Federal officials reportedly have closed in on an 18-year-old man believed to be the author of a variant of the Blaster worm, which affected nearly half a million computers earlier this month.
An announcement of the suspect’s arrest was expected Friday in Seattle, Washington, near the headquarters of Microsoft, whose Windows operating system was the target of Blaster, its variants, and subsequent worms Nachi and SoBig.F. The Redmond, Washington-based software maker issued a warning about a widespread Windows vulnerability in the middle of July, which was quickly followed by exploit code and computer worms that took advantage of it.
As law enforcement officials continued investigations into the worms, security and antivirus experts were closely watching SoBig.F, which was set again to download unknown code from 20 Internet addresses commandeered by the virus writer.
MessageLabs chief information security analyst Paul Wood told TechNewsWorld that the unknown code is likely a trojan download, which grants control of a computer to a remote attacker. However, Wood said the Internet addresses in question likely will be shut down or isolated, and the preemptive ISP blockage of UDP port 8998 — the port on which the worm will access the trojan — probably will keep the variant contained.
“It’s unlikely it will go much further,” he said.
Blaster Suspect Caught
In the case of the Blaster.B worm, which added to Blaster’s clogging of corporate networks and e-mail servers, law enforcement officials were expected Friday to announce the arrest of an 18-year-old they believe is responsible.
Published reports indicated the teenager allegedly enhanced the original Blaster worm and was discovered when a witness saw him testing the malicious code. FBI deputy assistant director of cybercrime Jim Farnan recently told TechNewsWorld that virus writers face penalties ranging from probation to 20 years in prison and several thousand dollars in fines.
The announcement of an arrest was expected from a U.S. attorney based in Seattle. Sean Sundwall, a spokesperson for Microsoft, told TechNewsWorld that the company assists law enforcement whenever it can and is anxious to hear what happens.
“All Microsoft can do is cooperate and provide whatever information law enforcement officials feel is relevant,” Sundwall said.
While the Blaster.B suspect is not accused of unleashing the original Blaster worm, Wood said there is typically some affiliation among writers of variant worms. “Quite often, it’s usually the same people or same person involved,” he noted. “Virus writers are usually on their own or with a small, trusted group.”
A senior FBI official told TechNewsWorld that law enforcement officials are concerned by the number of different variants, which suggests “the idea that more people are participating” in writing viruses.
The FBI’s Farnan said this week that the bureau also is making progress in finding the author of the SoBig.F worm, which was called the fastest-spreading virus in computer history. The FBI subpoenaed Arizona ISP Easynews.com and informed the company that an individual had used its Usenet server to upload the SoBig.F virus on August 18th.
Wood said the seeding of a virus is the most detectable point in the process of launching one, but he added that highly skilled virus writers still can avoid being discovered.
“There is really no excuse for them to be caught if they’re doing everything properly,” he said.
Tough To Trace
Still, Wood — who said security companies such as his work with law enforcement primarily on high-profile fraud cases — referred to investigators’ brief opportunity to determine the origin of a virus or variant.
“[Virus writers] can largely avoid detection by using other people’s computers and hiding the traces,” he said. “Law enforcement has a very limited time window to track anything of this kind and this scale. Otherwise, they’ll be up against a brick wall.”
Nevertheless, FBI director Robert Mueller said in a statement earlier this week that the bureau is working with the Department of Homeland Security, state and local law enforcement to track down the perpetrators of Blaster and SoBig.
“We employ the latest technology and code analysis to direct us to potential sources, and I am confident that we will find the culprits,” Mueller said.