Teenager arrested in Blaster worm case

A Minnesota teenager will appear in federal court in St. Paul Friday to face charges stemming from the release of a variant of the virulent W32.Blaster Internet worm that ravaged computer systems worldwide earlier this month.

Jeffrey Lee Parson, 18, of Hopkins, Minnesota, was arrested by federal law enforcement Friday morning, according to FBI spokesman Bill Murray.

He will appear before federal magistrate Judge Susan Richard Nelson Friday at the James R. Dougan Federal Building in St. Paul, Minn., according to Deputy Clerk Mike Chutich.

Parson was tracked down by a joint federal task force that involved members of the FBI and U.S. Secret Service, Murray said.

According to a complaint filed at the court, Parsons will face one count of intentionally causing or attempting to cause damage to a protected computer in connection with the release of W32.Blaster-B, a variant of the original W32.Blaster-A worm.

That variant appeared on Aug. 14, three days after Blaster-A first appeared, and was nearly identical to the original blaster worm. However, Blaster-B used a different file name, teekids.exe, as opposed to msblast.exe, according to antivirus company Sophos.

Teekid was also an online handle used by Parsons, according to the complaint, which was filed in the Western District of Washington in Seattle, according to Chutich.

The complaint lays out Parson’s role in modifying the original Blaster worm and releasing the Blaster-B variant, as well as the process law enforcement used to track the virus back to Parsons.

The FBI and other law enforcement officials declined to provide more information about the case or the identity of the teenager.

The FBI and the U.S. Attorney’s Office scheduled a press conference for Friday afternoon regarding the worm, according to U.S. Attorney John Hartingh in the U.S. Attorney’s Office for the Western District of Washington in Seattle.

Further details about the case will be presented then, Hartingh said.

A copy of the complaint obtained by IDG News Service indicates that federal law enforcement first got on the trail of Blaster-B’s author by tracking down ownership of an Internet domain, t33kid.com, that the Blaster-B worm used to download instructions and report on infected hosts.

That chase led from a San Diego, Calif., Web wholesale ISP, California Regional Internet, to a small Web hosting provider in Watauga, Texas, and, from there, to ISP Time Warner Cable, which provided Parson’s father’s home broadband account in Minnesota.

Time Warner provided the FBI with the location of Parson’s home in Hopkins and federal agents raided that home on Aug. 19, seizing seven computers from the house, according to the complaint.

The results of a forensic analysis of those computers are still pending, but the complaint says that during an interview that day, Parson admitted to modifying the Blaster worm and creating the Blaster-B worm variant, naming it “teekids.exe” after his online name.

Parson further admitted to outfitting the new worm with a backdoor Trojan program, named “Lithium” so that he could reconnect to infected computers.

Blaster-A first appeared on Aug. 11 and exploited a widespread vulnerability in Microsoft’s Windows operating system.

The worm takes advantage of a known vulnerability in a Windows component called the Distributed Component Object Model interface, which handles messages sent using the Remote Procedure Call protocol.

Vulnerable systems can be compromised without any interaction from a user, which helped Blaster spread quickly on machines running the Windows XP and Windows 2000 operating systems.

At the height of the Blaster outbreak, the worm was credited with shutting down the Maryland Motor Vehicle Administration.

Virus experts were surprised that an arrest was pending, citing the difficulty in tracing computer viruses back to their author.

“I think it gets back to how they caught him,” said Chris Wraight, a technology consultant at Sophos. “It wasn’t digital forensics, but the human intelligence. The did it the old fashioned way, with human intelligence.”

However, Wraight was not surprised to learn that the suspect in the Blaster-B case was a teenager.

He and others long maintained that Blaster’s blatant copying of proof-of-concept code for using the RPC vulnerability, known as the DCOM exploit, meant that Blaster was the work of a novice virus writer, rather than a pro.

The alleged modification of that code by Parson is typical, Wraight said.

“This clearly shows what happens in the virus world – people take and modify other people’s code and try to one up each other. But most of these guys are not too swift and they get caught because of an error,” Wraight said.

While most worm authors are careful to cover their tracks and escape capture, those who are caught face toughened computer crime laws in the U.S. and Europe, he said.

In July, for example, a U.K. court rejected an appeal by 22-year-old Simon Vallor, who was sentenced to two years in prison for writing and releasing three e-mail worms.

In less developed countries, however, there are few laws governing cyber crimes, Wraight said.

The author of one of the most destructive viruses, LoveBug, never faced charges because the Philippines lacked laws on its books to prosecute him, he said.

Parson will be charged with violating U.S. Title 18, section 1030. If found guilty, he could face between five and 20 years in prison and be asked to pay “thousands of dollars” in damages, Murray said.

No specific damages figures were available for the Blaster-B variant, but the complaint refers to more than 7,000 computers being infected with the Blaster-B variant.

In addition, the complaint includes statements by Microsoft representatives that the company “expended significant internal and external (contracted) resources to respond to the distributed denial of service (DDoS) attack launched by Parson’s worm against the windowsupdate.com site, far in excess of $5,000.