Even as Microsoft and law enforcement authorities celebrated the arrest of a German teenager believed to be the mastermind behind the malicious Sasser worm, anti-virus firms have quarantined yet another mutant attacking vulnerable Windows users.
Over the weekend, Microsoft announced the arrest of an unidentified 18-year-old in connection with the creation and distribution of the Sasser worm that exploits a flaw in the Local Security Authority Subsystem Service (LSASS), but the new development does not end the threat.
According to anti-virus specialist Symantec, a new variant (W32.Sasser.E.Worm) has appeared and is exploiting the LSASS vulnerability described in Microsoft’s MS04-011 patch. Sasser.E, which is being widely distributed, spreads by scanning randomly selected IP addresses for vulnerable systems. “W32.Sasser.E.Worm can run on, but not infect, Windows 95/98/Me computers. Although these operating systems cannot be infected, they can still be used to infect vulnerable computers,” Symantec warned.
Symantec said the latest variant contains code that mentions the unrelated NetSky worm, prompting speculation among security experts that more arrests are imminent. According to Sophos, there is enough information to believe that the gang responsible for distributing the Sasser worm may also be responsible for Netsky, which has been infecting computer users for most of this year.
Sophos technology consultant Graham Cluley described the emergence of Sasser as the “most significant virus attack of 2004” and said the arrest of a suspect could provide “vital clues which may break open the underground worm-writing network which has been responsible for not only Sasser, but the Netsky worms too.”
“If you scrutinize the most recent Netsky worm, you can see that the author embedded a taunt to anti-virus companies, bragging that he also wrote the Sasser worm. All these worms have been highly disruptive and complex, suggesting that the author isn’t working alone. We would not be surprised if more arrests follow in due course.”
Microsoft general counsel Brad Smith said the arrest of the high school student resulted from a coordinated enforcement effort involving multiple agencies on two continents. On a conference call with reporters, Smith hailed the company’s Antivirus Reward Program as the catalyst for the information that led to the teenager’s arrest.
“Aware of this program, individuals in Germany approached Microsoft investigators this past Wednesday on May 5th. These individuals offered to our investigators to provide information about the creator of the Sasser virus and they inquired about their potential eligibility for a reward under our program…Microsoft’s investigators informed the individuals that the company would consider providing a reward of up to $250,000 if their information led to the arrest and conviction of the Sasser perpetrator. Following this discussion, the individuals provided information to Microsoft and to local authorities in Germany,” Smith explained.
“Within 48 hours of the informants coming forward our investigators and the German police were able to identify the perpetrator of the Sasser virus and to take him into custody. This individual is responsible we believe for all four variants of the Sasser virus.”