View Full Version : German Teen ARRESTED For Sasser Attack


HootervilleFan
05-08-2004, 11:41 PM
http://www.usatoday.com/tech/news/2004-05-08-sasser-arrest_x.htm

Authorities: Teen confesses to 'Sasser' computer worm
HANOVER, Germany (AP) — A German high-school student has confessed to creating the "Sasser" worm that generated chaos across the globe by infecting hundreds of thousands of computers, authorities said Saturday.
The teenager, whose name was not released, was arrested Friday in the northern village of Waffensen, where he lives with his family. Investigators in nearby Hanover said they were put on his trail by a tip earlier Friday from Microsoft Corp.

In a search of the suspect's home, they confiscated his customized computer, which was believed to contain the worm's source code, the state criminal office said in a statement.

It added that "as a result of the student's detailed testimony about the viruses he spread, he has been identified clearly as the author."

The worm raced around the world over the last week, exploiting a flaw in Microsoft's Windows operating system.

The teenager is being investigated on suspicion of computer sabotage, which carries a maximum sentence of five years in prison, said Detlef Ehrike, a spokesman for the state criminal office. After being questioned, he was released pending charges.

Unlike most computer infections, Sasser does not require users to activate it by clicking on an e-mail attachment. Once inside, the worm scans the Internet for others to attack, causing some computers to continually crash and reboot.

The teenager told officials that his original intention was to create a virus that would combat the "Mydoom" and "Bagle" viruses, removing them from infected computers. In the course of that effort, he developed the "Netsky" virus further — and after modifying it, Sasser.

"The student did not give any thought to the resulting consequences or damage," investigators said.

On Monday, the worm hit public hospitals in Hong Kong and one-third of Taiwan's post office branches. Twenty British Airways flights were each delayed about 10 minutes Tuesday due to Sasser troubles at check-in desks, while British coast guard stations used pen and paper for charts normally generated by computer.

Sasser is known as a network worm because it can automatically scan the Internet for computers with a security flaw and send a copy of itself there.

robyrob
05-09-2004, 12:02 AM
its kind of ironic when you think about it, every time Microsoft issues a new security patch, the virus writers have a new virus to exploit that hole within weeks - basically taking adavantage of the fact that most computers arent kept up-to-date with new security patches

i strongly suggest that everyone should get automatic updates, AND visit Windows Update at least once a month (unless you're using Linux or a Mac of course)

HootervilleFan
05-09-2004, 12:08 AM
I GOT the friggin Sasser! All because I must have missed an update. So....yes indeed...keep up with them! This was my first experience with this nonsense. I have Norton, and a firewall and do my spy/adware removal...but I wasn't immune from Sasser.

robyrob
05-09-2004, 04:28 PM
http://zdnet.com.com/2100-1105_2-5208762.html?Tag=zdnn.companybox.MSFT

Microsoft's $5 million fund for rewarding informants for leads on virus attacks has snagged its first success with the arrest of a man in Germany who has confessed to the release of the Sasser worm, the software giant said Saturday.

In what the company called a "coordinated multinational law enforcement effort," information provided to Microsoft by informants led local authorities to arrest the 18-year-old unnamed resident of Rotenburg, Germany, only a week after the original Sasser virus had been released.

"Within 48 hours of the informants coming forward, our investigators and the German police were able to identify the perpetrator of the Sasser virus and to take him into custody," said Brad Smith, general counsel for Microsoft. "This individual is responsible, we believe, for all four variants of the Sasser virus."

robyrob
05-16-2004, 09:47 AM
http://zdnet.com.com/2100-1105_2-5211543.html?tag=adnews

Police in Germany question more Sasser suspects
Reuters
May 12, 2004, 5:16 PM PT
German authorities have searched five homes near the village where the teenager who created the crippling Sasser computer worm was caught last week, police said Wednesday.

Police expect to lay charges of computer sabotage against an 18-year-old identified in the media as Sven Jaschan after he admitted to creating and distributing the Sasser worm, which brought down thousands of computers around the world.

They had previously believed the youth, a student of computer science at a vocational college, had largely worked alone, merely exchanging ideas with fellow students.

"The assessments that have followed have now supported the suspicion that others were involved in distributing the virus," police in the state of Lower Saxony said in a statement.

Sasser, a worm that affects computers running on the omnipresent Microsoft Windows 2000, NT and XP operating systems, laid low computer systems of companies, government offices and individuals across the world since it surfaced more than a week ago.

Jaschan was arrested last Friday after a tip-off from Microsoft. He was released pending charges after police seized the computer on which the worm was developed.

Police said officers working with the Verden state prosecutors office had secured a large quantity of material during searches of the five homes near the northern German town of Rotenburg on Tuesday.

Two of those questioned had admitted to receiving the source code to the related Netsky worm from the author of Sasser, but only one had admitted to distributing Netsky.

Police gave no further details, saying the investigation was still under way.

robyrob
05-16-2004, 10:18 AM
http://www.eweek.com/article2/0,1759,1591569,00.asp

Wallon Worm Skirts Around Windows Patch Release
By David Morgenstern
May 12, 2004

UPDATED: A new worm, dubbed Wallon.A, arrives on the Internet, requiring a convoluted infection process. Skipping from page to page, the worm arrives on the host following a call to Windows Media Player.

The latest exploit of Windows and Internet Explorer found its way into e-mail boxes in Europe on Wednesday with the arrival of the Wallon.A worm. According to security services, the new worm is considered a midrange threat and is continuing to spread in the wild.

Wallon.A, reported by several security services such as F-Secure Corp. and Network Associates Inc.'s McAfee business unit, takes advantage of a known vulnerability in Windows.

In fact, its rather convoluted action was covered under the security advisory MS04-013, released in April.

Wallon's infection process is complicated. Unlike the ordinary e-mail worm that arrives in an attachment to a message, Wallon appears as a link in a message to a Yahoo page. But with redirection, the Yahoo connection leads to another page that delivers an encrypted link to yet another page that delivers a special downloader application.

Microsoft provided a security patch for this vulnerability in April and suggested its application for all currently supported Windows versions. The company describes the update as "critical" and recommends it for all Windows variants, starting with Windows 98, even for systems where Outlook Express is not the default e-mail reader.

The downloader app is activated by a call to the Windows Media Player, so when the user enters a media-rich site or views some streaming content, the actual worm is finally downloaded. It then proceeds to perform a series of actions to propagate itself, the services report.

Microsoft's latest patch release addresses a similarly convoluted social engineering mechanism with advisory MS04-015, titled "Vulnerability in Help and Support Center Could Allow Remote Code Execution." In this case, users are directed to a malicious Web page where they click on a link and follow directions. The actual attack occurs only after they perform the actions.