Response program has evolved

By Dennis Fisher | Posted 2004-06-07

The program now in place at the MSRC has evolved over time as the nature and speed of threats on the Internet have morphed. Driving the program are checklists that assess the potential level of damage from the worm or virus and how many customers are likely to be affected. Team members practice regularly; in fact, they were in the middle of a drill when the original MyDoom worm hit.

In the Sasser case, once the decision to move into immediate-response mode was taken, Kean gathered members of the Secure Windows Initiative Attack Team in a command center. Communications and public relations teams set up in a room nearby to begin getting the word out to customers about the worm.

For most of that weekend, the technical teams pored over Sasser's code. Analysts on the team carry pagers at all times and worked in shifts throughout the event. By the end of the weekend, the team understood the worm well enough to build a cleaner tool capable of removing Sasser from infected machines.

"Making the process formal early on saved us time and confusion. Everyone knows exactly what to do," said Kean. "Everybody involved contributes to the analysis. We share what we learn with everyone."

At the same time, analysts were also looking for clues in the worm's code about the author's identity and/or possible motives. As it turned out, they need not have worried. While Microsoft staff and federal agents were hunting for the author's fingerprints in the Sasser code using the latest in modern tools and techniques, what eventually delivered the suspected Sasser creator to authorities was the oldest lure on earth: money.

Several days after Sasser emerged, acquaintances of the worm's suspected author contacted Microsoft officials in Germany and asked whether they'd be entitled to a reward if they handed over information on the worm's creator. Microsoft has established a multimillion-dollar fund to pay rewards to those who supply evidence leading to the conviction of a virus author, so officials told the informants they could receive up to $250,000.

After that, things moved quickly. Microsoft officials contacted German investigators as well as the FBI and told them what they knew. After interviewing the informants, officials moved in and arrested the teenager at his parents' home in Germany within 48 hours of the informants' first contact with Microsoft. By Friday, May 7, one week after Sasser first appeared, the teen was in custody.

Back in Redmond, the MSRC team was winding down its investigation and going through its post-mortem analysis on the response effort.

"The response procedure doesn't stop after the initial analysis," Kean said. "This is the only way to learn and get any better."
