State and federal law enforcement authorities have announced a second arrest related to a variant of the Blaster computer worm. Meanwhile, security experts are watching and waiting for another virus variant to take advantage of a similar security hole in Microsoft Windows systems.
Blaster took advantage of a Remote Procedure Call (RPC) vulnerability to spread among nearly half a million machines in August, but the arrests of Minnesota’s Jeffrey Lee Parson, a Romanian man and now a juvenile in the United States involve variants of the worm that had more limited impact.
Still, authorities made it clear they are sending a message with the arrests. The crimes carry potential penalties of as many as 10 to 15 years in prison and US$250,000 in fines. “Computer hackers need to understand that they will be pursued and held accountable for malicious activity,” said a statement from U.S. Attorney John McKay.
But Gartner research vice president Richard Stiennon told TechNewsWorld that the arrests do not get authorities any closer to the author of the original Blaster worm, who may not even be aware of the apprehensions.
“These are more copycat worms where it’s pretty easy for anybody to grab the code for a worm because it’s out there,” Stiennon said. “It’s been easier for law enforcement to track them down, but it’s totally unrelated and they wouldn’t be any closer to the bad guys.”
The latest arrest involves a juvenile accused of releasing a Blaster variant known as RPCSDBOT, which orchestrated a denial-of-service (DoS) attack on Microsoft Web sites using infected machines. Authorities, who plan to charge the juvenile with delinquency violations involving computer crimes, indicated the investigation is ongoing and said they are still pursuing additional people involved in worm writing.
Blaster Writer Unknown
MessageLabs chief information security analyst Paul Wood told TechNewsWorld that the arrests could serve as a deterrent, but only at “the lower level of the virus-writer hierarchy — the script kiddies.” It’s not likely to put off the hard-core criminals, Wood said.
As the writer of the original Blaster worm remains unknown, the security community is on the lookout for a second Blaster-like worm that could take advantage of similar vulnerabilities announced by Microsoft nearly three weeks ago.
With exploit code available and the original Blaster serving as a blueprint, security experts agreed the creation of another worm would be simple. Stiennon said it is “common belief that it’s only a matter of time — at this point days if not hours.”
Wood, who said variants typically come as refinements from a worm’s original author or as spin-offs based on widely available source code published on the Internet, agreed that another Blaster would be simple to create but would be limited in impact because of updated antivirus tools.
Nevertheless, Wood said, attackers’ interest in another Blaster worm indicates there are still a significant number of unpatched, unprotected machines.
Software and Psychology
Aberdeen Group vice president Jim Hurley told TechNewsWorld that while it is becoming easier to create viruses and worms such as Blaster, the perpetrators also are advancing their ability to impact computer users and networks.
“The minds that are putting these together are getting smarter in their ability to create more impact for the codes that are designed to take advantage of published vulnerabilities,” he said.
Hurley, who referred to more successful attempts to trick users into visiting bogus Web sites or downloading malicious code from such sites, said the number of vulnerabilities published by vendors, on public mailing lists and elsewhere is continuing to rise.
The analyst also referred to the psychodynamics of how people think and work, which is being exploited along with “standard software logic” to cause more damage.