[ISN] FBI Says Teen Put Worm on Internet

From: InfoSec News (isnat_private)
Date: Tue Sep 02 2003 - 06:15:32 PDT

    http://www.washingtonpost.com/wp-dyn/articles/A2306-2003Aug29.html
    
    By Ben White and Charles Duhigg
    Washington Post Staff Writers
    Saturday, August 30, 2003; Page A01 
    
    Government investigators yesterday arrested a Minnesota teenager on
    charges of unleashing a version of the "Blaster" worm that snarled
    Internet traffic and shut down computer systems from Maryland to
    Sweden earlier this month.
    
    FBI agents arrested Jeffrey Lee Parson, an 18-year-old high school
    senior, early yesterday at the home he shares with his parents in
    Hopkins, Minn. The U.S. attorney's office in Seattle, which is leading
    the case, charged Parson with intentionally damaging thousands of
    computers owned by Redmond, Wash.-based Microsoft Corp., other
    businesses and individuals.
    
    The 6-foot-4, 320-pound Parson -- described by a neighbor as an
    academically advanced teen who often sported a Mohawk -- appeared
    before a U.S. magistrate judge in St. Paul but did not enter a plea.  
    He was released without posting bail and returned home. Parson's
    lawyer, Lyonel Norris, an assistant federal defender for the district
    of Minnesota, declined to discuss the case.
    
    Parson did little to cover his tracks, according to the criminal
    complaint. He appears to have boasted of unleashing viruses. According
    to a version of his Web site, recorded by the Internet search engine
    Google, Parson claimed to have created a worm called "p2p.teekid.c"  
    that was spread by people using popular services such as Kazaa and
    iMesh, which are used by millions of people to share songs, video and
    movie files. Parson used the pseudonym "Teekid" online, according to
    prosecutors. The site contained no references to Blaster, however.
    
    Prosecutors alleged that Parson modified the existing Blaster virus,
    which began circulating on the Internet on Aug. 11, and unleashed his
    own, more insidious version known as Blaster.B, among other names.  
    Computer security experts suggested yesterday that Parson probably
    downloaded the original worm and simply added a bit more code.
    
    The magistrate judge yesterday ordered that Parson be subject to house
    arrest and denied access to the Internet. He faces up to 10 years in
    prison and a $250,000 fine if convicted.
    
    "With this arrest we want to deliver a message to cyber criminals here
    and around the world that the Department of Justice takes these crimes
    seriously," U.S. Attorney John McKay said at a news conference in
    Seattle. Homeland Security Secretary Tom Ridge issued a statement
    praising the arrest.
    
    McKay said his office is still trying to find the author of the
    original Blaster.
    
    According to a criminal complaint, the trail to Parson picked up
    quickly after federal investigators found a Web address --
    www.t33kid.com -- embedded in the Blaster.B worm's program.
    
    Federal agents subpoenaed California Regional Internet Inc., the owner
    of the Internet protocol address corresponding to the Web site, to
    determine who had registered the site. They found Brian Davis of
    Watauga, Tex.
    
    Davis told authorities that he controlled the computer hosting
    www.t33kid.com, but the Web site had been set up and was operated by a
    user named "teekid." Davis corresponded electronically with "teekid"  
    and provided information to federal authorities that led them to
    another Web site maintained by the same user, hosted on a home
    computer. Using public databases, authorities tracked the computer to
    the Parson home.
    
    Authorities with a warrant searched the Parson home on Aug. 19,
    seizing seven computers that are undergoing forensic analysis.  
    According to the complaint, Parson admitted to federal agents during
    the search of his house that he modified the Blaster worm.
    
    "He's your average high school kid who likes to play with computers, a
    good kid. I've never known him to get in any trouble at all," said a
    neighbor, Curtis Mackey. "He's definitely not trying to hurt anybody."
    
    The original Blaster exploited a flaw in a part of Microsoft's Windows
    operating system, which runs more than 90 percent of the world's
    personal computers, that allows data files to be shared across
    computer networks. The fast-moving virus crippled computers around the
    globe, forcing the Maryland Motor Vehicle Administration to shut down
    on Aug. 12. Prosecutors allege that Parson's version infected at least
    7,000 computers, which were instructed to attack Microsoft's Web site.
    
    At the news conference in Seattle, Microsoft general counsel Brad
    Smith said all the versions of Blaster had cost the company tens of
    millions of dollars. McKay said the amount of damage Blaster.B did was
    significant but declined to elaborate.
    
    Blaster is one of a handful of viruses that have plagued home computer
    users and businesses this summer and stoked fear that ever-more-savvy
    hackers could launch attacks that could cripple an economy that
    increasingly relies on e-mail and Internet access to conduct business.
    
    Last week, officials in the United States and Canada raced to blunt
    the effects of Sobig.F, a new strain of a virus that has infected
    computers since January. Investigators said code in Sobig.F instructed
    infected computers to contact one of 20 other computers to download
    instructions for another possible cyber attack.
    
    "A lot of the power of viruses that experts have been warning about is
    now being unleashed," said Aviel Rubin, a professor at the Johns
    Hopkins University Information Security Institute. "The combination of
    vulnerable platforms, such as Microsoft's Windows, combined with
    clever virus writers, is leading to an Internet that is quickly going
    to make using computers a lot less efficient."
    
    The Blaster worms, unlike some previous viruses, do not require users
    to open e-mail attachments to spread. Instead, they propagate through
    the Microsoft vulnerability. Experts at computer security firm
    Symantec say infection rates of the various versions of the Blaster
    worms peaked a little over a week ago, infecting a total of 1.2
    million machines to date.
    
    Some computer security experts cautioned that Parson's arrest probably
    won't reveal the identity of the worm's original authors. "Blaster was
    a sophisticated and complex worm," said Sharon Ruckman, senior
    director at Symantec Security Response. "Whoever wrote it may be
    clever enough that we can't track them down."
    
    This case illustrates how easy it is for relatively inexperienced
    users to launch computer attacks using tools created by others, and
    how easily worms and viruses can spread, experts said.
    
    "Whoever developed the Blaster worm had to know how to write effective
    code," said Ken Dunham, malicious code intelligence manager for
    Reston-based iDefense Inc. "Anyone after that could have spread it
    without much technical ability."
    
    Experts estimate there are more than 30,000 Web sites containing virus
    programs and tools for launching attacks.
    
    In 2001, a 21-year-old in the Netherlands created the Anna Kournikova
    virus after downloading a "worm generator" program from the Internet
    that allows users to create viruses by making choices from pull-down
    menus, Dunham said.
    
    The virus infected hundreds of thousands of computers. The code's
    author was apprehended and eventually sentenced to 150 hours of
    community service by a Dutch court.
    
    Washingtonpost.com staff writer Brian Krebs and researcher Richard
    Drezen contributed to this report.
    
    
    
    
    -
    ISN is currently hosted by Attrition.org
    