[ISN] Arrest could crack open PC virus ring

InfoSec News isn at c4i.org
Mon May 10 02:45:24 EDT 2004


Jennifer Dudley
technology reporter

A RING of virus writers responsible for at least 30 viruses and
billions of dollars in damage could be exposed after German police
arrested two men over the Sasser, Agobot and Phatbot viruses.

Anti-virus experts said the arrest of an 18-year-old German high
school student who allegedly confessed to creating Sasser could be
"one of the most significant cybercrime arrests of all time" and was
made possible by a $US250,000 bounty from Microsoft.

The Sasser worm surfaced on April 30 and infected tens of millions of
computers using Windows XP or 2000. It spread without any intervention
from users.

Victims included Westpac Bank, the Northern Territory Government,
British Airways, Delta Airlines and the UK Maritime and Coastguard

Police arrested a man over the virus in Rotenburg, North Germany, on
Friday. His name has not been released although it is believed the FBI
and CIA were searching for a suspect called Sven J.

Lower Saxony police spokesman Frank Federau said the man had confessed
to creating the worm virus and "Microsoft experts . . . confirmed our

Police seized several computers at the man's home and he was released
pending charges. The man's computer reportedly contained the Sasser
virus computer code.

Microsoft senior vice president Brad Smith said a breakthrough came on
Wednesday last week when a group of fewer than five Germans approached
the company with information about the alleged virus writer.

He said the group inquired about the company's $5 million anti-virus
reward program, and Microsoft agreed to pay the group $US250,000
"pending the successful conviction of this case".

If the man is convicted, it would be the first successful prosecution
under the Microsoft reward program, which was launched in November

Also on Friday, German police arrested a 21-year-old unemployed man in
Loerrach who allegedly admitted creating the widespread Agobot and
Phatbot viruses with other programmers.

Sophos senior technology consultant Graham Cluley said the
breakthroughs could lead to further arrests of Skynet virus-writing
group members, who recently claimed to have written Sasser in a
message embedded in the Netsky-AC virus.

"If this is the case, this could be one of the most significant
cybercrime arrests of all time," he said. "We would not be surprised
if more arrests follow in due course."

Mr Cluley said 29 "highly disruptive" variants of the Netsky virus
were spreading and clues to their authors could be on computers seized
during the arrests.

Both men face charges of computer sabotage, which in Germany carries
up to five years' prison, but Computer Associates Australia senior
security consultant Daniel Zatz said it was not illegal to write a
computer virus, only to distribute it. The men might claim they did
not mean to release the viruses.
