Blaster Writer Caught

Henry V .009 writes "The FBI will be arresting an 18 year-old in connection with MS Blaster, reports The Washington Post." According to the article, the teen was witnessed testing the worm, and then turned in by a bystander. It's also worth noting that this is merely one of the Blaster variations. Hope whoever it was had fun, because a world of pain is waiting in store now.

A witness turned him in?!?

[corebreech]

How on Earth do you witness somebody writing a virus?

He's sitting in front of a computer, hitting keys on the keyboard and looking at the monitor. That describes the person who wrote this story, the person who submitted this story, the person who posted the story, me getting first post, and everybody reading and moderating this and every other post to come.

It also describes RMS writing Emacs, Linus debugging the kernel, and SCO issuing another press release.

Did this witness actually read the code? What kind of idiot virus-writer lets someone he doesn't know pull up a chair and start auditing his code?

Or was the witness tipped off when the screen start flashing "NOW TESTING VIRUS"? Damn, I hate when that happens!

This doesn't sound quite right.

Re:A witness turned him in?!?

[Gyan]

Probably, they caught a small fly. Who then got immunity and secrecy for turning in the ubercoders. Hence, "the witness"

Re:A witness turned him in?!?

[turgid]

What is with this whole 'virgin' preocupation? Why is anyone concerned with this kid's (or any kid's) level of sexual activity? I don't understand.

...beacause it's still a socially-acceptable way to stereotype and belittle young men. You would never hear of people using the term "18 year-old girl, probably still a virgin" in similar circumstances. It's hypocrasy, ignorance and spitefullness.

Re:A witness turned him in?!?

[tigheig]

You're misreading the original message. It's not sad that this kid was caught. What was said was:

The sad thing is they'll fail to catch the original Blaster author so they'll throw the book at this kid for the whole Blaster thing.

The sad and dangerous part is the news media's tendancy to try to find the culprit as if there was a single individual responsible. If they blame the entire thing on him, and then have the standard trial by news pundit, what we'll get is a scapegoat and no progress on solving the problem of poorly written software and an expanding OS monoculture that makes the vulnerabilities even more prevalent. Slammer, Blaster, Sobig, and whatever the next one is represent a serious problem, and if we get another attempt to blame it all on the loner teenage hacker instead of trying to fix the bigger problems that make it possible we'll get hit again and probably much harder.

Many of us have spent a lot of time trying to convince our senior management that we have serious problems with unmanaged systems (i.e. either not sysadmin'd at all, or administered by someone who doesn't know what they're doing) and are finally beginning to make some progress. We don't need scapegoating clouding the issue.

I was approached this morning by a VP in my company who pointed to this news release and said 'Looks like they caught him, I guess we don't need that project you wanted for better patch management on the Enterprise network.' I went about re-educating him (and was reasonably successful), but I know I was successful because I have his ear and he listens. Not all of my peers at other companies are as lucky.

Im guessing it was a mate of his

[msim]

I mean, maybe he borrowed his mates computer to do something, saw something interesting, then got told to take a long walk off a short plank when he tried to blackmail him.

Well until someone is caught and Proven to have written the virus, as far as im concerned it is a bunch of FUD.

A world of sympathy

I'm no sure about the world of pain. Given the age, given the media, I predict the sympathy angle will start to be played for all is worth.

Seriously? Arrest Microsoft, Inc.

[Drakon]

This is a ~10 year old vulnerability in DCOM.
Corporate neglagence is still a crime. and Corporations are Individuals, therefore Microsoft, Inc. Should be incarcerated.

Re:Seriously? Arrest Microsoft, Inc.

[EvilTwinSkippy]

Exactly how do you put a fictitious legal entity in Jail? Or perhaps you meant the entire company and everyone who worked there.

I'm a firm believer that Microsoft, for all it's faults, isn't nearly as much of a problem as it's doting customers. Microsoft has ALWAYS been terrible at security. This is not news. So who the hell keeps buying their crap?

Start charging the folks who deploy Microsoft for negligence.

Re:Seriously? Arrest Microsoft, Inc.

[beacher]

Ralph Nader brought the automotive industries up to safety standards. I'm too young to remember the public's preception of him, but it sounds like we need someone like him around again. Microsoft has enough defects inside it's operating system to make it the 2000's equivalent of the Ford Pinto. They should be held accountable.

What about the users though? This isn't the 70's and information is readily available about Microsoft's security practices. Why do they do it? Is it like riding a rollercoaster that has a 6 junction split at the end, only 2 of which leads to the egress queue, 3 of which leave you hanging on the top of a hill until you debug the rollercoaster, and the final split has a jump through a fiery ring with no landing zone? I mean come on, they all saw the rollercoaster... They all knew the ramifications of their actions.. What about them?

-B

Re:Seriously? Arrest Microsoft, Inc.

[Darth_Burrito]

A company I once worked for, NCR (National Cash Register), built a moat around their headquarters.

Re:Seriously? Arrest Microsoft, Inc.

[Slack3r78]

Except Ralph Nader didn't just attack the automotive industry's real problems. He created problems that didn't exist to gain publicity for his cause. That said, it's important to note Nader wasn't the one who "blew the whistle" on the Pinto. But here's a car that he did:

From 1959 to 1969, GM produced a car under the name of the Chevrolet Corvair. The Corvair was radically different from any other American car produced at the time. It was rear engine and powered by an air-cooled V6. This made it a perfect target for the type of attack Nader wanted to launch. It was different, and therefore, suspect. Now, the way the rear suspension of the car was originally designed, under heavy cornering, the rear wheels could take on a positive camber, which Nader charged GM knew made the car prone to rollovers, yet did nothing about. Serious charges to say the least. Did I mention that GM was not only aware of the "problem" (more on that later) but had fixed it before Nader's book "Unsafe At Any Speed" was released?

To say the least, these were serious charges which outraged the public, and cost GM dearly with negative publicity. But here's the thing - in response to these charges, the National Highway Transportation Agency decided to put both styles of Corvair and a few of its competitors through severe handling tests. Neither the original style Corvair nor the later style with camber compensation showed any handling abnormalities and did not roll in ANY single test. There's a much more detailed bit of information about the whole situation here.

So what you have is Nader using people's fear of the unknown to generate massive publicity at GM's expense with little to no actual evidence on claims which are eventually proven by both the NHTA and an independent panel to be totally false. In fact, in the years since then, Nader has even admitted that the only reason the Corvair was targeted was because GM was the largest automotive manufacturer at the time, not because of any real problems with the car. And this is the reason that while I may agree with some of his ideals, I would absolutely NEVER vote for Ralph Nader. He's no less of a liar than the ones he ridicules.

Re:Will be arresting...

[TheDredd]

Well if he's reads slashdot, he'll be long gone by now

Is it standard FBI practise to anounce to the public they will arrest someone before they actually do?

Re:Assuming this is true....

[sperling]

This guy's probably just a kid that grabbed the worm while it were passing, modded it a little and passed it on. I doubt it's the original author...
Although, looking at how lousy that worm was implemented, the authour might be dumb enough to get caught.

He did not write MS blaster

[watzinaneihm]

I submitted this story sometime ago, but got rejected. The kid actually did not write the MSBlaster worm, he modified it to make it more potent and released it. story here

Bragging

[PrImED73]

Perhaps, as some kids are at that age do (not all before you flame me), he had been bragging about it in an irc chat room, had an enemy/concerned chatter catch wind of it and reported it to the feds with logs and IP information.

Why not eh? stranger things have happened at sea.

HAX0R!!!

It can take weeks of computer forensics to identify what someone was creating on a computer, so I doubt very much that they're 100% certain this kid is guilty without inspecting his equipment. And last I checked they need proof before assigning guilt (unless Ashcroft's already removed that clause from US law).

Yo, RTFP/RTFA

[RedBear]

Yo, RFTP/RTFA. It says in both the article and the post that the witness saw the person "testing" the virus, not writing it. Which is even more scary in a way. How did the witness know what he was doing? What day was it? Which version is he supposed to have written? Oh, and there has been "no arrest made in this matter yet."

The BBC article contains a bit more info: It says he's suspected of altering the original MSBlast worm into one that would cause more damage.

It also says: "Reports suggest he is likely to be arrested by the end of the day." WTF? They're giving him advance warning?!? Run, boy, RUN!!! LOL.

Vigilante Virus Writer

[Toddimer]

"Instead he is suspected of altering the worm into a variant that did more damage than the original."

Another /. article recently exposed a variation of this virus that actually cleaned up Blaster by automatically patching the "infected" computer, yet caused more trouble than the original in terms of network traffic.

I wonder if this could be the variation they suspect the teen worked on? If so, it could turn into a slippery moral slope for the press to take a stand on either way...

No wonder he got caught

[Xel'Naga]

IIRC, the boy tried to DDOS www.windowsupdate.com, which is not the URL people usually use for windowsupdate.
Makes you wonder what a professional terrorist could do. The worm could have been far more destructive.

It is so obvious that Microsoft wrote this article

[dodell]

Infected computers were programmed to automatically launch an attack on a Web site operated by Microsoft, which the software maker easily blunted. The site, windowsupdate.com, is used to deliver repairing software patches to Microsoft customers to prevent against these types of infections.

Talk about an advertisement.

Anyway, doesn't it ever occur to the press that Microsoft could actually be doing a better job researching into securifying their products *pre* release? Right now (as everyone knows), they're submitting corporate-level products to corporations, making gazillions of dollars, and ignoring any bugs until someone points them out.

When is somebody going to finally decide to call them on this and force Microsoft to do a security audit? :\

Re:Will be arresting...

[cherberos]

Well, the BBC article claimes the FBI already talked to him.
There is probably more to this then the article states (as is almost always the case with the media-reports). It's pretty vague. A witness, testing? Where was he testing, and how. AV-companies also test this stuff.

Context is missing, so I guess a conclusion will have to wait till this afternoon.

Re:If

[tankdilla]

Would've been kinda funny if the kid was actually a kid, like 12 yrs old or something. The headlines would say:

***World crippled by 12 year old***

Who would've gotten blamed then and what would've been the consequences?

Caught after Braggin' - How typical!

Few years ago, one of our local companies got hacked and it took like 1 week to catch the "hacker".

How? He started bragging about what he did in a IRC chat room... But oops.... few days later caught!

For gods sake he was like 23 years old!

One word:

[Motherfucking+Shit]

Mafiaboy.

Given the age (he was only 15!), and given the media, he was still crucified. There was no sympathy angle, there was no "youngster gets hassled by overzealous feds" angle. He was, as could be expected, generally portrayed as an evil h4x0r who DoSed eTrade, eBay, Yahoo, etc.

No, whomever launched MSBlaster.B is not going to become a media darling, and he damned sure isn't going to win the hearts and minds of Joe Sixpack, whose computer kept rebooting itself due to the various incarnations of MSBlaster.

From a personal standpoint, I think it's sort of shitty that this kid is getting busted for what seems to amount to no more than a bit of hex editing. I'd rather see the FBI investing its resources into tracking down the author of the original MSBlaster (as opposed to a barely-modified variant which didn't propagate widely)... And I'd much rather see them go after whatever assclown is responsible for SoBig.F, of which I've now received more than 6,000 copies at 100KB apiece. That's not to say that they aren't investigating these things, and I hope they find the perps eventually; but I think it's a bad deal that they're going to bust a kid who made a knock-off instead of the guy who started it.

I really don't buy the sympathy angle. The guy allegedly launched a worm variant, he probably bragged about it (another similarity to Mafiaboy), according to MSNBC, the FBI subpoenaed IRC server logs to track him down. Launch a worm and gloat about it to your 31337 buddies, and you get what's coming.

Fists in the air in the land of hypocrisy

Advertisers and marketing executives spend billions of dollars each year creating, researching, and disseminating memetic viruses through every conceivable media outlet...

OUTCOME: Profit and stupidity

An 18-year old writes a computer virus that shakes these corporations up a little bit....

OUTCOME: The FBI arrests him

MORAL OF THE STORY: The Matrix has you...

P.S. Wake Up by Rage Against The Machine is a great song

Another version of the Blaster worm

[No2NT]

An the article is not kidding about variants of the blast worm. Two weeks ago we saw heavy destination traffic on port 4444 to random boxen on the internet. It turns out one of my client's linux boxen had been cracked into and a dropper that works just like the blaster virus starting hitting hundreds of outside servers. We tested it in a clean lab and it would infect but not install the worm properly. It was nice that he left source code and all. Makes me wonder just how many variants are still out there?

Here's the some of the source, might look familiar to some of you..... Hope the right person sees this. /*
**
** 2003/07/27 - DCOM RPC WIN32 remote exploit (Most languages)
**
** FlashSky/Benjurry and, H D Moore's code is very excellent.
** It works well even if change only return address.
** I didn't feel necessity for new make.
**
** Thankful to them.
**
** 2003/07/30 - Update, Added magic return address.
**
** kokanin supplied very excellent information:
** URL: http://lists.netsys.com/pipermail/full-disclosure/ 2003-July/012000.html
**
** * As well as Korean thanks to, a lot of systems can exploit.
**
** --
** Thank you.
**
** P.S: Sorry, for my poor english.
**
** --
** exploit by "you dong-hun"(Xpl017Elz), .
** My World: http://x82.i21c.net & http://x82.inetcop.org
*/

#include
#include
#include
#include
#include
#include

u_char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,
0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,

Prison rape

[Boing]

Okay, this will likely be treated as a troll, but I have a little karma to burn. I have issue with the people who are moderating the numerous "haha this guy will get raped in jail" comments as "funny". Prison rape is a serious issue, as much as real-world rape. This kid is eighteen. He did something that pissed off a lot of the world (including most of the people reading slashdot). But, legally or not, he's a damn kid. If you're older than eighteen, how many asswitted things did you do when you were that age? Would you have ever thought that the idea of you getting raped for any of them was acceptable?

I expect the comments in the first place. It's inevitable among any community that has people the likes of the "Frist p0st" and "go to cnn.com [secret link to goatse.cx]" commenters. But the moderation system is in place so that crap like that can get ignored by the people who don't want to hear it.

If you think it's funny, Obviously I can't/won't stop you from moderating it that way. But think about the real issue behind it before you encourage lighthearted humor about rape.

Re:Huh huh, he said penis...

[Felinoid]

There is also a possability they busted someone who was just discecting blaster not making a new varent.

To a techno neophite there isn't much diffrence. If the guy decompiled the code and his friend looked over his sholder his friend would see someone with the blaster source.
Decompillers aren't so well known now a days so even an experenced programmer who might normally know what he is looking at might not recognise this as decompiler output and not original source code.

He might also not realise you generally can not recompile decompiled code.

Or the busted teen is an idiot who said "Hay watch this. I got blaster. Now I'm chaning it to penis32. Aren't I clever?"

Vote on it!

[waynelorentz]

The Houston Chronicle version of the story allows you to vote on who's to blame:
Microsoft, The virus writers, or people who click on attachments.

Come on you anti-MS-types, get clicking!

Re:how odd, not the situation here in UK

[DrSkwid]

eing an animal-rights ass or just fighting some dumbassed class war?

both

We are a place without wilderness.
Access to every square inch is under control.
Freedom is not just freedom of thought.
Without freedom of movement there is no freedom.

We have a saying, "The trouble with country folk is they lost touch with nature."

Misprison of a felony

[SunPin]

Look it up, amigo. If you know about a felony and you don't report it, you are guilty of cover-up and can serve time for your avoidance of doing the right thing.

You have an amazingly rosy view of how the law works in this country. You must be those law-abiding citizens with nothing to fear that I keep hearing about. When we have laws that will revoke habeas corpus for the bizarre and impossible crime of loitering with space aliens (1982, Department of defense appropriations bill) and the hard-hitting "conspiracy of one", you can and will go down for anything if they want you.

Do you think it's an accident that we have the largest prison population, in absolute and relative terms, in the world?

So you feel better now?

[miradu2000]

IS it really worth ruining a persons life, if he is found guilty, just becuase you as a sys admin had to deal with an inconvience. Windows update didn't go down, maybe some of your time was spent dealing with it, but that is YOUR JOB. And if your network isn't up to date with updates, IMHO, it's your damn fault.

Sadly he'l be the scaegoat while all the network admins, microsoft etc gets to go free. I just don't think that any punishment they give him will fit the crime... Personally i think he just needs to do some community service, what he did was wrong, but nothing truely bad.

Belittling ourselves

[phorm]

Actually, considering the self-deprecating humour on slashdot, I wouldn't read too much into it. How many of us have joked about "slashdot readers being virgins." Mainly because we have a large geeky population, and many (but not all) of said geeky population lack the social skills to properly interface with members of the same gender, let alone the opposite sex.

The virgin isn't really a reference to sexual activity per-se, so much as it is a reference to the fact that somebody with so much a lack of a "life" probably is very likely sitting in front of a PC 24/7 and not meeting women.

Actually, sounds a lot like me in High School. Except that I didn't write viruses (custom backdoors to deal with people in the lab I didn't like, yes, but the teachers knew and found it amusing), and I now do have a social/sex life in addition to geeky pursuits.

Of course... another trademark of my geekdom is that said social life usually falls on the backburner whenever the newest Final Fantasy or RPG comes out... luckily the g/f is into 'em too (though I haven't gotten her on Warcraft/Starcraft or FPS yet).

Re:Prisoner rape is funny, ha ha

[ivanmarsh]

Blaster took down transportation systems, among other things, and put many people's lives in danger.

Rape is the least of what he deserves. Try him as a domestic terrorist under the patriot act an make him disappear.

Some thoughts on future virus and worm attacks...

You know, looking at the previous weeks in retrospect we can consider ourselves lucky that virus and worm writers haven't latched onto the "open" paradigm....

I think it would be an extremely bad situation if worms had some sort of SDK and documentation in their payload so that anyone, just like this 18-year old, could build on the worms capabilities. By the same token, it would be even worse if the source code to the worm would not be included because that would be a great help for those developing countermeasures against it.

If there's a way to build on a worm's code, people will come up with novel ideas to use the code the original developer of the virus didn't even think of. They could even provide field service to it, fixing/improving the propagation code for example so it hits even more systems.

Finally there's one thing I hope virus writers never consider.. I hope they wont delay execution of their damage code, not even for a couple of hours. If they did that, their worms could penetrate much deeper into intranets before admins detect it and cause so much more damage.

I hate virus writers. They hurt all the corporations dear to my heart, the bank I love and the government we all rely on. I hate this little 18 year old brat whoever he is going to be (obviously the FBI didn't pick which of the million teens with a computer and a modem to go after yet...). I hope they throw the book at him and make him suffer like Mitnick. Scum like that doesn't have "rights" much less a "right" to "due process". They should kick him into the face for breakfast, torture him with cattle-prods for lunch and bullwhip him for dinner 7 days a week.

There comes the question

[phorm]

Who would understand he was actually writing a virus? Well, perhaps a fellow coder, a hacker, a classmate?

But then that brings the question: such individuals are usually fairly close-knit. If you're around the dude long enough to realize his code is a blaster-variant, and he is somewhat of a friend, or good associate, would you turn him in? How many geeks would?

It's a hard decision, especially with a decent chance that with the current upset over said viruses even a script-kiddy variant-writer is going to get lynched after being caught. It'd make him/her a good example for other would-be virus writers, but would you do it to somebody you know?

Of course, many such geeks are vain. It could have been somebody declaring, "you think blaster was bad... wait until you see the badass variant I'm writing. I'm going to 0WZ0R J00"...

Bill Gates taunt in worm.

[RoadWarriorX]

Researchers also discovered another message hidden inside the infection that appeared to taunt Microsoft Chairman Bill Gates: "billy gates why do you make this possible? Stop making money and fix your software!"

Gee, maybe we should take his message more seriously. Maybe the author of the worm is correct in some aspects. Some say that Microsoft is solely to blame for this. I'd say it is not 100% correct. There is a shared blame for the security problems:

1. Microsoft, like many other companies, always preferred to have features and ease-of-use over security. To be fair, Microsoft and it's security initiatives have been somewhat successful, the preference still remains. The security problems still will continue.
2. The U.S. Government, specifically the Federal Trade Commission. They has continually ignored the fact that security problems in Microsoft software has costed the government, businesses and individuals billons of dollars combined over the years. We see that monetary quantification all of the time, however, the always forget the real impact of individuals. These security problems do affect the daily life of individuals, from deleted homework assignments to identity theft.
3. The Mass Market. This is because the mass-market of computer users want simplicity because they are not willing to take the time to learn about it's implications. They are technologically challenged. So, the mass-market users are mostly willing to sacrifice their security and privacy in order to have this simplicity. If they still continue to use products knowing that their time, their identity, their money and their life might be affected by the use of these products, then I do not feel sorry for them at all. They've made their consumer choices, let them learn from their mistakes.

--
No memory available for sig. Please reboot now.

Scapegoat?

[Attaturk]

Apart from the obvious "innocent until proven guilty" matter, how about we don't publicly hang some kid for tweaking a virus until we've found the real author and proved his/her guilt.

Media-blitz acomming FBI are heros (NOT)

[gone.fishing]

On tonight's TV news and in tomorrows newspapers we will see and hear headlines that tell us that the blaster author has been caught and that he faces a lengthy prison sentence. This is what most people will hear and understand. The few who dig deeper will learn that this kid took the worm and created a variant of it.

What the kid allegidly did is wrong, if he did it, he deserves to be arrested, arraigned and go through the process and ultimately be punnished.

I smell a smoke screen here. It seems to me like the FBI is making this arrest and getting the publicity here for their own purposes. By making an arrest and getting publicity, they are doing something for themselves. People will think the FBI actually caught the guy that did it. That isn't true. They caught a stupid individual who took the code, changed it, and re-released it.

Now that the pressure is off, I doubt that the FBI will be able to afford many resources to keep hunting down the original author. They will keep some people on the case but the reality is that they will task most of the agents to other higher priority things now that this is going to the back burner.

To me, the FBI has achieved their goal - to divert publicity away from themselves but, they have not achieved justice which is what I would expect of them.

MOD PARENT UP

All these comments posted claiming this kid is innocent obviously haven't run a google search yet for "teekid"... Quite a few of his antics, including defacing the Minnesota Government Finance Officers Association page are still in the google cache.

I think the FBI deserves props for catching this guy, even if he's not the original author, he was still up to no good and one less script kiddie is one less script kiddie.

Re:Huh huh, he said penis...

[uxo]

Decompillers aren't so well known now a days so even an experenced programmer who might normally know what he is looking at might not recognise this as decompiler output and not original source code.

Back in my day we called them disassemblers.

Anyway, the author of this thread says someone witnessed him testing the virus, not modifying it.

Re:Huh huh, he said penis...

[$exyNerdie]

Here's that genius's picture - Jeffrey Lee Parson, 18, Minnesota teenager who officials said admitted to making a copycat variant of the devastating Blaster Internet worm.

He looks bald at age 18 !!