German Police Arrest 'Sasser' Programmer
May 9, 2004
They have names like "Slammer," "Blaster," or even "Sasser." Very often they're programmed by college or high school students. And even though experts see the signature of amateurs in their work, they still manage to cause billions of dollars in damage in industrial nations.
Last week it was the "Sasser" worm that wriggled its way around the world, bringing computer networks to a crawl or complete halt. The consequences: hours-long delays at British Airways. Finland's Sampo Bank took the precautionary measure of closing its 130 branches because the anti-virus software on its computers hadn't been updated yet. At the European Commission in Brussels, 1,200 computers were affected by Sasser, leading a spokesman to describe it as a "serious problem." Worse yet, the British Coast Guard was forced to abandon its electronic navigation system and instead pull out paper maps.
German police on Saturday morning arrested the suspected "cyber terrorist" believed to have foisted Sasser on the world. The 18-year-old high school student, who hails from a small town near Bremen, confessed to the crime after his arrest, officials said. Officials from the State Office of Criminal Investigation in the state of Lower Saxony first searched the home of the boy's parents before making the arrest. He was later released on bail.
Luck in misfortune
Fortunately, Sasser was one of the less harmful varieties of its species. The worm, which infected millions of computers, didn't cause any direct damage other than the fact that it made computers crash and stalled networks. "The damage is difficult to estimate because nothing has actually been destroyed in the sense of the word," said Michael Dickopf of the Federal Office for Information Technology Security (BSI). "Only companies' productivity was affected, their networks were slowed down."
Despite all the media attention it got, "Sasser" caused far less damage than its predecessors. "The situation was nowhere near as dramatic as last August, when 'Blaster' was going around," said Rainer Link of the virus protection software maker Trend Micro. And even Blaster, a so-called super worm, was more like a baby worm compared to the "Love Bug." The consulting firm Computer Economics estimates that that virus caused as much as €9 billion in damage.
But Sasser is especially sneaky: It doesn't spread itself as an e-mail attachment. Sasser instead takes advantage of a weakness in the Windows operating system to automatically install itself on unsuspecting computers. "In the worst-case scenarios, people go online and are infected within 30 seconds," Link said.
Private users are especially vulnerable to the virus. The only possibility for repairing the security hole that enables Sasser to attack is to download a software patch from the Microsoft Web site. But, complains Michael Dickopf of BSI, "most private users are lacking the security needs. They don't download those kinds of updates." Most firms, on the other hand, reacted quickly to the warning and downloaded the patch. In the end, the biggest problems were encountered at firms where the Microsoft patch was incompatible with the company network.
Competition of the worst kind
Lately, there's been an alarming trend in the increasing speed with which viruses reach their victims. "The number of attacks has increased unbelievably," said Trend Micro's Link. "It's an entirely new dimension." Worms like Sasser, which don't require the help of e-mail to spread across the Internet, have reached distribution rates that would have been unimaginable earlier.
The time span between viruses is also shrinking. "It always was a kind of competition," he said. "The virus programmers see the new anti-virus programs and then they try to get around them. That creates a whole new challenge for us." In the case of Sasser, it only took two weeks. On April 14, Microsoft issued a warning and by May 1, the worm was already attacking.