Slashdot Mirror


Sasser Author Under Arrest, Say German Police

Apogee writes "A number of german news websites, like n-tv, or the german yahoo news site (courtesy of the german press agency, lending this some credibility) (web sites in german) report that the programmer of the Sasser worm has been arrested by German police. The Sasser author is an 18-year-old man who was arrested on Friday in Rotenburg, Germany. With the Sasser worm being the latest among worms that spread like wildfire among unpatched windows boxes, and apparently also caused serious computer outages and cost to the economy, how will this be transformed into an indictment?" Update: 05/08 18:41 GMT by T : SexySas writes "As the German news site heise reports, the 18-year-old author of Sasser is responsible for Netsky, too. The German police is talking about 'a milestone in war against cybercrime'."

11 of 549 comments (clear)

  1. He was just helping his mother by Anonymous Coward · · Score: 5, Interesting

    http://www.channelnewsasia.com/stories/afp_world/v iew/83848/1/.html

    The motives of the alleged Sasser author were still unclear, but Der Spiegel suggested the teen may have wanted to drum up business for his mother, who owns a company offering assistance to computer owners.

  2. About time by Falconpro10k · · Score: 4, Interesting

    granted, im no microsoft lover, but im also kind of against punks like this guy... he has probably cost me almost $500 since this worm started in my PERSONAL services to my friends and family in order to get this all cleared up..

    as for ms, they should be considered just as guilty, with such a large corporate juggernaught they have, they should be able to look for these vulnerabalities early, and maybe go through some more extensive testing.. or at the VERY LEAST spend a million or so and tell they public they messed up, and how to fix it... (run windows update) at least this way, you have a educated public... ignornance is NOT strength.

  3. So, how did he find the exploit? by Coryoth · · Score: 5, Interesting

    Excellent, hopefully they can ask hima simple question and we can put another argument to rest - Was he aware of the exploit from his own hacking, or being told about it by someone, or did he just read the exploit advisory from Microsoft when they released the patch?

    Realistically odds have to favour just reading the advisory, but there have been plenty of claims to the contrary.

    The next question is, will any media actually bother to find out and publish the answer to that question. I'm guessing "absolutely no chance in hell".

    Jedidiah.

  4. Two possibilities by scum-e-bag · · Score: 4, Interesting

    Two possibilities as I see them. First the kid was stupid enough to write and release the worm from his own machine leaving behind traces or was not careful enough hiding his tracks. Second, the kids' machine was hacked and used to hide the real creator of the worm while releasing the worm. I haven't RTA but I think these two conclusions are logical.

    --
    Does it go on forever?
  5. I wonder if we can settle a small question by Sun · · Score: 4, Interesting

    not really an important one, but still.

    Sasser broke a new record in the time it took to find the worm, from the time the hole on which the worm was based was issued a public patch. Now that we, allegedly, have the worm's author, we can ask him whether it was rev-enged from the patch, or whether he had prior knowledge of the hole.

    Shachar

    P.S.
    I would wager the former, but still interesting to get an authorative answer.

  6. Microsoft involvement [Re:they caught him...] by j.leidner · · Score: 5, Interesting
    they shoulda waited until MS announced a reward for it first!

    Hardly likely to have happened, since according to the Yahoo! Germany newswire, Microsoft gave the vital hint to the German police that led to the arrest. Which makes you wonder whether they scanned their Apache..erm..IIS server logfiles to see who was reading about certain security alerts.

  7. Re:MS by Anonymous Coward · · Score: 3, Interesting

    Whoa!

    I agree that worm writers are scum. They shouldn't be excused because someone else left a vulnerabilty for them to exploit.

    But, especially at this point, I DO think that Microsoft deserves some blame too. SASSER follows in the wake of SQL Slammer and MSBlaster, arguably 2 of the most damaging buffer overflow exploits in many years. IIS has been repeatedly compromised by buffer overrun problems since its initial release.

    It isn't hard to code an automated test for buffer overrun vulnerabilities. I have done it myself for embedded designs that I have done with TCP/IP capabilties. Admittedly, it was a much simpler task for my circumstances since my products support a very limited subset of TCP/IP, but then I don't have a legion of progranmmers at my disposal either.

    Here' my point: given that you had a product that had suffered buffer overrun problems for yeras, wouldn't you test specifically for buffer overrun problems before release? Maybe I would give NT and win 2000 problems a pass but win2k3 and XP were both released after a long history of buffer overrun problems. Why didn't Microsoft test specifically for buffer overrun problems before releasing them?

  8. The Microsoft Secret Police caught this kid by stock · · Score: 4, Interesting
    Remember Minister Otto Schilly signing a security deal with Microsoft ?

    "Microsoft signs security pact with Germany" http://news.com.com/2100-7343-5204643.html

    That was on may 4th... Today THEY GOT HIM. Thats quite a remarkable effort from the Private Secret Police of Microsoft.

    Robert

  9. Re:come down hard by KrisCowboy · · Score: 3, Interesting

    Well, thanks for the insightful info. Guess I just got carried away. You cannot compare a guy's drug problem to his computer problem. Addiction to drugs only shows that he's weak-willed. Writing viruses shows that he's not disciplined, or, he's watching matrix too many times :). You are right, a period of community service is going to help him. But not a short period of one month or year. I'd say, the period should be of (no of effected computers)*(2) days. That should keep him out of mischief for nearly 5-8 years. Because, when a drug-addict says clean for a month, there's always chance of his getting back to business on the 31st day. If he stays clean for 5 years, it's difficult to get back. Or, when a security vulnerability is detected, those rich bastards at M$ should pay a reward to the guys who fix it, and fix it effectively in a short time.

  10. Sven hit Windows at questionable sweetspot by stock · · Score: 3, Interesting
    its rather striking that winME win95 win98 win98se are not harmed by sasser, they only help spreading. Only damage is done to win2k and higher. From which i conclude, that these windows versions are just security breaches, and only have such hookups for spyware and other "activities". Thats to be read here :

    http://news.bbc.co.uk/1/hi/technology/3687583.stm
    "According to anti-virus firms machines running Windows 95, 98 and Millennium Edition can help spread Sasser even though they cannot be infected by it."

    The 18 year old kid, (his name is Sven?) really hit Microsoft windows at its weakest sweetspot: Federal ordered builtin hookups for "remote security management" and other "activities" as e.g. Spyware.

    Robert

  11. Germany eh? by Bazman · · Score: 3, Interesting

    Interesting. We had a machine fall over last week during the height of the Sasser panic. Norton AV had caught an installation of a Windows rootkit, and when we got to it (holiday weekend, so took three days), it had an FTP server installed with 19Gb of German-subtitled Moviez. Kill Bill 2 et al.

    We found various infection scripts lying around, because Norton's quarantine seemed to have stopped the infection script in its tracks. One thing it did was to take the machine's details and upload them to an FTP server. A server in .de of all places.

    We don't know if this invasion used the same exploit as Sasser, or if a small number of Sassered boxes get FTP status or what. But the German moviez + German FTP dropbox seems suspicious.

    Luckily we had the IP-address, username, and password in the script, and were suprised to find we could login there and delete the info. Hopefully the hacker hadn't copied it, but the box has been re-installed from scratch.

    And the user is now seriously contemplating Linux, after losing two days...

    Baz