Analysts are hoping that last Friday’s arrest of the alleged author of the virulent Sasser
worm will put an end to the ‘worm war’ that has been hammering anti-virus vendors and IT
shops for the past several months.
Sven Jaschan, an 18-year-old German, was picked up in Rotenburg, northern Germany, by
authorities on Friday, May 7, and allegedly admitted to being the author of the
fast-spreading Sasser worm, according to Reuters news service. Authorities say Jaschan may
have been trying to drum up business for his mother, who runs a small computer maintenance
business.
Analysts estimate that the Sasser family of worms attacked tens of millions of computers
around the world.
But security analysts say this one arrest may have broader implications.
Graham Cluley, a senior technology consultant for Sophos Inc., an anti-virus and anti-spam
company based in Lynnfield, Mass., says virus experts believe the person or group behind
the Sasser worm family also may be responsible for the highly damaging Netsky worms, which
have been battering the Internet for most of the year. And that economic damage was
multiplied when the Netsky author got embroiled in a digital battle with the Bagle worm
author or authors.
One Netsky worm, once it compromised a machine, would actually wipe out any Bagle
infection. And three Netsky variants contained messages inside their code, sniping at the
authors of Bagle and MyDoom. One message read, “We kill malware writers. They have no
chance.”
The Bagle authors quickly struck back, including their own messages, many of them R-rated
at the minimum, in several variants. One message reads in part, “Hey Netsky… Don’t ruin
our business. Wanna start a war?”
The war of words soon turned into a battle of one-upmanship, with each hacker releasing
one worm variant after another. Soon, anti-virus vendors and IT and security administrators
were swamped with simply keeping up with the barrage of Netsky and Bagle worms that were
coming at them.
“Our hope is that this worm war will be over now,” says Ken Dunham, director of malicious
code at iDefense, Inc., a security intelligence company based in Reston, Va. “We want to
get back to work on other things than Bagle and Netsky variants… If this kid authored
both Sasser and Netsky, it might be over.”
Cluley agrees.
“If you scrutinize the most recent Netsky worm, you can see that the author embedded a
taunt to anti-virus companies, bragging that he also wrote the Sasser worm,” Cluley says
in a written statement. “If this is the case, this could be one of the most significant
cybercrime arrests of all time.
“All of these worms have been highly disruptive and complex, suggesting that the author
isn’t working alone,” he adds. “Seizing this man’s computers could provide the vital
clues which will bring down the infamous ‘Skynet’ virus-writing gang. We would not be
surprised if more arrests follow in due course.”
Dunham points out that previous hacker arrests have led to further arrests in the
underground community. He points to the 1999 arrest of David Smith, who pleaded guilty and was
sentenced for creating and disseminating the Melissa virus, which was one of the most
damaging viruses of its time. Dunham says Smith later worked for the FBI, collecting
information about other virus writers.
“Jaschan may have information about lots of people,” says Dunham. “Virus writers share
code and exploits, and get information from one another. They chat with people and get
help. My guess is that authorities will try to get information on others.”
Reuters reports that Jaschan, who at this point has allegedly admitted only to authoring
Sasser, faces charges of computer sabotage, which carry a maximum of five years in prison.
The actual punishment could be less because Jaschan, who turned 18 in late April, was 17
when the worm was first released into the wild.