On Blasters Trail
In July 2003, the Last Stage of Delirium group discovered and notified Microsoft of a potential hole in the Windows operating system. Microsoft issued a patch to fix the vulnerability, but a Chinese hacker group named XFocus reverse-engineered the patch, rediscovered the vulnerability and developed scanning software that exploited the hole, according to the complaint. XFocus published the code to the Internet. At or about the same time, Microsoft discovered several variants of the virus, among them the so-called Blaster.B ("W32/Lovesan.worm.b"), which renamed the executable to "teekids.exe," according to the compliant. When executed, the worm contacted the www.t33kid.com hacker site, where the machine was added to a list of infected machines. The t33kid.com site has since been taken down.Agents then resolved the dl.t33kid.com IP address and discovered that the physical location of Parsons house, which was confirmed by Parsons cable provider, Time Warner Cable. Parson later confessed to modifying the code and holding a list of infected computers, according to the complaint. Parson was arrested in his hometown at 8 a.m. Friday and transported to the courthouse, where he was formally charged, McKay said. Although the government asked a Minnesota court to hold Parson in prison until his trial, the court ruled that house arrest was sufficient. The government seized all the computers in Parsons house, McKay said, and Parson is being prevented from accessing the Internet. McKay said he didnt know whether Parson was a student. Although the governments formal compliant against Parson only puts the total damage at $5,000, the minimum amount necessary to charge an individual with malicious damage of a computer, the total damage will run into the "millions," according to Brad Smith, general counsel of Microsoft. The total cost includes technical support for customers and rebuilding the companys communications infrastructure. Meanwhile, Smith said, Microsoft is working to develop stronger, more secure software thats resistant to the types of attacks Parson launched, while providing greater technical assistance to consumers, and providing more cooperation to law enforcement. "We need to keep moving forward on all three fronts," Smith said. McKay said that, for now, Parson is being charged only with modifying and releasing the original Blaster code, and that the government has no evidence he was involved with any other derivatives of the worm or other hacking tools. However, he did say that agents are actively investigating other leads in the case. "Its not unusual that a young individual at a young age has substantial knowledge and ability," McKay said. "But unfortunately, this has been turned to crime." Discuss this in the eWeek forum.
Federal agents then tracked down the domain www.t33kid.com to an ISP in Southern California and found out the customer who leased the IP address. That customer had communicated with Parson over IRC, and subsequently discovered a related site, dl.t33kid.com. According to the complaint, Parson hosted the second site on his own PC, which agents discovered mirrored the www.t33kid.com site, including the Blaster code and a list of infected computers.