Terminator movies.

The term antivirus was apparently used because NetSky worms carry no damaging payload. Instead, they were programmed to clean PCs of MyDoom and Bagle virus infections. Nevertheless, the fact that they were viral and prolific caused Windows users and administrators no end of headaches.

The NetSky and Sasser comment text also suggested that the writer or writers were Russian or Czech, due to references to both countries and their internet domains. Security experts now say that this may have been a mere misdirection ploy.

The arrest of Jaschan coincided, reportedly to the minute, with the arrest of a 21-year-old in another part of Germany. According to reports out of Germany, this man is claimed to be responsible for at least one variant of the Phatbot/Agobot Trojan horse programs.

While it was not clear if police suspect the two arrested men were cooperating, virus experts last week noted that the same exploit code Sasser used to penetrate unpatched Windows PCs was also present in a recent Phatbot variant, suggesting a link.

Confusing matters further, a fifth E variant of Sasser was detected on the internet while Jaschan was in police custody. Anti-virus companies believe this variant could have been released prior to Jaschan’s arrest, and point to similarities between Sasser.E and NetSky worms.

According to F-Secure, Sasser.E tries to clean PCs it infects of the Bagle worm, much as NetSky variants did. It also displays a warning to the end user that their PC is vulnerable to one of the security problems outlined in Microsoft bulletin MS04-011.

Sasser enters via an MS04-011 vulnerability. Attackers can use this vulnerability, in the Local Security Authority Subsystem Service component of Windows 2000, XP and 2003, to remotely run code of their choice on unpatched PCs. Microsoft offered a patch for this bug on April 13.

The economic impact of Sasser, like any malware, is difficult to assess, but companies across the globe in banking, aviation, rail and postal services have publicly stated that they were or may have been infected by the virus, causing widespread real-world disruptions.

In some cases the precautionary measures taken, such as taking computer systems offline completely for patching (as reportedly happened in a major Finnish retail banking chain), were just as damaging as the worm itself.

It’s also difficult to assess how many individual computers were infected by Sasser, due to the fact that many PCs were infected more than once, but estimates based on how many IP addresses were scanning for new systems to exploit put the number in the hundreds of thousands.
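The estimation method the previous paragraph refers to, counting distinct source IP addresses seen scanning for new hosts, is straightforward to reproduce from perimeter firewall logs. The following is an added illustration and not code from the original article or from any anti-virus vendor: it parses a handful of constructed log lines in a hypothetical "timestamp action proto src:port -> dst:port" layout, attributes connection attempts to the LSASS service port (TCP 445 is an assumption here, as the article names only the component, not the port), and reports each source that probed at least a threshold number of distinct destinations. The threshold of three is arbitrary.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not real data). The layout is a
# hypothetical "timestamp action proto src:port -> dst:port" format.
SAMPLE_LOG = """\
2004-05-03T10:15:02 DENY TCP 198.51.100.7:1034 -> 192.0.2.10:445
2004-05-03T10:15:02 DENY TCP 198.51.100.7:1035 -> 192.0.2.11:445
2004-05-03T10:15:03 DENY TCP 198.51.100.7:1036 -> 192.0.2.12:445
2004-05-03T10:15:03 DENY TCP 198.51.100.7:1037 -> 192.0.2.13:445
2004-05-03T10:15:04 DENY TCP 203.0.113.44:2201 -> 192.0.2.20:445
2004-05-03T10:15:04 DENY TCP 203.0.113.44:2202 -> 192.0.2.21:445
2004-05-03T10:15:05 DENY TCP 203.0.113.44:2203 -> 192.0.2.22:445
2004-05-03T10:15:06 ALLOW TCP 192.0.2.5:3001 -> 192.0.2.9:445
2004-05-03T10:15:07 ALLOW TCP 192.0.2.5:3002 -> 192.0.2.9:445
2004-05-03T10:15:08 ALLOW TCP 192.0.2.5:3003 -> 192.0.2.9:445
2004-05-03T10:15:09 DENY TCP 198.51.100.7:1038 -> 192.0.2.14:80
2004-05-03T10:15:10 DENY TCP 203.0.113.99:4100 -> 192.0.2.30:445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Assumption: the service port reached by the LSASS exploit is TCP 445.
LSASS_PORT = 445


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def targets_by_source(log_text, port=LSASS_PORT):
    """Map each source IP to the set of distinct destination IPs it touched on `port`."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != port:
            continue
        targets[rec["src"]].add(rec["dst"])
    return targets


def scanning_sources(log_text, min_targets=3, port=LSASS_PORT):
    """Return the sorted source IPs that probed at least `min_targets` distinct hosts.

    A legitimate client repeatedly reaching one server stays below the threshold,
    while a worm sweeping address space touches many distinct destinations.
    """
    return sorted(
        src for src, dsts in targets_by_source(log_text, port).items()
        if len(dsts) >= min_targets
    )


def estimate_infected_hosts(log_text, min_targets=3, port=LSASS_PORT):
    """Count distinct scanning sources: one per infected host, however often it was reinfected."""
    return len(scanning_sources(log_text, min_targets, port))


if __name__ == "__main__":
    per_source = targets_by_source(SAMPLE_LOG)
    for src in scanning_sources(SAMPLE_LOG):
        print(f"{src} probed {len(per_source[src])} hosts on TCP/{LSASS_PORT}")
    print("distinct scanning sources:", estimate_infected_hosts(SAMPLE_LOG))
```

Counting distinct scanning sources rather than connection attempts is what sidesteps the double-infection problem the article mentions: a PC infected several times still scans from one address. The estimate remains a lower bound for hosts behind NAT and inflated by DHCP churn over long windows, which is why the figures quoted are in the hundreds of thousands rather than an exact count.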

This article is based on material originally published by ComputerWire