Sasser Author Under Arrest, Say German Police

Apogee writes "A number of german news websites, like n-tv, or the german yahoo news site (courtesy of the german press agency, lending this some credibility) (web sites in german) report that the programmer of the Sasser worm has been arrested by German police. The Sasser author is an 18-year-old man who was arrested on Friday in Rotenburg, Germany. With the Sasser worm being the latest among worms that spread like wildfire among unpatched windows boxes, and apparently also caused serious computer outages and cost to the economy, how will this be transformed into an indictment?" Update: 05/08 18:41 GMT by T : SexySas writes "As the German news site heise reports, the 18-year-old author of Sasser is responsible for Netsky, too. The German police is talking about 'a milestone in war against cybercrime'."

phatbot authors busted too

[taran9000]

they were also arrested on Friday.

Re:phatbot authors busted too

[Vlad_the_Inhaler]

Loerrach (where that article says the Agobot/Phatbot author comes from) is on the German/Swiss border and around 10 miles from the French border. The programmer was also apparently part of a group - others helped him write it.

Loerrach is about as far as you can get from the village the Sasser author came from and still be in Germany.

US authorities helped the German police in both cases.

Articles in English

[metlin]

Here is Reuter's take on this and the news release at Biz Ink.

Re:Articles in English

[Zocalo]

And a few more at The BBC, Sky News, CNN... None of them have a great deal of detail yet though, nor is there any mention of the connection between Sasser and Skynet alledged in the code of one of the varients.

Phatbot comes from Germany, too

[smk]

See here in german and the google translation. Official say, there is no connection. Well ...

Rothenburg an der Wümme.

[Qbertino]

We've got a few (3?) Rothenburg's in Germany. The one americans probably know the best is Rothenburg op der Tauber.
Rothenburg a. d. Wümme is not the medival postcard town, it's just a small boring northern german town. :-)
BTW: Wümme and Tauber are both rivers. German cities with same names ofter difference themselves by the rivers they lie at.

Re:Will he go on trial

[Star_Gazer]

Since both Sasser and Phatbot developers are native germans, they will never be extradited. German constitution luckily forbids it. Only foreigns can be extradited to other countries and only if they don't have to fear death penalty and will get a fair trial.

Re:Not framed?

[zazzel]

Obviously, you don't know much about the german judicial system, nor about our police.

The boy is already back at home (no risk of escape) until he'll be tried. He'll probably get probation, at most. He'll MOST probably be tries under juvenile laws, which have the overruling goal of "educating" young people.

However, he'll be held responsible for the financial damages he's done.

Re:Liability

[varmit+poontang]

If someone sets fire to a house. Are they not responsible for it burning down, whether or not it has sprinkler system or not. This tried to set a fire to all the computers in the world that didn't have their patches yet or sprinklers on. Its a simple thought. He set the fire, it destroyed the city, he is liable for what he has done. I'm just getting pissed that the virus writers are turning out to be teenagers. I mean, come on, go out on dates, go to the movies, play sports or something, why the hell are they staying home and doing this crap. And Microsoft, just start having your patches work, I'm sick of the patch for the patch for the patch because you couldn't get it right the first time.

Re:Not framed?

[zazzel]

To answer two posts in one:

- he cannot be extradited. The German constitution forbids that.
- juvenile laws *can* be applied for ages 18-21 (and very often are), and they have to be applied below.

My guess: juvenile law, probation and probably several 100 hours of social service. And financial damages, of course.

Anyways, shouldn't Microsoft be in his place?

Re:Not framed?

[Sique]

A german court can't award financial damage during a criminal process. If you want to claim financial damage, then you have to enter the trial as a "Nebenklaeger" (secondary plaintiff) and prove that you were financially damaged by the actions of the defendant.

I guess most people will be afraid to fully disclose in court how their IT management works and how their other business processes run to prove the amount of money they have lost due to Sasser.

Re:The auther prolly used WinXP

[cubic6]

Take your paranoid fantasies somewhere where people don't know enough to refute them.

First, when you compile an EXE file with MS tools, it follows a format called the Portable Executable format[1]. You can verify this by opening up the EXE in a hex editor. There are a few headers, a few sections for code and data, and maybe a debug section. There isn't a section called ".backdoor" or ".spyonuser". By examining it very carefully, it might be possible to determine which version of Windows produced it and what compiler, but you aren't going to find your MAC address, name, street address, and favorite color anywhere.

Second, if you're talking about a network backdoor, that's extremely unlikely also. You can see someone using a backdoor on a Backdoors aresimple packet dump. Set up a packet sniffer between your computer and your internet connection and watch for strange packets. Write a virus or something, and see if someone from MS makes a connection to your computer. If you're so paranoid as to think that MS has trojaned all the routers, switches and hubs in the world so as to make it completely impossible to trace, go see a psychiatrist.

[1] - Reference for the PE format: here