An 18-year-old Minnesota resident was arrested and charged with releasing a variant of the MSBlaster worm, U.S. officials announced Friday. Jeffrey Lee Parson, who used the nickname “teekid,” made his first court appearance in St. Paul on Friday and was under house arrest, according to federal authorities.
“With this arrest we want to deliver a message to cyberhackers here and around the world,” said U.S. Attorney John McKay at a news conference in Seattle. “They need to be convinced that the handcuffs are not cybercuffs. They are real.”
McKay said investigators in Seattle and Minneapolis worked together to track down Parson, who was charged with intentionally damaging protected computers. If found guilty, Parson could face up to 10 years in prison and $250,000 in fines.
Parson admitted releasing the worm when he was confronted with evidence by federal authorities on Aug. 19, FBI and Justice Department officials said. “He made certain admissions which are included in the complaint,” McKay said. “He admitted conduct which we allege is unlawful.”
The variant Parson allegedly released, called MSBlaster.B, is a slightly altered version of the original MSBlaster, which wreaked havoc on Internet users two weeks ago. Officials stressed that this was not the end of the Blaster investigation, and sources said Parson likely did not have anything to do with the original MSBlaster worm variant, which targeted security holes in Microsoft’s Windows operating system.
U.S. authorities noted that Microsoft had assisted them in their investigation, but would not describe whether the software maker had itself been hit by the attacks. (Microsoft is a partner in MSNBC.)
Assessing the damage
Microsoft general counsel Brad Smith said company engineers had worked with federal authorities to disassemble the MSBlaster.B worm and intentionally infected Windows computers to discover how the worm operated. But Smith did not describe whether the worm had itself done damage to the company’s systems.
“The damage done to Microsoft in this instance is a small tip of damage that was done to computer users around the world,” Smith said at the Seattle news conference, adding that Blaster had cost the company millions of dollars.
While the original MSBlaster infected over 1 million computers, the government alleges Parson’s variant infected some 7,000 computers — raising questions of how significant his role was in the overall crisis that Blaster caused for computer users.
But McKay insisted that Parson’s alleged activities had a profound impact. The 7,000-computer figure, he said, “is, I think it’s fair to say, a limited estimate of what we think the impact is.” Investigators were “convinced that it’s quite a bit more,” McKay said.
The investigation into Parson — described as 6-foot, 4-inches tall and weighing 320 pounds — proceeded swiftly. He released the MSBlaster.B variant on Aug. 15; by Aug. 19, federal authorities were questioning him at his Hopkins, Minn. residence.
Though he is being kept under house arrest, a court barred him from accessing the Internet and authorities removed computers from his home. Parson is still a high-school student, but it is unclear whether he will be allowed to attend while he is detained.
For his court appearance, he wore a T-shirt that read “Big Daddy” on the front and “Big and Bad” with a grizzly bear on the back. He sported a metal stud under his lip and his hair was dyed blond on top and shaved close around the sides and back.
Parson was told he would be assigned a permanent public defender after telling the judge he had no income, no assets and only $3 in a savings account.
His mother, Rita Parson, seated in the back row of the courtroom, sighed heavily and wiped tears from her face before the hearing. Neither she nor Parson’s father, Robert, would comment afterward.
Chasing the tail
Though federal authorities underscored the shoe-leather work required to track Parson, much of the investigation involved an online hunt.
Parson’s alleged Blaster variant was programmed to connect back to a Web site named “www.t33kid.com” after it infected computers. Authorities traced that Web site to an Internet provider in San Diego named California Regional Internet Inc., according to the complaint filed against Parson. That provider told investigators that the computer which hosted Parson’s site was actually controlled by a reseller in Watauga, Tex. That reseller fingered Parson as the owner of the Web site.
“He obviously left clues,” McKay said Friday.
Also, according to the Associated Press, a witness saw the teen testing the infection and called authorities.
On Aug. 19, the FBI executed a search warrant on Parson’s home and seized seven computers. At the same time, Parson admitted to an FBI agent he had altered the original MSBlaster worm by changing a file name included in the program and added a “backdoor” program to it that could be used later by him to take control of infected computers.
Another source familiar with the investigation told MSNBC.com that a series of subpoenas had been issued in an effort to learn more information about an Internet Relay Chat room where copies of the worm were distributed and altered. One of the programs available on t33kid.com, labeled as a worm that worked through peer-to-peer networks, was stored at chaos-networks.com, which offers IRC services in addition to Web hosting. The link between the two Web sites was not clear, though by Friday afternoon, someone had posted as “t33kidismyhero” on chaos-networks.com Web forums.
The original MSBlaster wormed quietly around the Internet in early August. Just days later, the Sobig virus generated millions of stray e-mails. Together, they created a huge headache for computer users, expensive technology cleanups for companies — and touched off an FBI manhunt for suspects. On Tuesday, the FBI issued a statement saying it was actively searching for clues to the virus writers’ identities.
McKay said Friday that investigators had not yet uncovered any link between Sobig and Blaster.
Several variants of MSBlaster were released after the original worm made its way around the Internet, including one named Welchia, which also caused major headaches for corporations. The MSBlaster.B variant, however, did not spread very far. In fact, it included negligible changes to the original MSBlaster: a new file name, teekids.exe, some additional vulgar text, and new compression to avoid antivirus products.
Authorities would not discuss Parson’s alleged motives. The 18-year-old reportedly idolized Microsoft chairman Bill Gates, one family acquaintance told the AP.
The original worm first emerged Aug. 11 carrying a message for the Microsoft chairman: “Billy Gates why do you make this possible? Stop making money and fix your software!!”
Unlike most viruses, which arrive via e-mail, MSBlaster is stealthy. It simply sneaks onto computers connected to the Internet that haven’t been patched for Windows flaws.
Blaster zeroes in on computers running Windows 2000, Windows XP, Windows NT 4.0 and Windows Server 2003 operating systems, Microsoft said. Once Blaster infects a computer, it scans the Internet for other vulnerable machines to infiltrate.
MSNBC’s Jon Bonné and The Associated Press contributed to this report.