Microsoft pays $250,000 bounty to catch Netsky/Sasser author

April 8th, 2008

Book Excerpt
Chapter 4
Pages 52- 59

Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity 2008 by Byron Acohido and Jon Swartz, Union Square Press, Sterling Publishing Co. ISBN- 13: 978-1-4027-5695-5

Virus Wars

Subject: Hi

So began the Virus Wars of 2004. It would pit the new breed of for-profit virus writers against an idealistic German teenager. Collateral damage would reverberate around the globe: tens of millions of PCs compromised; hospitals, banks, and transportation systems briefly knocked out. The world would never be the same. After 2004, hacking would become almost exclusively a for-profit criminal exercise, and the Internet-the emergent information superhighway-would become a thoroughfare of thieves.
It would start with an innocuous-looking sliver of e-mail moving across the Internet in Australia and New Zealand on January 19, 2004, a Monday morning. It was the beginning of a new workweek. Windows PC users in the Southern Hemisphere logged on to company computers and began absentmindedly cleaning out e-mail in-boxes left dormant over the weekend. Thousands hastily clicked open the e-mail marked “Hi” and read this message:

Test =)


Test, yep.

Lulled into thinking this was some sort of techie-looking test required for one vague reason or another, many took the next step and clicked on the attached icon, a Windows calculator, with the file name:


A functioning calculator, indeed, popped up on the screen. Unseen, a virus, dubbed Bagle.A, went to work. Bagle.A efficiently replicated itself to every e-mail address it could find on the infected PC and quietly opened a back door through which the intruder could return later and install a proxy server. After spreading for two weeks, Bagle.A-like the early variants of SoBig-went dormant.
On January 26, a much more aggressive e-mail virus grabbed the spotlight in America. Craig Schmugar was one of the first to see it spreading. A virus research manager at McAfee’s Anti-Virus Emergency Response Team Labs near San Francisco, Schmugar christened the virus Mydoom, after spotting the word “mydom,” short for “my domain,” in the virus code. “It was evident early on that this would be very big,” Schmugar told editor Jennifer Barrett. “I thought having ‘doom’ in the name would be appropriate.”
Mydoom’s author created many flavors; the virus poured into e-mail in-boxes using one of a variety of subject headers:





server report

mail delivery system

mail transaction failed

And the pretense to get a PC user to click on the viral attachment was much more refined than Bagle.A’s silliness:

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment


The message contains Unicode characters and has been sent as a binary attachment.


Mail transaction failed. Partial message is available.

Clicking on Mydoom’s attachment did more than let loose the standard address finder and e-mailing engine; it also implanted a copy of the virus on any shared Kazaa directories. Kazaa is a music-sharing service popular with teenagers and young adults. Anyone downloading music from the infected directory would also get the virus.
The virus also mixed and varied the extension of its attachments. Instead of using “text.exe,” for instance, it would use “test.txt.pif” or “,” a ploy to slip through e-mail system filters set to block potentially hostile files. And to lower the odds of early detection, it did not send itself to e-mail addresses of government agencies, the military, or anyone at Microsoft.
While Bagle.A came and went and was barely noticed, Mydoom flooded e-mail systems like no other virus, sweeping around the globe in record time. In less than twenty-four hours, e-mail management company MessageLabs blocked more than 1 million viral e-mails, one in every twelve e-mails handled.
Mydoom also propped open a back door and planted a bot; each bot carried the same instructions: launch a DDoS attack against on February 1. The targeted Web site belonged to the SCO Group, a supplier of Unix computer systems and scourge of the Linux community. SCO had incurred the wrath of Linux supporters by suing IBM and Novell for donating code to Linux-code SCO claimed it partially owned.
SCO drew more ill will from the Linux crowd by posting a $250,000 reward for information leading to the arrest of Mydoom’s creator. No one ever collected the reward, and on February 1, right on schedule, legions of Mydoom bots assaulted, forcing it to shut down for two weeks.
While Mydoom grabbed headlines, Bagle’s author quietly prepared for a long-run assault. On February 17, the Bagle camp upped the ante. Bagle.B appeared on the Internet in Poland and spread to sixty-six countries in less than twenty-four hours. Taking a page from SoBig, it included instructions to self-expire in two weeks, foreshadowing improved variants to come.
As antivirus companies scrambled to thwart the twin attacks of Mydoom and Bagle, a third potent e-mail virus debuted on February 17. It was quickly named Netsky, a twist on a reference in the virus code to “Skynet,” the villainous computer network in the Terminator movies starring Arnold Schwarzenegger.
Netsky incorporated just about every trick in the book. It arrived with a variety of subject lines and message texts; it replicated to all addresses found on the hard drive; it sought out shared links with corporate servers; it infected the file-sharing directories of the music download services Kazaa, BearShare, and LimeWire; and it used attachments with double extensions, such as



sex sex sex sex.doc.exe

hardcore porn.jpg.exe

Upon clicking on Netsky’s viral attachment, the user would get this error message:

The file could not be opened!

Virus hunters had seen all of these techniques before. Netsky rather brilliantly combined them all. But the most distinctive thing about Netsky was its prime directive to clean out Mydoom infections. At its core, Netsky appeared to be an antivirus virus. Any doubts about this were put to rest by these cryptic messages woven into Netsky’s coding:

<-<- we are the skynet – you can’t hide yourself! – we kill malware writers (they have no chance!) – [LaMeRz–>] MyDoom.F is a thief of our idea! – -< SkyNet AV vs. Malware >–>->
#T#h#i#s# #i#s# #t#h#e# #[#W#3#2#.#S#k#y#n#e#t#.#c#z#]# #A#n#T#i#V#i#R#u#S# #-# #w#e# #w#a#n#t# #t#o# #k#i#l#l# #m#a#l#w#a#r#e# #w#r#i#t#e#r#s#!#

By his own account, as told to the German news magazine Stern, Sven Jaschan describes himself as a shy, quiet teenager, who eschewed partying and drinking. In January 2004, while attending computer science classes at a vocational high school in Rotenburg, Germany, Jaschan says he began discussing Mydoom with his school chums. Jaschan was fascinated. Here was a program, whose name everyone knew, reproducing itself at an incredible rate. Wouldn’t it be a crazy idea if someone could write something that reproduced just as quickly and deleted Mydoom? That person would become a self-anointed avenger, a hero.
Jaschan took the challenge upon himself. He spent all of his free time the next three weeks, up to ten hours a day, hunched over his computer in the basement of his parents’ home in the idyllic village of Waffensen. Swigging seltzer and listening to MTV and its German equivalent, VIVA, blaring on a TV set nearby, Jaschan researched e-mail viruses and began to craft Netsky. It would take 2,000 lines of code.
Jaschan told the Stern reporters that his siblings and school chums knew what he was up to. “They even encouraged me to add something that would cause damage, but that was never what I wanted,” claims Jaschan in the Stern article. Soon all the students in Jaschan’s class knew what he was doing; Jaschan even claims that some of them helped him distribute Netsky. “It was just great how Netsky began to spread, and I was the hero of my class,” he told Stern.
Graham Cluley, senior technology consultant at antivirus firm Sophos, can relate to the buzz Jaschan felt. As a college student back in 1991, Cluley won notoriety as the author of the free, text-based video games Jacaranda Jim and Humbug. He picked up spending cash soliciting donations from fans of his games, which happened to include Alan Solomon, creator of one of the early antivirus programs. Cluley took a job at Solomon’s start-up company, and headed off into a career as a virus hunter.
“It’s a shame that someone with obvious computer skills should turn to writing computer viruses to increase their self-esteem, rather than doing something positive like developing computer games or an innovative Web site,” says Cluley.
Jaschan could not have imagined the scale of the virus war he would instigate. As Netsky drew attention, the Mydoom camp sought to regain the spotlight by issuing variants that corrupted Microsoft Office documents and launched a DDoS attack against the Recording Industry Association of America. RIAA had drawn hostility for suing people caught swapping music online.
Over in the Bagle camp, the arrival of Netsky appeared to disrupt carefully laid plans to release a barrage of Bagle variants moving at least partly in the shadow of the headline-grabbing Mydoom. With Netsky on the scene, competition for vulnerable computers to infect had suddenly intensified. Soon Bagle began attacking Netsky, forcing Netsky to retaliate. What started as a Netsky versus Mydoom war evolved into mortal combat between Netsky and Bagle, with Netsky cleaning up Bagle variants as fast as the Bagle camp could put out new ones. Buried deep inside Bagle.J, virus hunters found this cry of frustration:

Hey, NetSky, fuck off you bitch, don’t ruine our business, wanna start a war?
Through the months of March and April, Jaschan would release twenty-nine variants of Netsky, as many as five in one week, counterattacking the latest Mydoom and Bagle variants. As April drew to a close, he began looking for a way to separate himself from the pack and vanquish Mydoom and Bagle for good. He got the germ of an idea on April 13, when Microsoft issued a security patch that sent red flags fluttering throughout the tech community.

What caught Jaschan’s eye was a patch to fix something called Local Security Authority Subsystem Service, or LSASS, a Windows component designed to manage security and authentication. The LSASS vulnerability looked like a repeat of the RPC security hole. It was just the previous summer, in July 2003, that Microsoft had released the RPC patch and seen its worst fears come to fruition in the form of the MSBlast worm, the infection that spread to 25 million Windows PCs worldwide.
Was history about to repeat itself? On April 25, Jaschan paid close attention when a Russian hacking group, known as House of Dabus, posted a proof of concept LSASS exploit on a French Web site. The exploit laid out programming code crafted to overwhelm the LSASS hole and take control of vulnerable Windows XP and Windows 2000 computers. “At that point, anyone with minimal programming skills could go and build a worm to hack into machines,” says Johannes Ullrich, chief technology officer of the SANS Institute Internet Storm Center.
Thursday, April 29, happened to be Jaschan’s eighteenth birthday. After returning home from a celebration with friends, he descended into his basement cubby and put the finishing touches on a self-propagating worm using the House of Dabus’s exploit. Just sixteen days had gone by since Microsoft released the LSASS patch. Hardly anyone had applied the patch. Jaschan set his worm loose on the Internet and went to bed.
Virus hunters first spotted the worm on the move on Friday, April 30, and christened it Sasser. Crudely written, Sasser soon gathered momentum and began to spread faster-and then too fast. The worm spread so rapidly that it caused infected machines to reboot constantly. From his basement, Jaschan tried to correct the problem by releasing Sasser.B, Sasser.C, and Sasser.D, but things only got worse. Within forty-eight hours, Sasser infected at least 1.3 million PCs. In particular, it wreaked havoc with groups of PCs linked together in Windows-based local area networks commonly used in businesses around the globe. Jaschan hoped Sasser would be his coupe de grace to wipe out Mydoom and Bagle. Instead it would lead authorities to his basement lair.
Because much of Asia and Europe was heading into a three-day weekend to celebrate May Day, many companies were operating with skeleton tech-service crews.
Sasser halted rail service in Australia, paralyzed a third of Taiwan’s post office, forced Finland’s Sampo Bank to shut down 130 branches, and prompted Delta Air Lines to cancel several transatlantic flights. Because its effects were so blatant, it spurred other businesses and consumers to install Microsoft’s LSASS patch right away. It also made Sven Jaschan a marked man.
Following the spread of MSBlast and SoBig, Microsoft had announced in the fall of 2003 that it was setting aside $5 million in reward money for the capture of notorious virus writers. A $250,000 prize awaited anyone who provided information leading to the arrest and conviction of the author of MSBlast, SoBig, or Mydoom. On May 5, two of Jaschan’s school chums contacted Microsoft’s German office and inquired whether a similar bounty might be available for information that led to Sasser’s author. When Microsoft assented, they fingered Jaschan.
Police arrested young Sven in his home on May 7. Reporters swooped in. Sabine Jaschan, his stepmother, told a reporter for RTL News, “About four months ago he was over here for a visit and said, ‘Papa, I’ve put out a computer worm.’ And then my husband said, ‘Sven, you didn’t do anything stupid, did you?’ He just kind of laughed nervously.”
Jaschan confessed to creating Sasser and Netsky. At a hearing more than a year after his arrest, Jaschan received a sentence of twenty-one months on probation and thirty hours of community service, based largely on the fact that most of his virus writing was done before he turned eighteen. Shortly thereafter, Microsoft paid his two school chums, who for a time were investigated as suspected accomplices, $250,000.
“He said he really wanted to develop an antidote to the virus,” Rainer Jaschan, Sven’s father, told reporters. “He said he didn’t want to cause any damage.”