Sasser arrest a rare victory in virus wars

With a Sasser suspect in custody and a Microsoft-issued bounty getting much of the credit, experts mull impact of this new weapon against Internet viruses.

With an 18-year-old German student in custody for allegedly writing last week's Sasser worm, and Microsoft's virus writer bounty getting much of the credit, will the arrest translate into fewer computer nuisances flying around the Internet? 

Probably not, most experts say.

The weekend's arrest of Sven Jaschan in northern Germany is certainly noteworthy. It's rare that virus writers are caught for the havoc they wreak -- in fact, it's been almost three years since authorities have managed to arrest someone responsible for a major virus outbreak. And it does appear the existence of a bounty fund, created last year by Microsoft to help suss out virus writers, played a major role in Jaschan's arrest.

Brad Smith, Microsoft's general counsel, said he hoped the appearance of informants would have an immediate effect on the virus-writing underground.

"We're definitely hoping this incident will send a strong message to others, and will deter them," he said. "There will be a direct benefit if someone else is now dissuaded from spending time creating and launching viruses. And an indirect benefit if it encourages other people to come forward."

But antivirus experts are pessimistic that the incident will have much more than a temporary effect on virus writers looking for fame or a quick buck.

"Most virus writers will think, 'He got caught because he's dumb,' and they are smarter than he is," said Mark D. Rasch, former head of the Justice Department's computer crime unit. He's now an executive at computer security firm Solutionary Inc. "In the last 15 years we've had 30 or 40 arrests of these people worldwide, and yet we still get 15 more of these (viruses) every week." 

According to German law enforcement authorities and Microsoft Corp., a group familiar with the teen's computer programming work approached Microsoft officials in Germany last Wednesday asking if there would be a reward for turning in the Sasser author. The group -- fewer than five individuals, Smith said -- then provided key evidence leading to Jaschan's arrest. Microsoft agreed to pay $250,000 to the group, contingent on conviction of Jaschan. (MSNBC is a Microsoft - NBC joint venture.)

Last year, Microsoft had specifically offered rewards for the MSBlaster and SoBig virus authors, with little effect. However, the possibility of a reward was apparently enough this time to entice witnesses to come forward.

'A lot of scared people'
No official information has been released about who the informants were, but antivirus experts are speculating that they might have been fellow virus writers -- and perhaps fellow programmers who egged on, and then later ended up turning Jaschan in. But Microsoft officials insist the informant had no connection to the virus writer's work, and say they wouldn't pay a reward to anyone who had helped author the computer virus.

Either way, the fact that some cold, hard cash might land in the hands of people surrounding a virus writer might be making other members of the virus-writing underworld nervous right now, said Bruce Hughes, director of malicious code research at TruSecure Corp.

"I bet there's a lot of scared people," he said. "I think there are a lot of guys out there who are thinking, 'Who else knows I've written something? Would they turn me in?' "

And that's the hope, said Greg Fowler, spokesman for the Northwest Cyber Crime Task Force, made up of agents from the FBI, U.S. Secret Service, and Seattle area law enforcement. It's rare that virus writers are successfully hunted through the digital breadcrumbs they leave, he said. So federal authorities are hard at work using more traditional methods to stop the computer underground: developing inside sources and encouraging informants.

"The FBI and the Secret Service have always stressed the importance of developing sources inside secular communities that are difficult to penetrate," he said. "As with terrorism ... the more closed the society is, the more important it is to have good sources."

International law enforcement agencies have a spotty record at tracking down virus writers. There have only been three other major arrests in the last five years, and in all those cases, the author's own sloppy work did him in. Melissa author David Smith, a 30-year-old New Jersey resident, was caught in part because he created his simple virus using a version of Microsoft Word that identified the computer he was using at the time.  He was ultimately given a 20-month prison sentence. 

The authors of the LoveBug and the Anna Kournikova viruses got off much easier, with little but slaps on the wrist. A Dutch 20-year-old named Jan de Wit left his calling card nickname "OnTheFly" in his Kournikova worm and authorities had no trouble linking the moniker to de Wit after several computer sleuths tracked down his many Internet posts in early 2001.

Onel de Guzman also left digital traces when the 23-year-old wrote LoveBug from a small apartment in Manila, Philippines during May 2000. A prior virus, also written by him, mentioned his community college and the name of a local computer club.

Keeping large gangs apart
Apparently, those three cases were enough to teach most virus writers the value of covering their tracks -- until this week it had been three years since such sleuthing worked after a major outbreak. While there were two arrests last summer of programmers suspected of creating variants of MSBlaster, there have been no arrests linked to the virulent program's original author.

But it's possible the first success of the Microsoft bounty effort might change that, said noted cybersleuth Richard Smith, who helped track down both the Kournikova and Melissa authors.

"The bounty system does seem to work and it looks like a useful tool to me," Smith said. "It will probably act as a deterrent and will also make virus writers more careful what they say to each other."

Even if the system simply keeps large virus gangs from forming and sharing information, out of fear of being ratted out, that's useful, Hughes said. Just two months ago, rival virus gangs got into a shouting match over the Internet, releasing dozens of worms during a one-month period with names like NetSky, MyDoom, and Bagle. Authorities believe the Sasser suspect may also have been involved with the various NetSky viruses.

"The more of these guys we get off the street, the better," Hughes said. "If he was part of the NetSky group, that's a lot of viruses off the street now."

Of course, to really have the desired informant effect, Microsoft will have to pay the bounty -- and the firm initially said it will only pay if Jaschan is actually convicted, and the informants really do turn out to be clean.

Meanwhile, potential obstacles to conviction are being raised. It's unclear if the 18-year-old will be tried as an adult -- German authorities can choose to prosecute him as a juvenile or as an adult, Smith said. And while Jaschan has confessed to writing and distributing the virus, according to Smith, that still doesn't guarantee a conviction. These vagaries, combined with the elusive track record of virus writers, led most antivirus experts to relatively pessimistic predictions on Monday.

"Every step we take in terms of catching someone is a small victory," said Oliver Friedrichs, senior manager of Symantec Corp.'s Security Response Team. "In the short term, it may have some impact, but people forget really quickly. I don't think we'll see a long-term impact unless the arrests become the norm."