Slashdot Mirror
Sasser Author Under Arrest, Say German Police
Apogee writes "A number of german news websites, like n-tv, or the german yahoo news site (courtesy of the german press agency, lending this some credibility) (web sites in german) report that the programmer of the Sasser worm has been arrested by German police. The Sasser author is an 18-year-old man who was arrested on Friday in Rotenburg, Germany.
With the Sasser worm being the latest among worms that spread like wildfire among unpatched windows boxes, and apparently also caused serious computer outages and cost to the economy, how will this be transformed into an indictment?"
Update: 05/08 18:41 GMT by T : SexySas writes "As the German news site heise reports, the 18-year-old author of Sasser is responsible for Netsky, too. The German police is talking about 'a milestone in war against cybercrime'."
they shoulda waited until MS announced a reward for it first!
How can one make sure he was not framed?
Also what international terrorist law is he going to be tortured for?
http://www.channelnewsasia.com/stories/afp_world/v iew/83848/1/.html
The motives of the alleged Sasser author were still unclear, but Der Spiegel suggested the teen may have wanted to drum up business for his mother, who owns a company offering assistance to computer owners.
they were also arrested on Friday.
Here is Reuter's take on this and the news release at Biz Ink.
How did they find this guy? Was it that he was bragging like in the former MS worm cases, or was there a "higher technological power" involved?
Score: Pandering Karma Whore -5
find it ironic that an ad for Microsoft security services accompanies this story?
There is no reasonable defense against an idiot with an agenda
:wq
IF that person is found to be guilty ( Remember kids, innocent until proven guilty! ) than that person wil be solely held responsible for all damages Sasser has caused, is causing and will cause in the future.
Hate me!
granted, im no microsoft lover, but im also kind of against punks like this guy... he has probably cost me almost $500 since this worm started in my PERSONAL services to my friends and family in order to get this all cleared up..
as for ms, they should be considered just as guilty, with such a large corporate juggernaught they have, they should be able to look for these vulnerabalities early, and maybe go through some more extensive testing.. or at the VERY LEAST spend a million or so and tell they public they messed up, and how to fix it... (run windows update) at least this way, you have a educated public... ignornance is NOT strength.
WARNING: This sig does not contain a joke
In other countries? He did damage in more than one country, but with the tangled web of extradition treaties etc, how will other countries deal with his arrest? Will they demand justice?
I guess the fact that he was in Germany, a country with a modern justice system and extradition treaties, will help. They have had a hell of a time in the past getting police in places like Russia and the Phillipines to co-operate.
Just another interesting adventure in the globalized, internet-driven world I guess.
See here in german and the google translation. Official say, there is no connection. Well ...
* Smile. People will wonder what you think. *
Excellent, hopefully they can ask hima simple question and we can put another argument to rest - Was he aware of the exploit from his own hacking, or being told about it by someone, or did he just read the exploit advisory from Microsoft when they released the patch?
Realistically odds have to favour just reading the advisory, but there have been plenty of claims to the contrary.
The next question is, will any media actually bother to find out and publish the answer to that question. I'm guessing "absolutely no chance in hell".
Jedidiah.
Craft Beer Programming T-shirts
Two possibilities as I see them. First the kid was stupid enough to write and release the worm from his own machine leaving behind traces or was not careful enough hiding his tracks. Second, the kids' machine was hacked and used to hide the real creator of the worm while releasing the worm. I haven't RTA but I think these two conclusions are logical.
Does it go on forever?
The article also referred to Der Spiegel
As reported in Der Spiegel
ah, mod points
Make him explain to my mother what a worm is, what he made it, and how to enable a firewall. That'd be punishment enough.
Read reviews of shopping cart software
I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
Didn't the creator of the Melissa virus get his sentence removed in exchange for helping the government with security stuff?
If so, the same thing could happen to this guy with the German government.
Vonal Declosion
We've got a few (3?) Rothenburg's in Germany. The one americans probably know the best is Rothenburg op der Tauber. :-)
Rothenburg a. d. Wümme is not the medival postcard town, it's just a small boring northern german town.
BTW: Wümme and Tauber are both rivers. German cities with same names ofter difference themselves by the rivers they lie at.
We suffer more in our imagination than in reality. - Seneca
if i go out onto a motorway... and throw a bag of nails on to the road, into the path of cars traveling at 80mph, how am i any more liable for the resulting carnage than the millions who run insecure rubber tyres?
the responsibility lies with vehicle manufacturers for not fitting tyres with kevlar inserts in the side walls as standard; and with motorists for not fitting them themselves.
not really an important one, but still.
Sasser broke a new record in the time it took to find the worm, from the time the hole on which the worm was based was issued a public patch. Now that we, allegedly, have the worm's author, we can ask him whether it was rev-enged from the patch, or whether he had prior knowledge of the hole.
Shachar
P.S.
I would wager the former, but still interesting to get an authorative answer.
> And writing intentionally crappy operating systems isn't? Ask yourself: what would happen if they wrote something that was *perfect*?
Someone would complain the default colour scheme was crap.
Yeah, but even if you leave your house unlocked it is still a crime. If it weren't, any criminal could grab your wallet saying that since it wasn't pad-locked down to your chest, it's his. Or could kill someone and claim it was his fault for not carrying a loaded weapon and constantly surveying all around.
People lock their doors because they realize there is a threat, if they don't realize there is a threat, they lose stuff, but it is still criminal. Hopefully after the 5th time someone gets their house broken into they will realize that they need a lock, same goes with computers.
I'm no microsoft fanboy(I don't even use windows), but blaming them is like blaming a car manufacturer because your car got totaled when some jackass rear-ended you. You should have done your homework before you bought the car, and that still does not absolve the jackass.
However I am basing this on that fact he is 18 and on the assumption that he fits a profile of some kid who does n't have many friends and needs attention. I'm not saying I'm right, just my take as you'd be amazed on how many criminals get caught simply on the inability to keep their mouths shut.
If you leave the doors to your house open, and a large neon sign over the threshold saying 'WELCOME', you'll be *damned* lucky if your insurer would pay up.
This is more like just leaving your doors unlocked. There is no protocol for a system to advertise it's vulnerabilities.
Without regard to whether your doors were locked it is illegal to steal things from your house.
Much as I'm pissed off with Microsoft for putting out software with so many holes, I think virus writers still have a lot to answer for.
I reckon he should get 10 minutes of prison time for every machine his trojan infected, since this is the time it probably takes someone on average to clean up the mess.
1,000,000 * 10 minutes = 166,667 hours = 6944 days = 19 years.
Seems fair to me, anyways...
How, exactly, is he any more liable than the millions who run insecure, unpatched machines?
That's ridiculous - people who don't wear bullet proof vests aren't "as liable" as the people who shoot them.
If you leave the doors to your house open, and a large neon sign over the threshold saying 'WELCOME', you'll be *damned* lucky if your insurer would pay up.
No, but you could press charges for burglary if somebody came into your house and stole something. Insurance is a matter of commercial contracts - we're talking about the law here.
If he hadn't exploited it, someone else would have, and the result would have been the same.
No, if someone else had exploited it, then the gentleman under discussion here most probably wouldn't be in police custody facing criminal charges right now.
The reponsibility lies with microsoft, for creating shite software, with inherent vulnerabilities, and with the users, for not bothering to have any kind of protection.
What kind of a world do you live in where the people who write and send out a virus are not liable for the damage it causes?
#!/usr/bin/english
It has the feel of a proof on concept to me. It distributes fine, but doesn't actually do anything (the crashing appears to be a bug, and the CPU usage is an unavoidable consequence of the distribution process). I wouldn't be suprised if a version with a payload is released soon.
Sure, these worms did cause a lot of inconvenience and downtime and such. But a (probably unintended) benefit of their outbreaks was that many vulnerable machines are now actually patched. Without these worms, if you hit a random 2K/XP machine on the net, there is a very good chance that you can take over the machine through either DCOM or LSASS (port 135 and 445 IIRC). Essentially, everyone can gain access to millions of machines, and the owners would probably be totally unaware. I'm not trying to defend the worm writer, but we all know that millions of people simply wouldn't patch until the machines keeps rebooting every few minutes.
I'm sorry, but any virus or worm writer that gets busted is just plain stupid. It's so simply to NOT get caught:
Step 1: Write virus/worm without your name, intials, alias, or any other identifying info.
Step 2: Release your virus/worm from an internet cafe, preferably one far from home, even a different city or country.
Step 3: Keep your mouth shut!!!
I mean, how hard can it be to avoid getting caught? I think most of these morons have the most trouble with steps 1 & 3, even if they're smart enough to manage step 2.
Actually, those are two completely separate issues.
Let's say you left your house and left your door unlocked. If a thief happened by, saw that it was unlocked, and came in and stole all of your belongings, the law in every jurisdiction that I know of is unequivocal: the thief is solely to blame.
On the other hand, if you put up a sign that said "welcome", then that could be construed as an explicit invitation to enter and the corresponding legal judgement would be less clear. You may recall cases way back when when some FTP sites said "Welcome To Private FTP site! Username: Password: ".. well.. some were broken into using brute force un pw attacks. The attackers were subsequently found and based their (largely successful) defense on the fact that it said "welcome!"
Now, about the rest of your point: about people being liable and microsoft being liable; basically, it's wishful thinking from you, who knows nothing. I dare you to build me a house that can not be broken into. It is NOT possible. the windows OS has arguably hundreds of thousands of parts and interfaces and it is not reasonable to expect that every aspect has been checked for every possible potential flaw. I remind you that but a few weeks ago, a new flaw was found in TCPIP, arguably one of the most "eyeballed" standards in the history of computing.
every window in your house can be broken, and a thief can enter by breaking it. the lock on your front door can be opened with a jimmy tool, your electric garage door opener signal can be captured and copied. your hidden key under the bushes can be found. your chimney may be a more or less perpetually open entrance, and yet nobody blames house builders or even home owners of gross negligence in such cases.
the fact is that in a society we recognize the inherent limits of any sort of physical protection. as many on slashdot here have observerd in other contexts (DRM), "if it can be broken, it will be" and "there are no unbreakable protection schemes."
Therefore, we must resort to law and the threat of punishment. It's not perfect, but it's what we have to do.
...I think he should be locked in a padded cell with a 486-SX and a copy of Windows v3.1 for company, I'd sooner have my left nut crushed in a vice rather than face that
I've noticed that everyone who is for abortion has already been born - Ronald Reagan
This comparison is misleading. You can't physically hurt people through computers. In fact, the damage caused is rather hard to assess ... most is just a few hours of peoples' time. Now, you could sum up all the work hours and arrive at a huge amount, but then what about the other things that steal workers' time, like rebooting the OS, messing around with driver problems or application bugs that cause work to be lost? The software vendors aren't held responsible for these.
Did you know you can fertilize your lawn with used motor oil?
If it becomes that easy, and people don't get caught, then governments will have to react. Government might force an identification system where there will be no anonymity. They might have closed networks, where countries that don't agree with us are shut out. 1984 is going to happen because of these people. And givernment will use it as a legitimate reason to take away freedom from the rest of us. The .0001% of people who are anti-social criminals are going to cause the other 99% of us to lose freedom. That is why they should be punished harshly when they get caught.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
There's still a difference: if the door is unlocked, it's trespassing, if it is locked it's burglary. Quite a difference in the amount of punishment I would imagine.
Did you know you can fertilize your lawn with used motor oil?
how some of these so-called "genius" worm authors always manage to get busted. If any of them had a brain in their head and assuming they're not bed-ridden, they would stop being so headstrong and arrogant, and release the worm from an internet café. They could even wear a disguise, dye/cut their hair, or walk funny just in case the place had surveillance cameras about. It just seems to me that it would be so simple not to get caught at all.
He should be punished to the maximum extent permitted by law - I don't care under which law. People who can't respect computers should not be allowed to (ab)use them. If he screws up his computer, it's his problem. But the moment he screws up boxes over internet, he's got to be punished hard. The punished should be harsh so that no other individual will ever attempt to write a virus. Microsoft users are already suffering with poor quality, tech-support and other stuff, guess they don't need viruses.
Slashdotters blaming someone other than Billy G or Stevie B for bad things.
In other news, Osama Bin Laden renounces Islam and donates his fortune to the James Randi organisation.
If someone sets fire to a house. Are they not responsible for it burning down, whether or not it has sprinkler system or not. This tried to set a fire to all the computers in the world that didn't have their patches yet or sprinklers on. Its a simple thought. He set the fire, it destroyed the city, he is liable for what he has done. I'm just getting pissed that the virus writers are turning out to be teenagers. I mean, come on, go out on dates, go to the movies, play sports or something, why the hell are they staying home and doing this crap. And Microsoft, just start having your patches work, I'm sick of the patch for the patch for the patch because you couldn't get it right the first time.
Hardly likely to have happened, since according to the Yahoo! Germany newswire, Microsoft gave the vital hint to the German police that led to the arrest. Which makes you wonder whether they scanned their Apache..erm..IIS server logfiles to see who was reading about certain security alerts.
...but this man is the suspected author of the worm. The authorities haven't released his identity, nor how they arrived at the determination that he is the author.
Btw, Here'a an english version of the story.
No, what happened here is that you got sold a lock that doesn't work and the theif broke into your house and a hundred million others based on the fact that the lock company has a monopoly over lock distribution. The lock company should be jointly liable.
Whoa!
I agree that worm writers are scum. They shouldn't be excused because someone else left a vulnerabilty for them to exploit.
But, especially at this point, I DO think that Microsoft deserves some blame too. SASSER follows in the wake of SQL Slammer and MSBlaster, arguably 2 of the most damaging buffer overflow exploits in many years. IIS has been repeatedly compromised by buffer overrun problems since its initial release.
It isn't hard to code an automated test for buffer overrun vulnerabilities. I have done it myself for embedded designs that I have done with TCP/IP capabilties. Admittedly, it was a much simpler task for my circumstances since my products support a very limited subset of TCP/IP, but then I don't have a legion of progranmmers at my disposal either.
Here' my point: given that you had a product that had suffered buffer overrun problems for yeras, wouldn't you test specifically for buffer overrun problems before release? Maybe I would give NT and win 2000 problems a pass but win2k3 and XP were both released after a long history of buffer overrun problems. Why didn't Microsoft test specifically for buffer overrun problems before releasing them?
> According to one of thousands of corollaries to Murphy's Law, a spelling correction on the net is guaranteed to contain at least one spelling mistake as well.
I propose that this corollary be named "Muprjys law".
Using my brain I have worked out that he was meaning 'surely wrong'.
"Microsoft signs security pact with Germany" http://news.com.com/2100-7343-5204643.html
That was on may 4th... Today THEY GOT HIM. Thats quite a remarkable effort from the Private Secret Police of Microsoft.
Robert
Windows *is* designed to access the internet, handle email etc.
Oh? I'm more under the impression that windows was designed to be accessed by the internet...
Someday, after the revolution, this will be remembered as something we should have taken more seriously...
The orignalHowever, the closer analogy would be that a house upon being robbed will create 50 more robbers which will go rob your neighbors. Who is responsible now?
The car manufacturer analogy still works, as they knowingly sold you the car without appropriate safety features. Do your homework -- yes -- but you can not expect people to know everything about a car or a computer.
badness 10000
If a 18 year old kid can write a small piece of code which can lament and trembel a large part of our society, who should we blame?
The kid.
And have you ever seen a single, functional piece of software without bugs?
So what, that doesn't mean that he is guilty in the official meaning of the word. He was arrested yesterday, with the help of all kinds of specialists, some of them work for Microsoft.
It's standard procedure for the police to work with external specialists.
The idiot who wrote that worm was released later that day and his trial will be in a couple of months where all kind of evidence is used to see if he is guilty or not.
Yes, most likely the statements of said specialists will be heard by the judge but what you are trying to imply is just pure bullshit.
You know, it was a worm written for for a Microsoft OS. I can hardly imagine a better source for information for the police.
Hendrik
Yeah, like write a truely terrible virus which will disable a hundred times as many systems.
Since when is identifying a criminal an attack?
http://news.bbc.co.uk/1/hi/technology/3687583.stm
"According to anti-virus firms machines running Windows 95, 98 and Millennium Edition can help spread Sasser even though they cannot be infected by it."
The 18 year old kid, (his name is Sven?) really hit Microsoft windows at its weakest sweetspot: Federal ordered builtin hookups for "remote security management" and other "activities" as e.g. Spyware.
Robert
tell M$ to put their money where their mouth is and hold them liable for all the damages.
Any auto maker is liable for problems necessitating recalls, so why shouldn't M$ be too? You'd think the biggest company in the world could at least back their products.
Lobby to your congress-person to hold M$ responsible.
Interesting. We had a machine fall over last week during the height of the Sasser panic. Norton AV had caught an installation of a Windows rootkit, and when we got to it (holiday weekend, so took three days), it had an FTP server installed with 19Gb of German-subtitled Moviez. Kill Bill 2 et al.
.de of all places.
We found various infection scripts lying around, because Norton's quarantine seemed to have stopped the infection script in its tracks. One thing it did was to take the machine's details and upload them to an FTP server. A server in
We don't know if this invasion used the same exploit as Sasser, or if a small number of Sassered boxes get FTP status or what. But the German moviez + German FTP dropbox seems suspicious.
Luckily we had the IP-address, username, and password in the script, and were suprised to find we could login there and delete the info. Hopefully the hacker hadn't copied it, but the box has been re-installed from scratch.
And the user is now seriously contemplating Linux, after losing two days...
Baz
nothing worse for a nerd then no computer.
Sending him to prison only makes him meet the really bad guys.
Jail is not the solution to everything. It denies you normal live, far beyond the duration of incarceration.
Not the US system though! I've seen those TV programs set in US high schools - the students are mostly in their 20s!
The same people who don't teach students the difference between transitive and intransitive verbs?
How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
Take your paranoid fantasies somewhere where people don't know enough to refute them.
First, when you compile an EXE file with MS tools, it follows a format called the Portable Executable format[1]. You can verify this by opening up the EXE in a hex editor. There are a few headers, a few sections for code and data, and maybe a debug section. There isn't a section called ".backdoor" or ".spyonuser". By examining it very carefully, it might be possible to determine which version of Windows produced it and what compiler, but you aren't going to find your MAC address, name, street address, and favorite color anywhere.
Second, if you're talking about a network backdoor, that's extremely unlikely also. You can see someone using a backdoor on a Backdoors aresimple packet dump. Set up a packet sniffer between your computer and your internet connection and watch for strange packets. Write a virus or something, and see if someone from MS makes a connection to your computer. If you're so paranoid as to think that MS has trojaned all the routers, switches and hubs in the world so as to make it completely impossible to trace, go see a psychiatrist.
[1] - Reference for the PE format: here
Karma: Contrapositive
Microsoft then called the German police.
I am sure the person who called Microsoft was doing this because s/he wanted the reward. Otherwise s/he would have gone directly to the police.
Translated quote from the article:
True, but a gun is an obvious danger. Are security patches that obvious? You and I would probably both answer yes, but would your average computer illiterate also answer yes?
The darkness... controls the music. The music... controls the soul.
Most criminals, espically the non-organized ones, suffer from a problem of running-of-the-mouth. Almost all of us do, actually. We like to brag about the things we've achieved to friends. However, when you are braging about legal exploits like winning the pot at the last card game, it's fine. Thing it most crooks also brag about their illegal exploits too. This is fine, until one of their friends (or friends of friends) turns them in.
Also most script kiddies/crackers run their mouth when they get caught. We had one on campus, he was using some program (I forget the name) that tried to spoof itself as the default gateway so all traffic would go through him and he could sniff passwords. He couldn't get it working right and it kept bringing down a part of the network. Well when we caught him he instantly confessed everything to us, then to the police.
The thing is that he (and those like him) are so convinced of their invenurability because of their anaonymity, that they are just totally unprepared to get caught. So when it does happen, they usually just break down and confess everything.
Sasser showed me which windows machines did not have their auto-patch routines working.
Since the PC support group had recently reported that all machines were now in the auto-patch system, we were quite suprised to see almost 1% (which is a lot of machines, around here) get sasser.
Incidentally, a crude way to scan your network for sasser (let's just say you've got a linux box handy with samba,nmap,bash, grep and gawk and that your network is composed of three class C segments numbered 10.0.1.0, 10.0.2.0, 10.0.3.0 for the sake of example) is:
nmap -p 5554 -oG '-' 10.0.1-3.1-254 |gawk '/^Host.+5554\/open\/tcp/{print "nmblookup -A " $2}'|bash |grep "<00>"|grep -v GROUP
If your machines have useful netbios names (such as their location, for instance) and/or you know the names of your users, that should give you all the info you need.
Thank you Mr. Sasser author! You the man! Your non-destructive code was a public service from where I'm sitting (yes I know others feel differently - the real universe is subjective, neh?).
Maybe we find out about the real names and versions of all the Sasser and Netsky variants now. The ones we know now are just made up by the anti virus guys after all.
heise.de today mentions that Microsoft will pay $250000 to the (less than five) informants.
The nice part about bringing steganography into the argument is that it has deniability: It's pretty much impossible to prove that something does *not* contain steganography. I can't argue that it's impossible for EXE files to contain steganographic information, but I will argue that it's extremely unlikely given the specific circumstances in original parent.
Karma: Contrapositive
As a sibling poster mentioned somewhat rudely, yes, it's entirely possible to embed information in an EXE file using steganographic techniques. I retract any part of my statements which attempts to deny that.
I would like to say that my post was in reply to a post claiming that the virus author was captured because of a Microsoft backdoor in their own compiler products. He did not specify that the virus author had a trojaned copy, or that his compiler was altered in any way from one I might install. He implied that there was a backdoor in the standard installation of MS tools and Windows which inserted enough personal information for tracking. I'd simply like to state that under the conditions stated by original poster, that technique is not practical, and extremely unlikely.
Karma: Contrapositive