[ISN] Experts: Timing of new Sasser worm raises questions

From: InfoSec News (isn@private)
Date: Mon May 10 2004 - 22:49:58 PDT

    http://www.nwfusion.com/news/2004/0510expertimin.html
    
    By Paul Roberts
    IDG News Service
    05/10/04
    
    The release of a new version of the Sasser worm calls into question
    claims by some German authorities that they have the sole author of
    the worm in custody, according to anti-virus experts.
    
    A new version of the Sasser worm, dubbed Sasser-E, appeared late
    Friday, around the time police arrested an 18-year-old man they said
    was the author of all the Sasser variants and of the Netsky worm.  
    While it is possible that the teenager released the worm just before
    being captured, the close timing and clues from earlier Sasser
    variants may point to a larger network of virus writers outside of
    Germany, said Mikko Hyppönen, anti-virus research manager at F-Secure
    in Finland.
    
    On Friday, German police in Lower Saxony arrested the man and charged
    him with creating Sasser, which appeared on May 1, and three variants
    that appeared in subsequent days.
    
    The arrest of the man, who has not officially been identified,
    followed a tip to Microsoft Deutschland from individuals who asked
    about the possibility of receiving a reward in exchange for
    information about the creator of the Sasser worm, said Brad Smith,
    senior vice president and general counsel at Microsoft, in a
    statement.
    
    On Monday, the Associated Press quoted Frank Federau, a spokesman for
    the state criminal office in Hanover, Germany, saying the teenager
    likely programmed Sasser-E "immediately before his discovery."
    
    Microsoft believes that the man arrested made Sasser-E, like the other
    variants, and released it almost simultaneously with his arrest,
    according to Smith.
    
    "It's our understanding that the police have arrested the individual
    responsible for Sasser-E and the four previous variants," he said.
    
    Microsoft is basing that position on statements from German
    authorities and from the ongoing investigation of Sasser and Netsky,
    he said.
    
    Anti-virus experts say that scenario is possible, but not likely.
    
    "It's... possible it was released by the guy they arrested... but he
    would have to have released it just before he got arrested, 15 minutes
    before the police knocked on his door," Hyppönen said.
    
    However, the timing of the release and tidbits of information gleaned
    from earlier Sasser worms suggests that others may be involved with
    the Sasser and Netsky worms, Hyppönen said.
    
    F-Secure learned of Sasser-E 10 hours after the arrest of the suspect,
    but knows of earlier reports that put the first appearance of the worm
    around three hours and forty-five minutes after his arrest, according
    to information on the F-Secure Web site.
    
    Three hours is still a long time for a worm to circulate on the
    Internet without being spotted. Unless even earlier reports of the
    worm turn up, that time lag could cast doubt on claims that the man
    arrested Friday is the sole author of Sasser, Hyppönen said.
    
    "It's... possible that somebody else released (Sasser-E) as proof that
    (the German man) is not the only guy, or that this guy has written
    some versions of Sasser but not all, or that he's admitting guilt to
    protect someone else," he said.
    
    Symantec didn't receive a copy of Sasser-E until 1 a.m. Pacific Time
    on Sunday morning, almost two days after the arrest. The company is
    still analyzing data from its worldwide DeepSight Alert network of
    sensors to spot the first appearance of the worm, said Oliver
    Friedrichs, senior manager of Symantec Security Response.
    
    The company doesn't have enough information to say whether there are
    multiple authors behind the Sasser worms. However, prior to the arrest
    Friday, the sheer number of variants produced of both worms led
    Symantec to suspect a virus writing group was behind Sasser and
    Netsky, he said.
    
    F-Secure researchers also assumed there was a group at work, probably
    based in Russia, Hyppönen said.
    
    "We were surprised that it was one guy and that it was not in Russia,"  
    he said.
    
    Comments hidden in previous versions of Netsky and Sasser included
    references to the Czech Republic and Russia, as well as a "crew" of
    authors. Some parts of the Netsky worm code also contain comments in
    Russian, Hyppönen said.
    
    "If they didn't speak Russian, they at least took some lessons before
    inserting the comments in there," he said.
    
    The evolution of the Netsky worm from version to version also suggests
    the work of more than one author, he said.
    
    "The way the secondary functions of the virus changed. In the
    beginning it just killed installations of Mydoom and Bagle, then it
    slowly changed to launch DDOS (distributed denial of service attacks)  
    against peer-to-peer and (software) cracking sites," he said.
    
    The changes could reflect the input and interests of different
    contributors, just as the Blaster worm was modified by others, neither
    of them the original author, resulting in the arrests of two men:  
    Jeffrey Parsons, a teenager from Hopkins, Minn., in August 2003 for
    Blaster-B and Dan Dumitru Ciobanu, a 24-year-old from Romania who was
    charged with releasing the Blaster-F worm in September, he said.
    
    The German man's confession to police and reports that police found
    the Sasser source code on his computer are certainly persuasive that
    the man was involved with the worm's creation and release, but not
    conclusive that he was the only person responsible for Netsky and
    Sasser, Hyppönen said.
    
    "I wouldn't be surprised at all if there turns out to be someone else
    -- a third party," he said.
    
    Microsoft is continuing its investigation of Sasser, and doesn't
    discount the possibility of others being involved, Smith said.
    
    "Obviously, information is shared all the time among individuals on
    the Internet," he said. "We're not in a position to comment on who had
    access to (the Sasser) information or participated in the spread of
    it," he said.
    
    Despite the arrests, questions remain, Smith said.
    
    "There are things we don't know, such as who put the comments in --
    was it a single individual or someone else? What was that person's
    motivation?"
    
    More arrests are possible, but Microsoft believes that the German
    police got their man on Friday, he said.
    
    "It's always possible that (the investigation) will lead to other
    individuals, but I don't believe those will be individuals who
    authored the variants or launched the initial (worm) distribution," he
    said.
    
    If the man arrested on Friday really is the only author, it will be a
    huge relief to anti-virus experts like Hyppönen, who have been working
    overtime in recent months to keep up with the barrage of new worm
    variants.
    
    "If the guy really confessed to writing Netsky and Sasser and that's
    true, then the worm releases should stop right there, and that's
    excellent," he said.
    
    _________________________________________
    ISN mailing list
    Sponsored by: OSVDB.org
    