sasser.a suspect caught
MoonWolf
May 8th, 2004, 12:56 PM
They have a suspect for the sasser.a worm.
http://www.reuters.co.uk/newsArticle.jhtml?type=technologyNews&storyID=5079955&section=news
HANNOVER, Germany (Reuters) - German police have arrested an 18-year-old man suspected of creating the "Sasser" computer worm, believed to be one of the Internet's most costly outbreaks of sabotage.
Previous versions of Netsky, for example, were programmed to attack the Web site for an education server in the German state of Lower Saxony where the German suspect lived, security officials point out.
If the Sasser author is part of the Netsky group, which calls itself the "Skynet anti-virus group", this could be the single biggest arrest yet in bringing down a virus-writing gang, officials said.
"The police may just have cracked the Netsky gang with this arrest. The whole ring may be broken wide open," said Graham Cluley, senior technology consultant at Sophos Plc, a British-based security outfit.
Now that would be interesting.
Computernerd22
May 8th, 2004, 03:02 PM
If this is the wrong forum I apologize to the moderators. Since this issue is 'sasser' related I posted this here. I was surfing on MSNBC this morning when I noticed a catchy title, 'sasser creator busted'. The full story can be found here: http://www.msnbc.msn.com/id/4928653/
It seems it was created by an 18 year old high school student. I was shocked when I saw this. He should get a job at Microsoft.
Worm infected thousands of computers worldwide
This was a nasty worm that infected more than thousands of PCs, I'll tell you that. We were in queue for 7 hours because of this issue, not to mention for the past week straight. Hospitals in Hong Kong, the Coast Guard, a lot of different places got hit hard by this, not to mention home PC users. What's your take on this? I wanna know how they caught him, because they caught him pretty quick.
bluthund
May 8th, 2004, 03:05 PM
:)
The author of the Sasser Worm may have been caught.
An 18 year old student from northern Germany has been taken into custody and allegedly confessed to the authorities that he is the author. Evidence has been confiscated from his parents' home, where the student also lived. A further official statement is to follow later in the day.
http://www.faz.net/s/Rub21DD40806F8345FAA42A456821D3EDFF/Doc~E646FA877D4DB4715995C5EAD363397F5~ATpl~Ecommon~Scontent.html
This guy is no longer a juvenile!!!!
Chickenpox2004
May 8th, 2004, 03:24 PM
Not bad that they have caught him. Could this worm have been this big if people had updated their PCs? I think not, because the update for this problem has existed for a long time.
jinxy
May 8th, 2004, 03:54 PM
This makes three times this has been posted. Does no one use the 'has my topic been posted before' tool?
Sheesh. I heard the first time.
I just checked the times and it would seem you were the first to post nice find.
Jinxy
MrLinus
May 8th, 2004, 04:11 PM
Ok. Here's what I did: Took the 3 threads, merged them into one (since Moonwolf was first, his original thread was kept) and got rid of some dup posts (notably by Jinxy :D). If ya have questions, just holler. :)
Cybr1d
May 8th, 2004, 04:25 PM
If ya have questions, just holler
MsM's wild side coming out or is Canada getting cool??? Give her some beers, lets see what she does :D :drink: :fart:
Tedob1
May 8th, 2004, 04:53 PM
If this breaks the Skynet gang, it'll be because this kid might know who they are and tells. Which I don't think is the case. There are no messages in it to the Beagle gang, and this one is just plain malicious; it does nothing to thwart their opponents' viruses.
IMO it's a typical attempt to blame all crimes on one criminal to try to appear to the public that they actually have a clue.
MrLinus
May 8th, 2004, 04:54 PM
IMO it's a typical attempt to blame all crimes on one criminal to try to appear to the public that they actually have a clue.
Who? The police or the kid that got caught and thought this was a "kewl" thing to do? ;)
bluthund
May 8th, 2004, 06:11 PM
:)
IMO it's a typical attempt to blame all crimes on one criminal to try to appear to the public that they actually have a clue.
Now this is just pure spun bull by the media. I cannot recall seeing any official statement to that effect. But the possibility shouldn't be discounted. Maybe we'll see some pictures of dear Sven J. being tortured in some gulag, with Bill Gates later apologizing for bad management of prison policy.
Nothing personal, but it may be a good idea to give this some time. The authorities have some "evidence" to analyze. LOL, can you see Ankit in a consulting position.
MoonWolf
May 8th, 2004, 07:41 PM
The authorities have some "evidence" to analyze. LOL, can you see Ankit in a consulting position.
I bet that if for any reason the police were to confiscate the computers of any of the AntiOnline members, there would be a shitload of "evidence", for instance your bookmarks. They most probably link to sites with info about virii. Want to bet that they can make it look like you are going there because you wanted to learn how to write virii or something like that?
Whether that kid did it or not, he is in serious trouble. The moment they found more than a few games on his PC he had nowhere to hide. If they want to (and I believe they do) they can nail this guy to the ground, whether he is innocent or not.
And the Netsky group. Well, maybe he is a member. But I doubt he is going to tell. And even if he is going to tell, what is he going to know that can be of any help? I doubt they know the real names of each other. IPs can be changed, so can IRC channels/websites/e-mail addresses, you name it.
But if he really is the guy, then I have to say that was damn fast. Which is another problem: if he is part of Skynet then he wouldn't have been such an "easy" capture.
prodikal
May 8th, 2004, 07:56 PM
Not bad that they have caught him. Could this worm be big if people would have updated their PC's? I think not because the Update for this problem existed a long time.
If eEye had kept the code private and worked with Microsoft on a private, professional basis, Internet users wouldn't have had to cope with this, and Microsoft could have fixed it in their next hotfix. Users are patched, damage would have been minimal if any :rolleyes:
bleh
groovicus
May 9th, 2004, 04:21 AM
http://msnbc.msn.com/id/4928653/
In a search of the suspect’s home, German investigators confiscated his customized computer, which contained the worm’s source code.
The teenager told officials that his original intention was to create a virus called “Netsky A” that would combat the “Mydoom” and “Bagle” viruses, removing them from infected computers. In the course of that effort, he developed Sasser.
kurt_der_koenig
May 9th, 2004, 04:29 AM
Who's to say that he wasn't a zombie? Or a friend just played a trick on him that morphed from his computer? And how did they find him so fast?
groovicus
May 9th, 2004, 04:49 AM
kurt_der_koenig---did you miss the part where it said he confessed? :p
MrLinus
May 10th, 2004, 10:59 PM
I had to chuckle reading this, as he wants to be a good programmer. Methinks he might definitely need to take some classes. :D
Source: Canoe Online (http://cnews.canoe.ca/CNEWS/TechNews/2004/05/08/452169-ap.html)
'Sasser' creator tried to limit damage
By GEIR MOULSON
Sasser worm shows need for IT security
BERLIN (AP) - An 18-year-old German who confessed to creating the Sasser computer worm launched a new version meant to limit the damage just before his arrest last week, investigators said Monday.
Authorities who have questioned Sven Jaschan got the impression his motive was to gain fame as a programmer, prosecutor Detlev Dyballa said. Dyballa described as speculation news media reports that Jaschan may have created the disruptive program to drum up business for his mother's computer store, PC-Help, in the small town of Waffensen.
"One can never rule out anything, but there are no facts to suggest it," he told The Associated Press by telephone.
Jaschan was arrested Friday at his mother's house, where police said agents found him sitting at his computer. Investigators say the machine contained the worm's source code.
Earlier Friday, investigators said, Jaschan unleashed the new Sasser e virus - a failed attempt to limit the damage caused by the four previous versions.
Frank Federau, a spokesman for the state criminal office in Hanover, said the worm was "a slightly modified form" of the program that raced around the world over the past week, exploiting a flaw in Microsoft's Windows operating system.
"He did it with good intentions, but it had exactly the same damaging effects," said Sascha Hanke, a Microsoft data protection official in Germany.
Like the other versions, the new variant - which notified users of a Microsoft patch against Sasser - caused computers to crash and reboot.
"The cause was erroneous programming of the virus," Hanke said.
Police have said Jaschan was responsible for all versions of Sasser as well as the Netsky virus.
He is being investigated on suspicion of computer sabotage, which carries a maximum sentence of five years in prison. He was released pending charges after questioning last Friday, when he admitted creating Sasser, police said.
A trial could begin at the end of June, Dyballa said.
Investigators were still examining the contents of Jaschan's confiscated computer Monday.
"This will take quite a long time," criminal office spokesman Detlef Ehrike said. Officials are working to prepare hundreds of pages worth of data for a possible court case, he said.
The teenager has told officials his original intention was to create a virus, Netsky A, that would combat the Mydoom and Bagle viruses, removing them from infected computers.
That led him to develop the Netsky virus further - and after modifying it created Sasser.
"He's not stupid - he's a really good programmer," Dyballa said. "But I don't know whether he was aware of the scale" of the damage.
Sasser affects computers running Windows XP or 2000.
Last Monday, the worm hit public hospitals in Hong Kong and one-third of Taiwan's post office branches. Twenty British Airways flights were each delayed about 10 minutes Tuesday due to Sasser troubles at check-in desks, while British coast guard stations used pen and paper for charts normally generated by computer.
Waffensen residents described Jaschan as shy and withdrawn, and said he hoped to study computing after finishing high school.
"He only got involved when the talk turned to computers," said Christian Mueller, a chef at the Eichenhof restaurant. "I've never heard him talk about anything else."
Tiger Shark
May 10th, 2004, 11:11 PM
and said he hoped to study computing after finishing high school.
It might have been a good idea to wait until _after_ he studied computing to decide to write worms/viruses. That way he might have had a better idea of the overall effect he might have..... But I guess that is the young mind sometimes.... Us old farts need to learn all we can from the young before they all forget the 'everything" they know about "everything".... Like we all did..... ;)
The result really is that another, potentially brilliant, mind may have been crippled by the experience..... such a waste really.... even if he was a bad coder..... there was room for improvement......
MrLinus
May 10th, 2004, 11:13 PM
The result really is that another, potentially brilliant, mind may have been crippled by the experience..... such a waste really.... even if he was a bad coder..... there was room for improvement......
Indeed. For some reason I kept thinking of the Morris Worm when reading this.. :)
Tiger Shark
May 10th, 2004, 11:56 PM
Morris was dragged into court, where his case made a ton of press. He was convicted under the Computer Fraud and Abuse Act, and sentenced to three years of probation, 400 hours of community service, and a fine of $10,400. He appealed the case and lost. Morris now shows up occasionally at various functions, and most humorously was the network administrator for the Ig Nobel awards, an award ceremony run by a scientific parody paper.
Some conspiracy theorists have noted that the story of Robert Morris wouldn't be complete without mentioning his father, Robert Morris, who at the time of the release of the Morris Worm was the Chief Scientist of the NSA. He had a habit of bringing home neat shit for his son to play with (like one of the original Enigma Code machines), so perhaps his son got his hands on a fledgling NSA project? Maybe. Sure gives you something to mull over coffee while your system is down from the newest attacks crippling the net. Morris' spirit lives on! (As does Morris, now a teacher at MIT).
Source (http://www.rotten.com/library/bio/hackers/robert-morris/)
I went to see what happened to him..... It seems he worked out ok..... At least as far as his sentence wasn't something that "cripples" his ability to keep learning and working.... I see so many of the more recent "perpetrators" given probations that keep them off computers or the internet for X years..... By the time they get back they are so far behind it's barely worth starting again.... Yet that could be a perfectly good mind if channeled correctly.....
Hmmm.... thoughts of "A Beautiful Mind".... Great movie.... If you haven't seen it, it's definitely worth the watching.....
AxessTerminated
May 11th, 2004, 12:45 AM
I saw an article in the newest "PC Magazine" about this. It seems that Netsky, Sasser, Bagle, and MyDoom are, in fact, all related. (Netsky was supposed to be an AV worm to remove the others.) It seems to be a war between hacking groups. The source code is littered with insults back and forth between authors, one of which warns the other not to start something this big. Very interesting to see the underground at work; it's like ant colonies. These people may be causing damage, but at least it's not human life, it's a cyber war to see who can cause the most damage. Something that would be quite interesting is to see one virus work with the damage that another had already caused, to increase the damage exponentially.
A_T
Cybr1d
May 11th, 2004, 01:49 AM
These people may be causing damage, but at least it's not human life, it's a cyber war to see who can cause the most damage.
For now...but crippling information transfer could result in loss of human life.
Vorlin
May 11th, 2004, 01:50 AM
The problem with these "hacking groups" is that they consist of the most immoral, misguided, and overall overconfident people I can think of. Are they smart? Yes, sometimes frighteningly so. Are they capable? Yes again...
SHOULD THEY ALREADY KNOW WHAT THEY COULD BE RELEASING INTO THE FREAKING WILD WITH THEIR CHILDISH HIGHSCHOOL-ESQUE BACK AND FORTH PROGRAMS?!?!?!
Once again, YES. Give me a break. "I didn't know what kind of damage nor to what extent it would be..." should be met with "Should've thought about that, 20 years without parole, no chance to ever sit behind a keyboard again". IT staff EVERYWHERE have had to work TRIPLE TIME (keep in mind, 90% or more of us are salaried, so guess what, no OT for us!) to keep these idiots out of our networks because of two failings:
1: any known exploit that's abused in any Windows environment
coupled with
2: end users who aren't educated in preventing these things through regular measures of updating Windows, running updated antivirus scans, etc...
Knowledge is power and yes, these and others could've done something different and better but I have no sympathy because you know they know that everyone will read their back and forth banter and for all we know, they're all one big group laughing at all of us thinking they're two warring factions in cyber-crime.
Throw them under the jail and get rid of the key, if you ask me. IMHO, of course, hehe...
The Texan
May 11th, 2004, 02:32 AM
they said before he was caught he might have released another version of Sasser....
The Grunt
May 11th, 2004, 04:53 AM
SHOULD THEY ALREADY KNOW WHAT THEY COULD BE RELEASING INTO THE FREAKING WILD WITH THEIR CHILDISH HIGHSCHOOL-ESQUE BACK AND FORTH PROGRAMS?!?!?!
Hey, watch the high school dissing, some of us are still there :D...
But, I am not at their maturity level thankfully. ;)
mark_boyle2002
May 11th, 2004, 11:01 AM
If eEye had kept the code private and worked with Microsoft on a private, professional basis, Internet users wouldn't have had to cope with this, and Microsoft could have fixed it in their next hotfix. Users are patched, damage would have been minimal if any
Prodikal, I think it's more likely that the virus was a direct result of someone decompiling the patch to find out what exploit it was fixing.
Just a theory. I know I rip these patches to bits every time I get them to see what they are changing.
dopeydadwarf
May 11th, 2004, 11:16 AM
Original link
but is expected to slow down as computer users download anti-virus patches.
Correct me if I am wrong here, but couldn't this have been avoided if the MS patch had been installed in the first place?
2 cents
mark_boyle2002
May 11th, 2004, 11:41 AM
Valid 2 cents Dopey. The patch was out before the virus this time.
prodikal
May 11th, 2004, 12:22 PM
Mark: The patch was released
Issued: April 13, 2004
Updated: May 4, 2004
Source (http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx)
the earliest POC was
04.24.2004
then a universal exploit was released on
04.29.2004
Source (http://k-otik.com/exploits)
then the virus appeared on the scene
The Sasser Internet worm first appeared April 30
Source (http://www.infoworld.com/article/04/05/07/19NNsasser_1.html)
Is 11 days really that long to patch millions of users worldwide? I think the exploit framework was probably done with the first PoC that was released, and when the second was released it was twice the damage. Think about when the universal exploit and the worm appeared: within 16 days of a patch and advisory being released there was a very malicious worm out in the wild. I ask you, is 16 days really enough to prevent something like this happening? They should have kept the code under wraps for at least 2 months; 2 months is a decent wait for the VX scene, and after 2 months the worm wouldn't have had that much to exploit. There would still be vulnerable computers out there (there are still vulnerable DCOM hosts from the first exploit that was released), but the Sasser worm causes the computer to reboot, so users would think there is something seriously wrong, take it to be fixed, and the problem would be solved. So those computers are going to be cleaned of the virus, unless the user is really stupid or just ignorant. So I think this will be an easy clean-up, but still something that could have been prevented.
Tiger Shark
May 11th, 2004, 12:41 PM
Is 11 days really that long to patch millions of users worldwide?
What would have happened if all the millions of users worldwide had been firewalled in the first place..... Not much really...... The vulnerable "default-on" services would have been protected by it.....
I, for one, am looking forward to XP SP2.
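Tiger Shark's point about "default-on" services is the one claim in this thread that lends itself to a worked check: before arguing patch-vs-firewall, know what the host is actually exposing. The script below is an added example, not code from the original thread or from any of its posters. It parses a constructed netstat-style listing (sample data in the `netstat -an` layout of Windows 2000/XP, not a capture from any real host) and classifies each bound socket as loopback-only, bound to one interface, or bound to every interface. Anything not loopback-only is reachable by whatever can route to the host, which is exactly the surface a host firewall would have stood in front of. The port numbers in the sample are illustrative and are not a claim about which port Sasser used.

```python
"""Audit which listening sockets are exposed beyond loopback.

Added example: parses netstat-style output and flags "default-on" network
surface. The SAMPLE_NETSTAT text is constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the layout of `netstat -an` on Windows 2000/XP.
# Addresses and ports are illustrative, not taken from a real machine.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:3389      192.168.1.7:49211      ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    127.0.0.1:1900         *:*
"""

# Wildcard binds: the socket accepts traffic on every interface the host has.
WILDCARDS = {"0.0.0.0", "::", "*"}

# One netstat row: proto, local addr:port, foreign addr[:port], optional state.
# `\S+` backtracks to the last colon, so IPv6 forms like [::]:445 also parse.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def scope(addr: str) -> str:
    """Classify a local bind address: 'loopback', 'interface' or 'all'."""
    addr = addr.strip("[]")
    if addr in WILDCARDS:
        return "all"
    if addr.startswith("127.") or addr == "::1":
        return "loopback"
    return "interface"


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int

    @property
    def exposed(self) -> bool:
        """True if the socket can be reached from some network, not just locally."""
        return scope(self.addr) != "loopback"


def parse_netstat(text: str) -> list[Listener]:
    """Return TCP sockets in LISTENING state plus every bound UDP socket.

    Established or closing TCP connections are skipped: they are not surface
    an unsolicited packet from the network can hit.
    """
    found: list[Listener] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, _remote, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        found.append(Listener(proto, addr, int(port)))
    return found


def exposed_listeners(listeners: list[Listener]) -> list[Listener]:
    """Sockets a firewall would need to cover: everything beyond loopback."""
    return [l for l in listeners if l.exposed]


def report(text: str) -> str:
    """Human-readable summary, one line per bound socket, network-wide first."""
    order = {"all": 0, "interface": 1, "loopback": 2}
    rows = sorted(parse_netstat(text), key=lambda l: (order[scope(l.addr)], l.proto, l.port))
    return "\n".join(
        f"{scope(l.addr):9s} {l.proto}/{l.port:<5d} bound to {l.addr}" for l in rows
    )


if __name__ == "__main__":
    print(report(SAMPLE_NETSTAT))
```

Run it against real `netstat -an` output piped into `report()` and the "all" and "interface" rows are the services that needed either the patch or a firewall rule in front of them; the "loopback" rows did not. On the sample, the established RDP session is deliberately excluded, since the point is unsolicited inbound reach, not existing connections.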
bluthund
May 11th, 2004, 02:09 PM
:)
Keeping a known vulnerability under wraps, especially one that has been discovered by an outside party, might be very difficult for MS to do. They are caught between a rock and a hard place. Consider a leak before a patch has been issued. MS may open itself to litigation. It may just pierce their legal defense, by virtue of not showing due diligence, and could set a precedent for other legal action. In their risk management, they must feel compelled to act ASAP on known exploits.
With as many patches and hotfixes that have been issued in the past, it is beyond my understanding why individual users and especially admins fail to update their systems in a timely manner. I am aware that patches can affect the functionality of operating systems, requiring more work of admins by testing the patch, but hey, that is why there are admins.
The grass is always greener on the other side of the fence.
dopeydadwarf
May 11th, 2004, 06:23 PM
Is 11 days really that long to patch millions of users worldwide?
Yes and no. While this time frame was kind of slim, it doesn't excuse a lot of big corporations. For example, as I mentioned in a previous post, this virus/worm caused massive havoc at the local grocery stores. The only form of currency accepted was cash. No credit, debit, coupons, or food stamps. They had freezer failure because all the controls were electronic w/o manual overrides. The inventory scanners did not function. This went on for three days.
Then at my place of employment. Umm, I build business jets. Most of the information is company secret. But for some reason we fell victim to Sasser. If this virus had carried a server with its payload there would have been an even greater problem. I am positive one of our competitors would love to take a glimpse at our blueprints, schematics, and standard processes. Honda just purchased a jet from us, so they could disassemble it, and crate it to ship it back home.
I guess my point is this. And the point has been mentioned already. If these systems had been either patched or firewalled there would have been no problem. Personally I downloaded the patch, experienced problems, after which I removed it. And fell back to the firewall as protection.
Be safe and stay free