Microsoft Bounty Helps Nail Sasser Suspect
A multimillion-dollar Microsoft reward program to encourage people to identify computer virus writers has led to the arrest of a teenager in Germany on suspicion of writing the Sasser computer worm.
Police in the state of Lower Saxony in northern Germany arrested an 18-year-old on Friday after a search of his parents' house in Rotenburg, law enforcement officials say. He has confessed to creating the Sasser worm and is also being investigated on suspicion of creating the NetSky worm, says the Lower Saxony state crime office in a statement.
The arrest comes a week after Sasser was first noted. The worm exploits a flaw in a component of the Windows XP and Windows 2000 operating systems called the Local Security Authority Subsystem Service, or LSASS. The vulnerability was identified by Microsoft on April 13 at the same time as the company released a software patch to correct the flaw.
Sasser is estimated to have caused trouble for thousands of computer users and to have been responsible for disruptions at American Express, Delta Air Lines, and some universities.
Reward Enticed Tip
The investigation got its big break last Wednesday when Microsoft Deutschland was contacted by individuals who asked about the possibility of receiving a reward in exchange for information about the creator of the Sasser worm, says Brad Smith, senior vice president and general counsel at Microsoft.
"Microsoft's investigators informed the individuals that the company would consider providing a reward of up to $250,000 if their information led to the arrest and conviction of the Sasser perpetrator," he says.
The identity of the individuals isn't being disclosed. However, Smith offers two clues as to who they are.
"These were individuals who were aware of who the perpetrator was," Smith says. "They did not stumble upon this simply through technical analysis. They were aware of who this individual was. But beyond that, we're not in a position to disclose their identity."
He also says the informants number "fewer than you could count with one hand."
As a result of the conversation, the informants gave information to Microsoft and to local authorities in Germany. Microsoft's U.S. headquarters was alerted to the information within minutes and an investigation was begun by the software maker, the FBI, Secret Service, and German law enforcement authorities, Smith says.
"Within 48 hours of the informants coming forward our investigators and the German police were able to identify the perpetrator of the Sasser virus and to take him into custody," he says. "This individual is responsible we believe for all four variants of the Sasser virus."
Based on the investigation, police suspect the same individual may be responsible for the NetSky worm that first appeared in February.
"Ultimately there were 28 variants of the NetSky worm and the German authorities are alleging today that all of these variants are connected to the individual who they have taken under arrest," Smith says.
A connection between the Sasser and NetSky worms was already noted by antivirus researchers. A new version of NetSky that appeared on May 3 includes a message within its code directed at antivirus companies that claims responsibility for Sasser.
"Hey AV (antivirus) firms, do you know that we have programmed the Sasser virus?!? Yeah, thats true," the message reads, in part.
Despite the arrest, the investigation into the worm continues, Smith says. However, he declines to comment on any details regarding the ongoing work of Microsoft or investigators.
Microsoft launched its virus-author bounty program, initially funded with $5 million, in November last year.
"Hopefully, people will see this reward announcement as reason to come forward when they have information. The more information that people can provide to law enforcement, the more likely we will have an arrest and a conviction for a malicious code launcher," said Hemanshu Nigam, a Microsoft corporate attorney, at the time of the reward program's launch.
Smith says he sees the German arrests as a success for the reward program and the work the company has been doing over the last year to better respond to virus threats.
"We are very pleased with this fast progress and the ability of law enforcement to arrest the perpetrator within seven days of the launch of the worm," he adds.