Sasser Author Under Arrest, Say German Police
Apogee writes "A number of German news websites, like n-tv, or the German Yahoo news site (courtesy of the German press agency, lending this some credibility) (web sites in German) report that the programmer of the Sasser worm has been arrested by German police. The Sasser author is an 18-year-old man who was arrested on Friday in Rotenburg, Germany.
With the Sasser worm being the latest among worms that spread like wildfire among unpatched Windows boxes, and apparently also caused serious computer outages and cost to the economy, how will this be transformed into an indictment?"
Update: 05/08 18:41 GMT by T : SexySas writes "As the German news site heise reports, the 18-year-old author of Sasser is responsible for Netsky, too. The German police are talking about 'a milestone in the war against cybercrime'."
they shoulda waited until MS announced a reward for it first!
http://www.channelnewsasia.com/stories/afp_world/view/83848/1/.html
The motives of the alleged Sasser author were still unclear, but Der Spiegel suggested the teen may have wanted to drum up business for his mother, who owns a company offering assistance to computer owners.
they were also arrested on Friday.
Here is Reuters' take on this and the news release at Biz Ink.
How did they find this guy? Was it that he was bragging like in the former MS worm cases, or was there a "higher technological power" involved?
find it ironic that an ad for Microsoft security services accompanies this story?
There is no reasonable defense against an idiot with an agenda
:wq
Granted, I'm no Microsoft lover, but I'm also kind of against punks like this guy... he has probably cost me almost $500 since this worm started in my PERSONAL services to my friends and family in order to get this all cleared up..
As for MS, they should be considered just as guilty. With such a large corporate juggernaut as they have, they should be able to look for these vulnerabilities early, and maybe go through some more extensive testing.. or at the VERY LEAST spend a million or so and tell the public they messed up, and how to fix it... (run Windows Update) At least this way, you have an educated public... ignorance is NOT strength.
WARNING: This sig does not contain a joke
See here in German and the Google translation. Officials say there is no connection. Well ...
* Smile. People will wonder what you think. *
Excellent, hopefully they can ask him a simple question and we can put another argument to rest - Was he aware of the exploit from his own hacking, or being told about it by someone, or did he just read the exploit advisory from Microsoft when they released the patch?
Realistically odds have to favour just reading the advisory, but there have been plenty of claims to the contrary.
The next question is, will any media actually bother to find out and publish the answer to that question. I'm guessing "absolutely no chance in hell".
Jedidiah.
Two possibilities as I see them. First, the kid was stupid enough to write and release the worm from his own machine, leaving behind traces, or was not careful enough hiding his tracks. Second, the kid's machine was hacked and used to hide the real creator of the worm while releasing the worm. I haven't RTA but I think these two conclusions are logical.
Does it go on forever?
Make him explain to my mother what a worm is, why he made it, and how to enable a firewall. That'd be punishment enough.
We've got a few (3?) Rothenburgs in Germany. The one Americans probably know the best is Rothenburg ob der Tauber. :-)
Rothenburg a. d. Wümme is not the medieval postcard town, it's just a small boring northern German town.
BTW: Wümme and Tauber are both rivers. German cities with the same names often differentiate themselves by the rivers they lie on.
We suffer more in our imagination than in reality. - Seneca
not really an important one, but still.
Sasser broke a new record in the time it took to find the worm, from the time the hole on which the worm was based was issued a public patch. Now that we, allegedly, have the worm's author, we can ask him whether it was reverse-engineered from the patch, or whether he had prior knowledge of the hole.
Shachar
P.S.
I would wager the former, but still interesting to get an authoritative answer.
> And writing intentionally crappy operating systems isn't? Ask yourself: what would happen if they wrote something that was *perfect*?
Someone would complain the default colour scheme was crap.
Yeah, but even if you leave your house unlocked it is still a crime. If it weren't, any criminal could grab your wallet saying that since it wasn't padlocked down to your chest, it's his. Or could kill someone and claim it was his fault for not carrying a loaded weapon and constantly surveying all around.
People lock their doors because they realize there is a threat. If they don't realize there is a threat, they lose stuff, but it is still criminal. Hopefully after the 5th time someone gets their house broken into they will realize that they need a lock; same goes with computers.
I'm no Microsoft fanboy (I don't even use Windows), but blaming them is like blaming a car manufacturer because your car got totaled when some jackass rear-ended you. You should have done your homework before you bought the car, and that still does not absolve the jackass.
However, I am basing this on the fact he is 18 and on the assumption that he fits a profile of some kid who doesn't have many friends and needs attention. I'm not saying I'm right, just my take, as you'd be amazed at how many criminals get caught simply on the inability to keep their mouths shut.
If you leave the doors to your house open, and a large neon sign over the threshold saying 'WELCOME', you'll be *damned* lucky if your insurer would pay up.
This is more like just leaving your doors unlocked. There is no protocol for a system to advertise its vulnerabilities.
Without regard to whether your doors were locked it is illegal to steal things from your house.
Since both the Sasser and Phatbot developers are native Germans, they will never be extradited. The German constitution luckily forbids it. Only foreigners can be extradited to other countries, and only if they don't have to fear the death penalty and will get a fair trial.
How, exactly, is he any more liable than the millions who run insecure, unpatched machines?
That's ridiculous - people who don't wear bullet proof vests aren't "as liable" as the people who shoot them.
> If you leave the doors to your house open, and a large neon sign over the threshold saying 'WELCOME', you'll be *damned* lucky if your insurer would pay up.
No, but you could press charges for burglary if somebody came into your house and stole something. Insurance is a matter of commercial contracts - we're talking about the law here.
If he hadn't exploited it, someone else would have, and the result would have been the same.
No, if someone else had exploited it, then the gentleman under discussion here most probably wouldn't be in police custody facing criminal charges right now.
The responsibility lies with Microsoft, for creating shite software with inherent vulnerabilities, and with the users, for not bothering to have any kind of protection.
What kind of a world do you live in where the people who write and send out a virus are not liable for the damage it causes?
#!/usr/bin/english
Sure, these worms did cause a lot of inconvenience and downtime and such. But a (probably unintended) benefit of their outbreaks was that many vulnerable machines are now actually patched. Without these worms, if you hit a random 2K/XP machine on the net, there is a very good chance that you can take over the machine through either DCOM or LSASS (port 135 and 445 IIRC). Essentially, everyone can gain access to millions of machines, and the owners would probably be totally unaware. I'm not trying to defend the worm writer, but we all know that millions of people simply wouldn't patch until the machine keeps rebooting every few minutes.
I'm sorry, but any virus or worm writer that gets busted is just plain stupid. It's so simple to NOT get caught:
Step 1: Write virus/worm without your name, initials, alias, or any other identifying info.
Step 2: Release your virus/worm from an internet cafe, preferably one far from home, even a different city or country.
Step 3: Keep your mouth shut!!!
I mean, how hard can it be to avoid getting caught? I think most of these morons have the most trouble with steps 1 & 3, even if they're smart enough to manage step 2.
Actually, those are two completely separate issues.
Let's say you left your house and left your door unlocked. If a thief happened by, saw that it was unlocked, and came in and stole all of your belongings, the law in every jurisdiction that I know of is unequivocal: the thief is solely to blame.
On the other hand, if you put up a sign that said "welcome", then that could be construed as an explicit invitation to enter and the corresponding legal judgement would be less clear. You may recall cases way back when some FTP sites said "Welcome To Private FTP site! Username: Password: ".. well.. some were broken into using brute force un/pw attacks. The attackers were subsequently found and based their (largely successful) defense on the fact that it said "welcome!"
Now, about the rest of your point: about people being liable and Microsoft being liable; basically, it's wishful thinking from you, who knows nothing. I dare you to build me a house that can not be broken into. It is NOT possible. The Windows OS has arguably hundreds of thousands of parts and interfaces, and it is not reasonable to expect that every aspect has been checked for every possible potential flaw. I remind you that but a few weeks ago, a new flaw was found in TCP/IP, arguably one of the most "eyeballed" standards in the history of computing.
Every window in your house can be broken, and a thief can enter by breaking it. The lock on your front door can be opened with a jimmy tool, your electric garage door opener signal can be captured and copied. Your hidden key under the bushes can be found. Your chimney may be a more or less perpetually open entrance, and yet nobody blames house builders or even home owners of gross negligence in such cases.
The fact is that in a society we recognize the inherent limits of any sort of physical protection. As many on Slashdot here have observed in other contexts (DRM), "if it can be broken, it will be" and "there are no unbreakable protection schemes."
Therefore, we must resort to law and the threat of punishment. It's not perfect, but it's what we have to do.
...I think he should be locked in a padded cell with a 486-SX and a copy of Windows v3.1 for company, I'd sooner have my left nut crushed in a vice rather than face that
I've noticed that everyone who is for abortion has already been born - Ronald Reagan
Obviously, you don't know much about the German judicial system, nor about our police.
The boy is already back at home (no risk of escape) until he'll be tried. He'll probably get probation, at most. He'll MOST probably be tried under juvenile laws, which have the overruling goal of "educating" young people.
However, he'll be held responsible for the financial damages he's done.
He should be punished to the maximum extent permitted by law - I don't care under which law. People who can't respect computers should not be allowed to (ab)use them. If he screws up his computer, it's his problem. But the moment he screws up boxes over the internet, he's got to be punished hard. The punishment should be harsh so that no other individual will ever attempt to write a virus. Microsoft users are already suffering with poor quality, tech support and other stuff; guess they don't need viruses.
If someone sets fire to a house, are they not responsible for it burning down, whether or not it has a sprinkler system? This tried to set fire to all the computers in the world that didn't have their patches yet or sprinklers on. It's a simple thought. He set the fire, it destroyed the city, he is liable for what he has done. I'm just getting pissed that the virus writers are turning out to be teenagers. I mean, come on, go out on dates, go to the movies, play sports or something; why the hell are they staying home and doing this crap? And Microsoft, just start having your patches work. I'm sick of the patch for the patch for the patch because you couldn't get it right the first time.
Hardly likely to have happened, since according to the Yahoo! Germany newswire, Microsoft gave the vital hint to the German police that led to the arrest. Which makes you wonder whether they scanned their Apache..erm..IIS server logfiles to see who was reading about certain security alerts.
...but this man is the suspected author of the worm. The authorities haven't released his identity, nor how they arrived at the determination that he is the author.
Btw, here's an English version of the story.
Whoa!
I agree that worm writers are scum. They shouldn't be excused because someone else left a vulnerability for them to exploit.
But, especially at this point, I DO think that Microsoft deserves some blame too. SASSER follows in the wake of SQL Slammer and MSBlaster, arguably 2 of the most damaging buffer overflow exploits in many years. IIS has been repeatedly compromised by buffer overrun problems since its initial release.
It isn't hard to code an automated test for buffer overrun vulnerabilities. I have done it myself for embedded designs that I have done with TCP/IP capabilities. Admittedly, it was a much simpler task for my circumstances since my products support a very limited subset of TCP/IP, but then I don't have a legion of programmers at my disposal either.
Here's my point: given that you had a product that had suffered buffer overrun problems for years, wouldn't you test specifically for buffer overrun problems before release? Maybe I would give NT and Win 2000 problems a pass, but Win2k3 and XP were both released after a long history of buffer overrun problems. Why didn't Microsoft test specifically for buffer overrun problems before releasing them?
To answer two posts in one:
- he cannot be extradited. The German constitution forbids that.
- juvenile laws *can* be applied for ages 18-21 (and very often are), and they have to be applied below.
My guess: juvenile law, probation and probably several hundred hours of social service. And financial damages, of course.
Anyways, shouldn't Microsoft be in his place?
> According to one of thousands of corollaries to Murphy's Law, a spelling correction on the net is guaranteed to contain at least one spelling mistake as well.
I propose that this corollary be named "Muprjys law".
"Microsoft signs security pact with Germany" http://news.com.com/2100-7343-5204643.html
That was on May 4th... Today THEY GOT HIM. That's quite a remarkable effort from the Private Secret Police of Microsoft.
Robert
However, the closer analogy would be that a house upon being robbed will create 50 more robbers which will go rob your neighbors. Who is responsible now?
The car manufacturer analogy still works, as they knowingly sold you the car without appropriate safety features. Do your homework -- yes -- but you can not expect people to know everything about a car or a computer.
badness 10000
So what, that doesn't mean that he is guilty in the official meaning of the word. He was arrested yesterday, with the help of all kinds of specialists, some of them work for Microsoft.
It's standard procedure for the police to work with external specialists.
The idiot who wrote that worm was released later that day and his trial will be in a couple of months where all kind of evidence is used to see if he is guilty or not.
Yes, most likely the statements of said specialists will be heard by the judge but what you are trying to imply is just pure bullshit.
You know, it was a worm written for a Microsoft OS. I can hardly imagine a better source of information for the police.
Hendrik
http://news.bbc.co.uk/1/hi/technology/3687583.stm
"According to anti-virus firms machines running Windows 95, 98 and Millennium Edition can help spread Sasser even though they cannot be infected by it."
The 18-year-old kid (his name is Sven?) really hit Microsoft Windows at its weakest sweet spot: federally ordered built-in hookups for "remote security management" and other "activities" such as spyware.
Robert
Interesting. We had a machine fall over last week during the height of the Sasser panic. Norton AV had caught an installation of a Windows rootkit, and when we got to it (holiday weekend, so it took three days), it had an FTP server installed with 19 GB of German-subtitled Moviez. Kill Bill 2 et al.
We found various infection scripts lying around, because Norton's quarantine seemed to have stopped the infection script in its tracks. One thing it did was to take the machine's details and upload them to an FTP server. A server in .de of all places.
We don't know if this invasion used the same exploit as Sasser, or if a small number of Sassered boxes get FTP status or what. But the German moviez + German FTP dropbox seems suspicious.
Luckily we had the IP address, username, and password in the script, and were surprised to find we could log in there and delete the info. Hopefully the hacker hadn't copied it, but the box has been re-installed from scratch.
And the user is now seriously contemplating Linux, after losing two days...
Baz
Nothing worse for a nerd than no computer.
Sending him to prison only makes him meet the really bad guys.
Jail is not the solution to everything. It denies you a normal life, far beyond the duration of incarceration.
A german court can't award financial damage during a criminal process. If you want to claim financial damage, then you have to enter the trial as a "Nebenklaeger" (secondary plaintiff) and prove that you were financially damaged by the actions of the defendant.
I guess most people will be afraid to fully disclose in court how their IT management works and how their other business processes run to prove the amount of money they have lost due to Sasser.
Take your paranoid fantasies somewhere where people don't know enough to refute them.
First, when you compile an EXE file with MS tools, it follows a format called the Portable Executable format[1]. You can verify this by opening up the EXE in a hex editor. There are a few headers, a few sections for code and data, and maybe a debug section. There isn't a section called ".backdoor" or ".spyonuser". By examining it very carefully, it might be possible to determine which version of Windows produced it and what compiler, but you aren't going to find your MAC address, name, street address, and favorite color anywhere.
Second, if you're talking about a network backdoor, that's extremely unlikely also. Backdoors are simple: you can see someone using a backdoor on a packet dump. Set up a packet sniffer between your computer and your internet connection and watch for strange packets. Write a virus or something, and see if someone from MS makes a connection to your computer. If you're so paranoid as to think that MS has trojaned all the routers, switches and hubs in the world so as to make it completely impossible to trace, go see a psychiatrist.
[1] - Reference for the PE format: here
Karma: Contrapositive
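The PE-header inspection the post above describes, as an added example (not the poster's code): a small Python parser that follows the DOS header to the PE signature, reads the COFF header, walks the section table and lists the section names, plus a check for sections mapped both writable and executable. The byte image it parses is constructed inline and is not a real executable.

```python
import struct

# Section characteristic flags from the PE specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def build_sample_pe() -> bytes:
    """Constructed, minimal PE32 image (not a real executable): DOS header with
    e_lfanew pointing at the PE signature, a COFF header declaring three
    sections, a 224-byte optional header, and three 40-byte section headers."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)            # e_lfanew: PE header at offset 64
    coff = struct.pack("<HHIIIHH",
                       0x14C,                      # Machine: IMAGE_FILE_MACHINE_I386
                       3,                          # NumberOfSections
                       0, 0, 0,                    # TimeDateStamp, symbol table ptr/count
                       224,                        # SizeOfOptionalHeader (PE32)
                       0x0102)                     # EXECUTABLE_IMAGE | 32BIT_MACHINE
    optional = bytearray(224)
    struct.pack_into("<H", optional, 0, 0x10B)     # Magic: PE32
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0, 0, size, 0, 0, 0, 0, 0, flags)
        for name, size, flags in (
            (b".text", 0x400, 0x60000020),         # code: CNT_CODE | EXECUTE | READ
            (b".data", 0x200, 0xC0000040),         # data: INITIALIZED_DATA | READ | WRITE
            (b".rsrc", 0x100, 0x40000040),         # resources: INITIALIZED_DATA | READ
        ))
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + sections


def pe_sections(image: bytes) -> list:
    """Walk the headers and return [(section_name, characteristics), ...], the
    same information a hex-editor look at the section table reveals."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ DOS header")
    (e_lfanew,) = struct.unpack_from("<I", image, 60)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _machine, n_sections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", image, coff_off)
    sect_off = coff_off + 20 + opt_size            # section table follows the optional header
    result = []
    for i in range(n_sections):
        fields = struct.unpack_from("<8sIIIIIIHHI", image, sect_off + 40 * i)
        name = fields[0].rstrip(b"\0").decode("ascii", errors="replace")
        result.append((name, fields[9]))           # fields[9] is Characteristics
    return result


def writable_executable_sections(image: bytes) -> list:
    """Names of sections mapped both writable and executable: compiler-built
    binaries keep code and data apart, so a W+X section deserves a closer look."""
    return [name for name, flags in pe_sections(image)
            if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE]
```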