Sasser release points to more than one author

The release of a new version of the Sasser worm calls into question claims by some German authorities that they have the sole...

The release of a new version of the Sasser worm calls into question claims by some German authorities that they have the sole author of the worm in custody.

The latest version of the worm, Sasser-E, appeared late on Friday, around the time police arrested an 18-year-old man they said was the author of all the Sasser variants and of the Netsky worm.

While it is possible that Sven Jaschan released the worm just before being captured, the close timing and clues from earlier Sasser variants may point to a larger network of virus writers outside Germany, said Mikko Hyppönen, antivirus research manager at F-Secure.

German police charged Jaschan with creating Sasser, which appeared on 1May, and three variants that appeared in subsequent days.

Jaschan's arrest followed a tip to Microsoft Deutschland from individuals who asked about the possibility of receiving a reward in exchange for information about Sasser's creator, said Brad Smith, senior vice president and general counsel at Microsoft.

On Monday, the Associated Press quoted Frank Federau, a spokesman for the state criminal office in Hannover, saying the teenager could have programmed Sasser-E "immediately before his discovery".

Microsoft believed Jaschan made Sasser-E, like the other variants, and released it almost simultaneously with his arrest.

"It's our understanding that the police have arrested the individual responsible for Sasser-E and the four previous variants," Smith said.

Microsoft is basing that position on statements from German authorities and from the investigation of Sasser and Netsky, he added. 

Antivirus experts say that scenario is possible, but not likely.

"It's ... possible it was released by the guy they arrested ... but he would have to have released it just before he got arrested, 15 minutes before the police knocked on his door," Hyppönen said.

However, the timing of the release and titbits of information gleaned from earlier Sasser worms suggests that others may be involved with Sasser and Netsky, Hyppönen said.

F-Secure learned of Sasser-E 10 hours after the arrest of the suspect, but knows of earlier reports that put the first appearance of the worm around three hours and 45 minutes after his arrest. 

Three hours is still a long time for a worm to circulate on the internet without being spotted. Unless even earlier reports of the worm turn up, that time lag could cast doubt on claims that Jaschan is the sole author of Sasser, Hyppönen said. 

"It's ... possible that somebody else released [Sasser-E] as proof that he is not the only guy, or that this guy has written some versions of Sasser but not all, or that he's admitting guilt to protect someone else," he said.

Symantec did not receive a copy of Sasser-E until 1am Pacific Time on Sunday morning, almost two days after the arrest. The company is still analysing data from its worldwide DeepSight Alert network of sensors to spot the first appearance of the worm, said Oliver Friedrichs, senior manager of Symantec Security Response.

The company does not have enough information to say whether there are multiple authors behind the Sasser worms. However, before Friday's arrest, the sheer number of variants produced of both worms led Symantec to suspect a virus writing group was behind Sasser and Netsky.

F-Secure researchers also assumed there was a group at work, probably based in Russia, Hyppönen said. "We were surprised that it was one guy and that it was not in Russia." 

Comments hidden in previous versions of Netsky and Sasser included references to the Czech Republic and Russia, as well as a "crew" of  authors. Some parts of the Netsky worm code also contain comments in Russian.

"If they didn't speak Russian, they at least took some lessons before inserting the comments in there," said Hyppönen.

The evolution of the Netsky worm from version to version also suggests the work of more than one author.

"The way the secondary functions of the virus changed. In the beginning it just killed installations of Mydoom and Bagle, then it slowly changed to launch DDOS against peer-to-peer and [software] cracking sites," he said.

The changes could reflect the input and interests of different contributors, just as the Blaster worm was modified by others, neither of them the original author, resulting in the arrests of two men: Jeffrey Parsons, a teenager from Hopkins, Minnesota, in August 2003 for Blaster-B and Dan Dumitru Ciobanu, a 24 year-old from Romania who was charged with releasing the Blaster-F worm in September.

Jaschan's confession to police and reports that police found the Sasser source code on his computer are certainly persuasive that he was involved with the worm's creation and release, but not conclusive that he was the only person responsible for Netsky and Sasser, Hyppönen said.

"I wouldn't be surprised at all if there turns out to be someone else - a third party," he said.

Microsoft is continuing its investigation of Sasser, and does not discount the possibility of others being involved, Smith said.

"Obviously, information is shared all the time among individuals on the Internet, he said. "We're not in a position to comment who had access to [the Sasser] information or participated in the spread of it," he said.

Despite the arrests, questions remain, Smith said.

"There are things we don't know, such as who put the comments in - was it single individual or someone else? What was that person's motivation?"

If the man arrested on Friday really is the only author, it will be a huge relief to antivirus experts like Hyppönen, who have been working overtime in recent months to keep up with the barrage of new worm variants.

"If the guy really confessed to writing Netsky and Sasser and that's true, then the worm releases should stop right there and that's excellent."

Paul Roberts writes for IDG News Service

Sasser and Phatbot arrests co-ordinated, but not linked >>

Sasser arrest 'encouraging', but more should be done, say experts >>

Read more on IT risk management