Network World

Experts: Timing of new Sasser worm raises questions

By Paul Roberts, IDG News Service, 05/10/2004

The release of a new version of the Sasser worm calls into question claims by some German authorities that they have the sole author of the worm in custody, according to anti-virus experts.

A new version of the Sasser worm, dubbed Sasser-E, appeared late Friday, around the time police arrested an 18-year-old man they said was the author of all the Sasser variants and of the Netsky worm. While it is possible that the teenager released the worm just before being captured, the close timing and clues from earlier Sasser variants may point to a larger network of virus writers outside of Germany, said Mikko Hyppönen, anti-virus research manager at F-Secure in Finland.

On Friday, German police in Lower Saxony arrested the man and charged him with creating Sasser, which appeared on May 1, and three variants that appeared in subsequent days.

The arrest of the man, who has not officially been identified, followed a tip to Microsoft Deutschland from individuals who asked about the possibility of receiving a reward in exchange for information about the creator of the Sasser worm, said Brad Smith, senior vice president and general counsel at Microsoft, in a statement.

On Monday, the Associated Press quoted Frank Federau, a spokesman for the state criminal office in Hanover, Germany, saying the teenager likely programmed Sasser-E "immediately before his discovery."

Microsoft believes that the man arrested made Sasser-E, like the other variants, and released it almost simultaneously with his arrest, according to Smith.

"It's our understanding that the police have arrested the individual responsible for Sasser-E and the four previous variants," he said.

Microsoft is basing that position on statements from German authorities and from the ongoing investigation of Sasser and Netsky, he said.

Anti-virus experts say that scenario is possible, but not likely.

"It's... possible it was released by the guy they arrested... but he would have to have released it just before he got arrested, 15 minutes before the police knocked on his door," Hyppönen said.

However, the timing of the release and tidbits of information gleaned from earlier Sasser worms suggest that others may be involved with the Sasser and Netsky worms, Hyppönen said.

F-Secure learned of Sasser-E 10 hours after the arrest of the suspect, but knows of earlier reports that put the first appearance of the worm around three hours and forty-five minutes after his arrest, according to information on the F-Secure Web site.

Three hours is still a long time for a worm to circulate on the Internet without being spotted. Unless even earlier reports of the worm turn up, that time lag could cast doubt on claims that the man arrested Friday is the sole author of Sasser, Hyppönen said.

"It's... possible that somebody else released (Sasser-E) as proof that (the German man) is not the only guy, or that this guy has written some versions of Sasser but not all, or that he's admitting guilt to protect someone else," he said.

Symantec didn't receive a copy of Sasser-E until 1 a.m. Pacific Time on Sunday morning, almost two days after the arrest. The company is still analyzing data from its worldwide DeepSight Alert network of sensors to spot the first appearance of the worm, said Oliver Friedrichs, senior manager of Symantec Security Response.
