
Why We May Not Have Seen The Last Of Sasser


<bleeding_heart>


Robert Vamosi

Senior Associate Editor, Reviews

Monday, May 17, 2004

Despite the $250,000 reward offered by Microsoft, the original author of the MSBlast worm remains on the loose, as do those responsible for the Sobig virus and MyDoom worms. So security experts were surprised--and somewhat skeptical--last week when German authorities announced the arrest of the Sasser author just seven days after the code's release.

Previously, I've reported that the author of the Sasser worm, which doesn't use e-mail but spreads via the Internet and crashes vulnerable Windows XP and Windows 2000 machines, is part of a virus-writing gang also responsible for the Netsky virus. While the suspect has confessed and German authorities haven't ruled out more arrests as a result of their investigation, I have a gut feeling that the true programming geniuses behind these worms lie outside the vocational school in rural Germany that's now under investigation.

With friends like these...

Despite teams of investigators working worldwide, the Sasser arrest was actually the result of three to five individuals walking into Microsoft's German offices on Wednesday, May 5, 2004, unannounced. They inquired whether the $250,000 (U.S.) reward offered for information leading to the arrest of the individual(s) responsible for MSBlast, Sobig, and MyDoom outbreaks also applied to the Sasser worm. Microsoft had not announced such a reward for Sasser, but apparently took the information very seriously.

Concurrently, Microsoft and other security experts were parsing the Sasser code, looking for programming clues to its origin. Analysis reveals that Sasser is a poorly modified version of the Netsky virus, augmented with off-the-shelf scripting tools from online virus-writing kits available from underground hacker Web sites. In other words, any script kiddie or criminal hacker without technical skills could have created Sasser.

Acting on the informants' information, on Friday, May 7, 2004, German authorities arrested an 18-year-old, Sven Jaschan of Waffensen in Lower Saxony, Germany. This would fit the clue "Mr.SJ" found within the Sasser viral code. Further, German authorities report finding the source code for the Sasser on Jaschan's computers, along with source code for 20-some variations of the Netsky virus.

Questioning the Sasser investigation

But here's where it gets really interesting: about 3 hours and 45 minutes after Jaschan's arrest, a fifth variant, Sasser.e, was reported in the wild. As part of his confession, Jaschan allegedly stated he intended for Netsky to be an "antivirus"--that is, Netsky and Sasser would remove copies of other viruses such as MyDoom and Bagle. Early forms of Netsky and Sasser, in fact, did not remove other viruses, and Netsky opened ports on infected computers, allowing remote access.

Oddly, Sasser.e, released after Jaschan's arrest, appears to be preventative: it attempts to warn users if their computers are vulnerable to the lsass.exe flaw (which Sasser exploits) and urges them to download the patch from Microsoft. This warning displays on the infected computer's desktop and is signed by the "Skynet Team for malicious activity prevention." Sasser.e also attempts to remove previous infections by Bagle, a virus that seeks to delete copies of the Netsky virus, and MyDoom--just as Jaschan said.

While it's possible that Mr.SJ released the Sasser.e code just minutes before his arrest and that it took a while to surface, it's more probable that more than one person is behind Sasser.

Antivirus researcher Mikko Hypponen of F-Secure has pointed out that previous text messages found within Netsky indicated a possible Russian connection. Not only were Russian and Czech references found in the viral code statements, so were Russian words. Thus, many antivirus researchers were surprised when the arrest happened in Germany. Hypponen admits the Netsky and Sasser text messages could all be misdirection--however, there are credible signs that multiple authors are at work.

The plot thickens

Last Tuesday, May 11, 2004, the German authorities raided five more homes near Sven Jaschan's home and uncovered more copies of the Netsky and Sasser source code on additional computers. The five others are all schoolmates of Jaschan, who recently graduated from a 2,300-student vocational school.

Here's what I think: I think the individuals who turned in Jaschan are themselves connected in some way. Perhaps these guys are the authors of the Bagle virus, which sought to remove copies of Netsky infections. But deep down, I think these German virus writers are merely tweaking someone else's code, perhaps for profit.

Netsky, for example, is capable of creating large networks of remote-control compromised computers; this has financial value to spam operators (who can send their mail anonymously worldwide) and shake-down artists (who can extort money from Web sites in exchange for not shutting them down via denial-of-service attacks). I don't think these kids in Germany are operating on that level. I think they're pawns--but willing pawns and, therefore, no less guilty. I just hope we get to the bottom of this and don't settle for a few very easy arrests.

Source


worms killing viruses, viruses deleting worms

he said she said about who did it, and a conspiracy as to whether or not the accused are really making this stuff, or is it some big business scam

*checks windows update*

*re checks firewall*

what else can i do?

nothing


Make sure your AV software is up to date and there are a few things here.
