Experts: Timing of new Sasser worm raises questions

The release of a new version of the Sasser worm calls into question claims by some German authorities that they have the sole author of the worm in custody, according to antivirus experts.

A new version of the Sasser worm, dubbed Sasser-E, appeared late Friday, around the time police arrested an 18-year-old man they said was the author of all the Sasser variants and of the Netsky worm. While it is possible that the teenager released the worm just before being captured, the close timing and clues from earlier Sasser variants may point to a larger network of virus writers outside of Germany, said Mikko Hyppönen, antivirus research manager at F-Secure in Finland.

On Friday, German police in Lower Saxony arrested the man and charged him with creating Sasser, which appeared on May 1, and three variants that appeared in subsequent days.

The arrest of the man, who has not officially been identified, followed a tip to Microsoft Deutschland GmbH from individuals who asked about the possibility of receiving a reward in exchange for information about the creator of the Sasser worm, said Brad Smith, senior vice president and general counsel at Microsoft, in a statement.

On Monday, the Associated Press quoted Frank Federau, a spokesman for the state criminal office in Hanover, Germany, saying the teenager likely programmed Sasser-E "immediately before his discovery."

Microsoft believes that the man arrested made Sasser-E, like the other variants, and released it almost simultaneously with his arrest, according to Smith.

"It's our understanding that the police have arrested the individual responsible for Sasser-E and the four previous variants," he said.

Microsoft is basing that position on statements from German authorities and from the ongoing investigation of Sasser and Netsky, he said.

Antivirus experts say that scenario is possible, but not likely.

"It's ... possible it was released by the guy they arrested ... but he would have to have released it just before he got arrested, 15 minutes before the police knocked on his door," Hyppönen said.

However, the timing of the release and tidbits of information gleaned from earlier Sasser worms suggests that others may be involved with the Sasser and Netsky worms, Hyppönen said.

F-Secure learned of Sasser-E ten hours after the arrest of the suspect, but knows of earlier reports that put the first appearance of the worm around three hours and forty five minutes after his arrest, according to information on the F-Secure Web site.

Three hours is still a long time for a worm to circulate on the Internet without being spotted. Unless even earlier reports of the worm turn up, that time lag could cast doubt on claims that the man arrested Friday is the sole author of Sasser, Hyppönen said.

"It's ... possible that somebody else released (Sasser-E) as proof that (the German man) is not the only guy, or that this guy has written some versions of Sasser but not all, or that he's admitting guilt to protect someone else," he said.

Symantec didn't receive a copy of Sasser-E until 1 a.m. Pacific Time on Sunday morning, almost two days after the arrest. The company is still analyzing data from its worldwide DeepSight Alert network of sensors to spot the first appearance of the worm, said Oliver Friedrichs, senior manager of Symantec Security Response.

The company doesn't have enough information to say whether there are multiple authors behind the Sasser worms. However, prior to the arrest Friday, the sheer number of variants produced of both worms led Symantec to suspect a virus writing group was behind Sasser and Netsky, he said.

F-Secure researchers also assumed there was a group at work, probably based in Russia, Hyppönen said.

"We were surprised that it was one guy and that it was not in Russia," he said.

Comments hidden in previous versions of Netsky and Sasser included references to the Czech Republic and Russia, as well as a "crew" of authors. Some parts of the Netsky worm code also contain comments in Russian, Hyppönen said.

"If they didn't speak Russian, they at least took some lessons before inserting the comments in there," he said.

The evolution of the Netsky worm from version to version also suggests the work of more than one author, he said.

"The way the secondary functions of the virus changed. In the beginning it just killed installations of Mydoom and Bagle, then it slowly changed to launch DDOS (distributed denial of service attacks) against peer-to-peer and (software) cracking sites," he said.

The changes could reflect the input and interests of different contributors, just as the Blaster worm was modified by others, neither of them the original author, resulting in the arrests of two men: Jeffrey Parsons, a teenager from Hopkins, Minnesota, in August 2003 for Blaster-B and Dan Dumitru Ciobanu, a 24 year-old from Romania who was charged with releasing the Blaster-F worm in September, he said.

The German man's confession to police and reports that police found the Sasser source code on his computer are certainly persuasive that man was involved with the worm's creation and release, but not conclusive that he was the only person responsible for Netsky and Sasser, Hyppönen said.

"I wouldn't be surprised at all if there turns out to be someone else -- a third party," he said.

Microsoft is continuing its investigation of Sasser, and doesn't discount the possibility of others being involved, Smith said.

"Obviously, information is shared all the time among individuals on the Internet, he said. "We're not in a position to comment who had access to (the Sasser) information or participated in the spread of it," he said.

Despite the arrests, questions remain, Smith said.

"There are things we don't know, such as who put the comments in -- was it single individual or someone else? What was that person's motivation?"

More arrests are possible, but Microsoft believes that the German police got their man on Friday, he said.

"It's always possible that (the investigation) will lead to other individuals, but I don't believe those will be individuals who authored the variants or launched the initial (worm) distribution," he said.

If the man arrested on Friday really is the only author, it will be a huge relief to antivirus experts like Hyppönen, who have been working overtime in recent months to keep up with the barrage of new worm variants.

"If the guy really confessed to writing Netsky and Sasser and that's true, then the worm releases should stop right there and that's excellent," he said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

IDG News Service
Show Comments



Victorinox Werks Professional Executive 17 Laptop Case

Learn more >



Back To Business Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?