Hunt For Sasser Authors Widens
May 13, 2004 (2:27 p.m. EST)
By Gregg Keizer, TechWeb News
In a widening of the investigation into the Sasser worm, German police announced Wednesday that they had searched the homes of five suspected accomplices of the 18-year-old man taken into custody last Friday. The five, however, were neither arrested nor charged.
On May 7, authorities in the state of Lower Saxony arrested a man they identified as Sven Jaschan as the prime suspect in the Sasser worm case. Jaschan lives in Waffensen, a town in the northwest of Germany about 20 miles east of Bremen.
Saturday, Microsoft officials said that informants in Germany had tipped them to the identity of the Sasser author. After technical analysis, the Redmond, Wash.-based developer confirmed that Jaschan was the likely creator of the worm which rolled through the Internet the week before, and notified local authorities. At that time, German police and Microsoft claimed that Jaschan was acting alone.
Tuesday, however, police raided the apartments of five more suspects -- all of whom live in the Waffensen area -- and uncovered a “large quantity of material,” according to reports by Reuters and the Associated Press.
While the five were released, police in Hanover now think that their initial assessment of Jaschan's role may have been off the mark. “The assessments that have followed have now supported the suspicion that others were involved in distributing the virus,” police said in a statement.
Two of the five have reportedly admitted to having the source code for Netsky, another worm that police believe Jaschan authored. Only one confirmed that he had actually distributed Netsky, however.
The fact that the investigation has spread didn't surprise some analysts.
“Even guys who claim that they're loners are getting help of some sort,” said Ken Dunham, the malicious code director of iDefense. “You talk to them, and yeah, they admit that they downloaded a routine here or worked a chat room there.”
Suspicions that Jaschan wasn't the only hacker working on Sasser had increased this week as another variant, dubbed Sasser.f, appeared days after the teen's arrest. Sasser.f was first noticed on the Internet Monday.
Dunham believes that the copycat was probably created by patching the worm's binary directly, not by recompiling it from Sasser's source code.
Hackers who obtain a binary copy of the worm can open it with a hex editor, said Dunham, and make minor changes. “That's what we believe is going on with these [recent] variants,” he said. There's no evidence yet that Sasser's source code is out in the wild.
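The distinction Dunham draws matters to anyone writing detections: a hex-edited variant changes the file hash but leaves the code bytes and layout intact, so hash-based indicators miss it while a byte-pattern signature anchored on code still fires. The following is an added example, not code from the article or from any real worm; the "binary" is a constructed byte blob with made-up code bytes and strings, and the hypothetical helpers `hex_edit`, `make_variant` and `compare_variant` exist only for this illustration.

```python
"""Added example (not from the article, not worm code): why an in-place
hex edit of a binary defeats hash-based IOCs but not a code-pattern
signature. All bytes below are constructed for illustration."""
import hashlib
import re

# Constructed stand-in for an original sample: a few "code" bytes followed
# by embedded strings an author might tweak (mutex name, listening port).
ORIGINAL = (
    b"\x55\x8b\xec\x83\xec\x40"           # made-up function prologue
    b"\x68\x00\x10\x00\x00"               # made-up push imm32
    b"\xe8\x00\x00\x00\x00"               # made-up call rel32
    b"\x00MUTEX_WORM_A\x00port=5554\x00"  # constructed strings
)


def hex_edit(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Emulate a hex-editor change: overwrite an equal-length run of bytes
    in place, so file size and every code offset stay the same."""
    if len(old) != len(new):
        raise ValueError("in-place hex edits must keep the same length")
    idx = blob.find(old)
    if idx < 0:
        raise ValueError("pattern not present in blob")
    return blob[:idx] + new + blob[idx + len(old):]


def make_variant() -> bytes:
    """Build a 'copycat' by swapping only the embedded strings."""
    variant = hex_edit(ORIGINAL, b"MUTEX_WORM_A", b"MUTEX_WORM_F")
    return hex_edit(variant, b"port=5554", b"port=5556")


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


# Byte-pattern signature anchored on the code sequence. The four-byte call
# displacement is wildcarded because it changes whenever code is relinked;
# the strings are deliberately not part of the pattern.
CODE_SIGNATURE = re.compile(
    rb"\x55\x8b\xec\x83\xec\x40\x68\x00\x10\x00\x00\xe8....", re.DOTALL
)


def matches_code_signature(blob: bytes) -> bool:
    return CODE_SIGNATURE.search(blob) is not None


def compare_variant(original: bytes, variant: bytes) -> dict:
    """Return the two verdicts a responder would check for a new sample:
    does a hash IOC for the original hit it, and does the code signature."""
    return {
        "hash_ioc_hits_variant": sha256(variant) == sha256(original),
        "code_signature_hits_variant": matches_code_signature(variant),
    }


if __name__ == "__main__":
    v = make_variant()
    print("original sha256:", sha256(ORIGINAL))
    print("variant  sha256:", sha256(v))
    print(compare_variant(ORIGINAL, v))
```

The length check in `hex_edit` is the point of the exercise: a hex editor lets an attacker change bytes, not insert them without breaking offsets, which is why such variants tend to differ only in strings and constants. That also explains the article's observation that source code in the wild is the more dangerous development: a recompile changes layout and defeats the code pattern as well.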
But the availability of worm source code is “one of the most dangerous trends” in Internet security, said Dunham.
Although worm code was rarely shared by hackers in the past, lately it's been widely disseminated. “The source code for Netsky, for Phatbot, and other major top ten worms are in the hands of people who don't want to do good things,” he added.
“Some of these guys just want to share their work,” Dunham argued, which has led to a powerful arsenal of source code and tools circulating in the hacker underground.
But hackers aren't the only ones who worry security analysts. “Those who are after economic gain, or even state-sponsored attackers, now have plenty of weapons at their disposal,” said Dunham.
While Microsoft played a part in Jaschan's arrest, the company said Thursday that it knew nothing more about the recent raids than what was reported in the media. “This is an ongoing investigation conducted by German law enforcement,” said a Microsoft spokesman, who added that the raids were not prompted by any intelligence Microsoft had provided.
Microsoft stands by its promise to offer a $250,000 reward for the arrest and conviction of the person or persons who authored the Sasser worm, the spokesman added.