Sasser Variants Raise Questions
The release of a new version of the Sasser worm calls into question claims by some German authorities that they have the sole author of the worm in custody, according to antivirus experts.
A new version of the Sasser worm, dubbed Sasser-E, appeared late Friday, around the time police arrested an 18-year-old man they said was the author of all the Sasser variants and of the Netsky worm. While it is possible that the teenager released the worm just before being captured, the close timing and clues from earlier Sasser variants may point to a larger network of virus writers outside of Germany, said Mikko Hypponen, antivirus research manager at F-Secure in Finland.
On Friday, German police in Lower Saxony arrested the man and charged him with creating Sasser, which appeared on May 1, and three variants that appeared in subsequent days.
The arrest of the man, who has not officially been identified, followed a tip to Microsoft Deutschland GmbH from individuals who asked about the possibility of receiving a reward in exchange for information about the creator of the Sasser worm, said Brad Smith, senior vice president and general counsel at Microsoft, in a statement.
On Monday, the Associated Press quoted Frank Federau, a spokesman for the state criminal office in Hanover, Germany, saying the teenager likely programmed Sasser-E "immediately before his discovery."
Microsoft believes that the man arrested made Sasser-E, like the other variants, and released it almost simultaneously with his arrest, according to Smith.
"It's our understanding that the police have arrested the individual responsible for Sasser-E and the four previous variants," he said.
Microsoft is basing that position on statements from German authorities and from the ongoing investigation of Sasser and Netsky, he said.
Antivirus experts say that scenario is possible, but not likely.
"It's ... possible it was released by the guy they arrested ... but he would have to have released it just before he got arrested, 15 minutes before the police knocked on his door," Hypponen said.
The timing of the release and tidbits of information gleaned from earlier Sasser worms suggests that others may be involved with the Sasser and Netsky worms, Hypponen said.
F-Secure learned of Sasser-E ten hours after the arrest of the suspect, but knows of earlier reports that put the first appearance of the worm around three hours and forty five minutes after his arrest, according to information on the F-Secure Web site.
Three hours is still a long time for a worm to circulate on the Internet without being spotted. Unless even earlier reports of the worm turn up, that time lag could cast doubt on claims that the man arrested Friday is the sole author of Sasser, Hypponen said.
"It's ... possible that somebody else released (Sasser-E) as proof that (the German man) is not the only guy, or that this guy has written some versions of Sasser but not all, or that he's admitting guilt to protect someone else," he said.
Symantec didn't receive a copy of Sasser-E until 1 a.m. Pacific Time on Sunday morning, almost two days after the arrest. The company is still analyzing data from its worldwide DeepSight Alert network of sensors to spot the first appearance of the worm, said Oliver Friedrichs, senior manager of Symantec Security Response.
The company doesn't have enough information to say whether there are multiple authors behind the Sasser worms. However, prior to the arrest Friday, the sheer number of variants produced of both worms led Symantec to suspect a virus writing group was behind Sasser and Netsky, he said.
F-Secure researchers also assumed there was a group at work, probably based in Russia, Hypponen said.
"We were surprised that it was one guy and that it was not in Russia," he said.
Comments hidden in previous versions of Netsky and Sasser included references to the Czech Republic and Russia, as well as a "crew" of authors. Some parts of the Netsky worm code also contain comments in Russian, Hypponen said.
"If they didn't speak Russian, they at least took some lessons before inserting the comments in there," he said.
The evolution of the Netsky worm from version to version also suggests the work of more than one author, he said.
"The way the secondary functions of the virus changed ... In the beginning it just killed installations of Mydoom and Bagle, then it slowly changed to launch distributed denial of service attacks against peer-to-peer and (software) cracking sites," he said.
The changes could reflect the input and interests of different contributors--just as the Blaster worm was modified by others, neither of them the original author, resulting in the arrests of two men: Jeffrey Parsons, a teenager from Hopkins, Minnesota, in August 2003 for Blaster-B and Dan Dumitru Ciobanu, a 24 year-old from Romania who was charged with releasing the Blaster-F worm in September, he said.
The German man's confession to police and reports that police found the Sasser source code on his computer are certainly persuasive that man was involved with the worm's creation and release, but not conclusive that he was the only person responsible for Netsky and Sasser, Hypponen said.
"I wouldn't be surprised at all if there turns out to be someone else -- a third party," he said.
Microsoft is continuing its investigation of Sasser, and doesn't discount the possibility of others being involved, Smith said.
"Obviously, information is shared all the time among individuals on the Internet, he said. "We're not in a position to comment who had access to (the Sasser) information or participated in the spread of it," he said.
Despite the arrests, questions remain, Smith said.
"There are things we don't know, such as who put the comments in -- was it single individual or someone else? What was that person's motivation?"
More arrests are possible, but Microsoft believes that the German police got their man on Friday, he said.
"It's always possible that (the investigation) will lead to other individuals, but I don't believe those will be individuals who authored the variants or launched the initial (worm) distribution," he said.
If the man arrested on Friday really is the only author, it will be a huge relief to antivirus experts like Hypponen, who have been working overtime in recent months to keep up with the barrage of new worm variants.
"If the guy really confessed to writing Netsky and Sasser and that's true, then the worm releases should stop right there and that's excellent," he said.