Biography of a Worm

Redmond, April 13, 2004

It's been more than six months since Ukai's discovery. Microsoft releases its patch, along with details of the LSASS problem, in an advisory labeled MS04-011. By waiting so long, Microsoft has violated a responsible disclosure guideline: Security companies generally agree that patches should appear within 30 days of when a bug is discovered. Kean explains that the patch fixes not just the bug Ukai found in LSASS, but 13 related vulnerabilities as well.

Windows users and IT professionals must install the patch quickly, lest they leave their networks open to ransacking.

The technical report, which system administrators use to evaluate the safety of applying the patch to their computers, also provides the technical data a highly skilled hacker needs to reverse-engineer the patch and write programs to attack unpatched PCs.

Russia, April 29, 2004

Just 16 days later, at 3 p.m. local time, a Russian hacker known as Houseofdabus releases a proof-of-concept exploit--a program that shows how to take control of an unpatched PC--for the LSASS vulnerability.

The code that Houseofdabus writes is professional-quality work. The author claims to have tested the exploit against ten different Russian- and English-language versions of Windows XP and Windows 2000. A note embedded in it states, "This is provided as proof-of-concept code only for educational purposes and testing by authorized individuals with permission to do so." Nobody believes it will be used only by authorized individuals. For virus writers, who tend to be less skilled than exploit writers, this code is like candy.

The motivations of Houseofdabus are unclear, but virus expert Sarah Gordon, who has interviewed dozens of virus writers, says that most exploit coders see delays in applying patches as signs of laziness on the part of PC users and companies. They believe that the presence of their exploits online spurs a faster reaction to security holes.

Back in Redmond, Kean receives word about the Houseofdabus code, and puts the MSRC into "watchful normalcy" mode, a state of alert in which analysts monitor the Internet for signs that someone is trying to use the exploit code.

Helsinki, Finland, May 1, 2004

At 7:02 a.m. local time, analysts at Helsinki-based antivirus firm F-Secure learn that a new worm exploiting the LSASS vulnerability is in the wild. F-Secure dispatches a bulletin about the worm to other antivirus researchers, and names the worm Sasser.

Sasser spreads fast, causing vulnerable computers to crash or reboot without warning. It doesn't inflict deliberate damage on infected systems, but infected PCs bog down as the worm floods the local network, attempting to replicate.

When news of Sasser reaches Microsoft, engineers begin studying the worm on a test-bed PC, to learn how it spreads. Meanwhile, Kean gathers the product teams that need to be involved, as well as people from Microsoft's communications wing, who will run the public and customer outreach efforts.

"It becomes a 24-by-7 operation," Kean says. "We set up a number of war rooms and establish rotating shifts."

About 10 hours later, a second variant of Sasser, Sasser.B, has already popped up on the radar screen of F-Secure. Sasser.B is sufficiently different that antivirus companies have to rerelease their antivirus software updates to detect and remove it.

Redmond, May 2, 2004

By Sunday, within 24 hours of Sasser's appearance, Microsoft decides to launch a broad outreach campaign that will last the entire week, including conducting a Webcast, posting information on the company's Web site, creating retail flyers and content for PC makers and key partners, and even paying Google to ensure that anyone who searches for information about the worm will see an ad that points to Microsoft.com for the patch and other downloads.

Despite all of these efforts, Microsoft is struggling to contain Sasser. Reports of the worm's impact fly in: Operations have been disrupted at companies like Goldman Sachs and British Airways. Computers in half of Taiwan's post offices have been infected. Sasser plagues PCs at government agencies in Hong Kong and on oil platforms off the coast of Mexico.

The magnitude of the worm's disruption is staggering: 5000 computer systems and associated X-ray equipment at a hospital in Lund, Sweden, stop responding; 1200 PCs at the European Commission headquarters in Brussels cannot get online; and Sun Trust bank and American Express in the United States lose Internet connectivity entirely for several hours.

By late Sunday evening, almost 1.5 million people have downloaded a free tool from Microsoft that kills Sasser. But Sasser is far from finished.

Waffensen, Germany, May 3, 2004

LORD OF THE WORMS: Student Sven Jaschan, 18, allegedly wrote Netsky and Sasser.
Photograph: Peter Thoman/Stern/Picture Press
In this village of just 900 people, located about 21 miles from the city of Bremen in northwestern Germany, Sven Jaschan, an 18-year-old high school student, has allegedly spent the past three months writing and revising a series of Internet worms that he calls Skynet, but that antivirus software companies call Netsky. Variants of this earlier worm--one of the most prolific on the Internet--infect and reinfect tens of thousands of computer systems every month. But Netsky's goal isn't to wreak havoc on innocent bystanders: It's a weapon in a war against two other worms--Bagle and Mydoom--that turn infected machines into a spam distribution network. Netsky takes over those infected machines and deletes the spam-sending worms.

Today--a little over two months since the release of the first Netsky worm--Jaschan allegedly releases the 29th version of the worm, Netsky.AC, on his school network. Like previous versions, this variant contains a hidden message, but in this particular message, the author claims responsibility for writing Sasser.

Netsky's author claimed he wrote Sasser, in a note buried in Netsky.AC.

"Hey, av firms, do you know that we have programmed the sasser virus?!?. Yeah thats true! Why do you have named it sasser? A Tip: Compare the FTP-Server code with the one from Skynet.V!!! LooL! We are the Skynet..."

Helsinki, May 4, 2004

On Tuesday morning, antivirus companies are trying to verify the claims made in the hidden Netsky.AC message. Virus analysts at F-Secure dissect Sasser and Netsky, and produce a detailed flow chart of the worms' routines and subroutines.

This graphical depiction enables them to compare the code and the style of its author. "The same guy who wrote Netsky wrote Sasser," says Mikko Hypponen, antivirus research director at F-Secure, pointing to the graphic.

Antivirus companies and Microsoft estimate that each of the four versions of Sasser has infected anywhere from half a million computers to many millions of them. Each infection causes Windows XP and 2000 PCs, without warning, to begin a 60-second, unstoppable countdown to reboot. When office workers returned to work Monday morning, their unpatched PCs set off a tsunami of worm attacks that has yet to subside, and that infects PCs faster than any previously known worm.

Waffensen, May 5, 2004

As the world's news media catches up with the Sasser story, the FBI joins in the hunt for Sasser's author. According to his own account, published in the German magazine Stern, Jaschan writes to one of his friends, known only as MarleB, declaring that he is getting out of worm writing; Jaschan plans to destroy his hard drive.

Six months earlier, Microsoft had caused quite a stir throughout the virus- and worm-writing world by establishing a $5 million fund that the company would use to reward informants for tips that led to the arrest and conviction of anyone responsible for an outbreak of malicious code.

Later that day, MarleB and another of the young man's friends from school call Microsoft's German headquarters to find out whether Microsoft will pay them the $250,000 bounty if they identify the author of the Sasser worm.

The call is passed along to Hemanshu Nigam, Microsoft's corporate attorney, who manages the antivirus Reward Program. "We informed the persons who were coming forward that, yes, we would gladly pay the reward," Nigam says.

But before the informants can get their money, Nigam explains, they must provide data that Microsoft can "technically analyze" to determine the truthfulness of their claims. MarleB sends along the source code to a version of Sasser. No one has revealed how MarleB got it.

"Our security engineers took the information, analyzed it, and concluded that there was evidence that suggested the [informants] did know what they were talking about," Nigam says.

Microsoft now strongly suspects that it has its man, Sven Jaschan. This will be the first time in the history of the Reward Program that a tip from an informant actually leads to an arrest.

Seattle, May 7, 2004

As soon as he receives confirmation about Sasser from his engineers, Nigam calls in federal investigators. An FBI task force based in Seattle immediately contacts police in the German state of Lower Saxony. Later that day, German law enforcement agents raid the cottage where 18-year-old Sven Jaschan lives with his parents, and confiscate Jaschan's computer. In his interrogation, Jaschan allegedly confesses everything about his role in creating Sasser, Netsky, and their variants.

Only 2 hours after his arrest, while Jaschan is still in police custody, a fifth version of Sasser appears online. Some security experts suspect that other hackers may be spreading Sasser, or that Jaschan may have offered a false confession. German authorities, for the moment, remain confident they have the culprit. Jaschan probably unleashed Sasser.E only minutes before authorities arrived at his house, German officials say.

Subscribe to the Security Watch Newsletter

Comments