[ISN] Experts: Timing of new Sasser worm raises questions

InfoSec News isn at c4i.org
Tue May 11 01:49:58 EDT 2004


By Paul Roberts
IDG News Service

The release of a new version of the Sasser worm calls into question
claims by some German authorities that they have the sole author of
the worm in custody, according to anti-virus experts.

A new version of the Sasser worm, dubbed Sasser-E, appeared late
Friday, around the time police arrested an 18-year-old man they said
was the author of all the Sasser variants and of the Netsky worm.  
While it is possible that the teenager released the worm just before
being captured, the close timing and clues from earlier Sasser
variants may point to a larger network of virus writers outside of
Germany, said Mikko Hyppönen, anti-virus research manager at F-Secure
in Finland.

On Friday, German police in Lower Saxony arrested the man and charged
him with creating Sasser, which appeared on May 1, and three variants
that appeared in subsequent days.

The arrest of the man, who has not officially been identified,
followed a tip to Microsoft Deutschland from individuals who asked
about the possibility of receiving a reward in exchange for
information about the creator of the Sasser worm, said Brad Smith,
senior vice president and general counsel at Microsoft, in a

On Monday, the Associated Press quoted Frank Federau, a spokesman for
the state criminal office in Hanover, Germany, saying the teenager
likely programmed Sasser-E "immediately before his discovery."

Microsoft believes that the man arrested made Sasser-E, like the other
variants, and released it almost simultaneously with his arrest,
according to Smith.

"It's our understanding that the police have arrested the individual
responsible for Sasser-E and the four previous variants," he said.

Microsoft is basing that position on statements from German
authorities and from the ongoing investigation of Sasser and Netsky,
he said.

Anti-virus experts say that scenario is possible, but not likely.

"It's... possible it was released by the guy they arrested... but he
would have to have released it just before he got arrested, 15 minutes
before the police knocked on his door," Hyppönen said.

However, the timing of the release and tidbits of information gleaned
from earlier Sasser worms suggest that others may be involved with
the Sasser and Netsky worms, Hyppönen said.

F-Secure learned of Sasser-E 10 hours after the arrest of the suspect,
but knows of earlier reports that put the first appearance of the worm
around three hours and forty-five minutes after his arrest, according
to information on the F-Secure Web site.

Three hours is still a long time for a worm to circulate on the
Internet without being spotted. Unless even earlier reports of the
worm turn up, that time lag could cast doubt on claims that the man
arrested Friday is the sole author of Sasser, Hyppönen said.

"It's... possible that somebody else released (Sasser-E) as proof that
(the German man) is not the only guy, or that this guy has written
some versions of Sasser but not all, or that he's admitting guilt to
protect someone else," he said.

Symantec didn't receive a copy of Sasser-E until 1 a.m. Pacific Time
on Sunday morning, almost two days after the arrest. The company is
still analyzing data from its worldwide DeepSight Alert network of
sensors to spot the first appearance of the worm, said Oliver
Friedrichs, senior manager of Symantec Security Response.

The company doesn't have enough information to say whether there are
multiple authors behind the Sasser worms. However, prior to the arrest
on Friday, the sheer number of variants of both worms had led
Symantec to suspect that a virus-writing group was behind Sasser and
Netsky, he said.

F-Secure researchers also assumed there was a group at work, probably
based in Russia, Hyppönen said.

"We were surprised that it was one guy and that it was not in Russia,"
he said.

Comments hidden in previous versions of Netsky and Sasser included
references to the Czech Republic and Russia, as well as a "crew" of
authors. Some parts of the Netsky worm code also contain comments in
Russian, Hyppönen said.

"If they didn't speak Russian, they at least took some lessons before
inserting the comments in there," he said.

The evolution of the Netsky worm from version to version also suggests
the work of more than one author, he said.

"The way the secondary functions of the virus changed. In the
beginning it just killed installations of Mydoom and Bagle, then it
slowly changed to launch DDOS (distributed denial of service attacks)  
against peer-to-peer and (software) cracking sites," he said.

The changes could reflect the input and interests of different
contributors, just as the Blaster worm was modified by others, neither
of them the original author, resulting in the arrests of two men:  
Jeffrey Parsons, a teenager from Hopkins, Minn., in August 2003 for
Blaster-B and Dan Dumitru Ciobanu, a 24-year-old from Romania who was
charged with releasing the Blaster-F worm in September, he said.

The German man's confession to police and reports that police found
the Sasser source code on his computer are certainly persuasive that
the man was involved in the worm's creation and release, but not
conclusive that he was the only person responsible for Netsky and
Sasser, Hyppönen said.

"I wouldn't be surprised at all if there turns out to be someone else
-- a third party," he said.

Microsoft is continuing its investigation of Sasser, and doesn't
discount the possibility of others being involved, Smith said.

"Obviously, information is shared all the time among individuals on
the Internet," he said. "We're not in a position to comment who had
access to (the Sasser) information or participated in the spread of
it."

Despite the arrests, questions remain, Smith said.

"There are things we don't know, such as who put the comments in --
was it single individual or someone else? What was that person's

More arrests are possible, but Microsoft believes that the German
police got their man on Friday, he said.

"It's always possible that (the investigation) will lead to other
individuals, but I don't believe those will be individuals who
authored the variants or launched the initial (worm) distribution," he

If the man arrested on Friday really is the only author, it will be a
huge relief to anti-virus experts like Hyppönen, who have been working
overtime in recent months to keep up with the barrage of new worm

"If the guy really confessed to writing Netsky and Sasser and that's
true, then the worm releases should stop right there, and that's
excellent," he said.
