Biography of a Worm

Hannover, Germany, June 2004

Despite Jaschan's confession, a trial is required under German law. Helmut Trentmann, the public prosecutor in Lower Saxony, gets the Jaschan case, which should go to trial in the state's capital, Hannover, sometime in January 2005.

Trentmann describes Jaschan as a young man who spends his free time working on his computer. The defendant is "a freak and very intelligent," he says. Based on evidence from computer experts and Microsoft, Trentmann is convinced that Jaschan authored and spread the Sasser worm, and that he acted with malicious intent. "In several steps, he put [Sasser] on the Internet and these steps he made alone," Trentmann says. "And he informed his friends about what he was doing. He was proud."

But Jaschan's malice has yet to be proved, Trentmann acknowledges. "I think his ambition was to get better [at programming]," says Trentmann. "It was a kind of competition. But in the days before he was discovered, he became gripped by fear. He had heard about the FBI investigation. And it became too big for him."

As for Jaschan himself, though his legal status remains unclear, he may get the chance to put his skills to better use: A German firewall firm wants to recruit him as a programmer.

Hannover, September 2004

As PC World goes to press, Trentmann is questioning five informants, four of whom are Jaschan's schoolmates. Trentmann and other investigators consider it likely that some of the informants may have assisted Jaschan in spreading the Sasser worm across the Internet.

Meanwhile, at least two new Sasser variants have appeared, indicating that accomplices of Jaschan may still be hard at work. And on August 23, Sasser.G, which at press time was the most recent variant discovered, was circulating on the Internet. Earlier versions of Sasser continue to infect unpatched machines every day. And Jaschan's mysterious spam-friendly rivals who produce the Bagle and MyDoom worms are still at it as well, releasing a new virus every few days.

All of the parties involved in this case say that their actions help others. EEye and Ukai's discovery of the LSASS hole helped the company's customers, who would have been at risk if a malicious hacker had found the vulnerability first. Microsoft's release of the patch enabled customers to avoid the problem.

Houseofdabus stated that the exploit was created only for educational purposes. Jaschan, too, claims that he was providing a service to the Internet at large. Sasser's primary effect was simply to spread as fast as possible, but Netsky attacked computers infected with the Bagle and MyDoom viruses (collectively known as spam zombies), preventing those PCs from sending spam to the rest of us.

So if everyone is looking out for our interests, why do we keep getting hit by ever-worsening viruses and worms that corrupt our data, gum up our networks, and crash our computers?

In practice, the patch system doesn't protect all of us--it protects those who patch quickly. According to Gerhard Eschelbeck, CEO of the security firm Qualys, only half of all PC users apply patches within three weeks of when they appear. That leaves the other half open to worms that might never have been created if the patch hadn't been released at all.

Clearly we can't simply scrap the current patch system. Malicious hackers will always be on the lookout for vulnerabilities in software, even without unwitting aid from Microsoft. Such hackers, working undetected, might do far more serious damage--all computer users would be vulnerable to data and identity theft, and businesses would be open to espionage.

The ultimate solution is to produce software that's secure from the get-go. Until then, improving the patch system must be the top priority for everyone involved. Users, however, have only one real option right now: Patch early and often.
