Teen caught by own "Blaster" worm
Source: The Seattle Times
Mike Carter and Kim Peterson
Date: August 30, 2003
An 18-year-old Minnesota man charged yesterday with launching an "insidious" version of the "Blaster" worm had posted codes for other computer viruses on his Web site, urged others to use them and showed off his own successful worm.
Jeffrey Lee Parson was arrested yesterday morning at his home in suburban Minneapolis. He was charged here in federal court with one count of causing damage to a protected computer. If convicted, he faces up to 10 years in prison and fines of $250,000.
Federal officials here touted Parson's arrest at a crowded press conference, saying they hoped to deter other virus writers thinking of disrupting the Internet. "These were no cyberhandcuffs," Seattle U.S. Attorney John McKay said of Parson's capture.
Attorney General John Ashcroft said in a statement, "We will devote every resource possible to tracking down those who seek to attack our technological infrastructure."
Last year, the Justice Department obtained 75 convictions for all federal computer crimes, not just hacking or virus infections. The median prison sentence was one month, according to Transactional Records Access Clearinghouse (TRAC) of Syracuse University. In the Western district of Washington since 1993, agents have referred 52 computer crime cases to federal prosecutors. The U.S. Attorney's Office prosecuted 15 and obtained 10 convictions.
Just two of the 10 convicted were sentenced to prison, one for one year and the other for 18 months, according to TRAC.
The creator of the original "Blaster" remains unknown. McKay said the investigation is ongoing and that he was optimistic there would be more arrests.
Federal prosecutors in Minnesota asked that Parson be held without bail, but U.S. Magistrate Judge Susan Richard Nelson released the high school senior to home confinement, except for school or doctor visits. She ordered him not to use the Internet, even at school.
Earlier, federal agents seized as many as seven computers from his parents' home in Hopkins, Minn. The complaint filed in Seattle showed that Parson was hardly a mastermind of cybercrime: he named his altered version of the "Blaster" worm after himself, and did little to hide his tracks through the Internet once he launched his creation. It took agents just six days to find him.
Computer-security experts said Parson appears to be a "script kiddie," a beginner who can't create such sophisticated worms as "Blaster" but can tweak the code enough to produce a variant. The version Parson allegedly created, called the "B-variant," is essentially the same as the original but with a "Trojan horse" attachment designed to hide a more malicious virus in a seemingly benign program, according to Sharon Ruckman, a senior director at antivirus firm Symantec Security Response.
Blaster-B was designed to turn an infected army of computers into "drones," which Parson could then access at will, using them to infect others. According to the complaint, Parson may have taken over 7,000 drone computers, which were programmed to attack Microsoft's "Windows Update" Web site, which housed patches to fix flaws in software.
An estimated one million computers were attacked by various versions of the "Blaster" worm after it first appeared on Aug. 11. The complaint against Parson was filed in Seattle because the worm was designed to exploit a weakness in Microsoft's Windows XP and Windows 2000 operating programs.
Brad Smith, general counsel for Microsoft, said the "Blaster" worm attacks have cost the company at least $10 million. Thousands of other computer users, in government, business and private owners, also were victimized.
According to the complaint and interviews, Microsoft was anticipating an attack as early as last month, after a freelance group of computer scientists alerted the company to a weakness in its Windows operating system. Microsoft devised a patch for the flaw and posted it. Not long afterward, a group in China used the patch code as a blueprint to exploit the flaw and posted it on the Internet. Federal agents say that information was used to design the "Blaster" worm.
The Chinese group is under investigation. "We will not be deterred by national boundaries," McKay said.
When Parson's "Blaster" variant hit, Microsoft quickly assembled a team of about six engineers and lawyers to learn as much as they could about the worm, Smith said. In just a few hours, employees took apart the code and began picking through the data to determine how the Blaster-B differed from the original. The team sent a flurry of e-mail messages to each other, sharing updates and newly learned bits of information.
Its investigation didn't end there. The team decided to recreate an attack of the worm, and intentionally infected a clean computer. It watched as the computer found a Web site registered to Parson. "It was by intentionally infecting that we were able to then observe what happened," Smith said in an interview later. "In this place we were able to see in fact that it connected to the Web site."
Once authorities learned of Parson's Web site, they were able to track him through servers in California and Texas to his home in Minnesota.
Parson's Web site was unavailable yesterday. On a different site, he had posted a message saying he had a "pretty large" archive of Trojan horse programs on his site and gave its address.
Original article at: http://seattletimes.nwsource.com/html/localnews/2001676433_blaster30m.html