Govt. Explains How It Caught "Blaster" Author

 
 
By Mark Hachman  |  Posted 2003-08-29
 
 
 
U.S. law enforcement agents said the arrest of the alleged author of the "Blaster" variant sends a message to virus writers that the federal government will seek out and prosecute similar crimes.

The U.S. Attorneys office confirmed Friday afternoon that federal agents had arrested 18-year-old Jeffrey Lee Parson of Hopkins, Minn. for intentionally damaging a computer, a violation of U.S. criminal code. If prosecuted, Parson will face a maximum penalty of 10 years in federal prison and/or $250,000 in fines.

"With this arrest we want to deliver a message, here and to around the world: the DOJ takes these crimes very seriously," said U.S. Attorney John McKay, who said his office in Seattle is dedicated to fighting cybercrime..

"Let there be no mistake about it, cyber hacking is a crime," McKay added. "It harms persons, it harms individuals, it harms businesses. We will investigate, track down and prosecute cyberhackers."

Parson is being charged with modifying the original "Blaster" or "LovSan" virus and releasing it on the Intenet, infecting at least 7,000 PCs and using them as "drones" to mount a distributed denial of service (DDoS) attack, according to the complaint filed by the U.S. Attorneys office. Antivirus vendor Symantec Corp. said the worm infected over 500,000 machines, which were programmed to attack Microsofts WindowsUpdate.com web site, which Microsoft redirected in a successful bid to avoid the worm.

"We will not be deterred by national boundaries, we are never deterred by state boundaries and we will pursue people as far as we can to prosecute crimes," McKay said. How agents tracked Parson down

Although McKay said that Parson was identified through standard police work, the complaint filed by the U.S. Attorneys office describes a common methodology of seeking out and determining an online users identity. McKay described the investigation as "ongoing".

In July 2003, the Last Stage of Delirium group discovered and notified Microsoft of a potential hole in the Windows operating system. Microsoft issued a patch to fix the vulnerability, but a Chinese hacker group named XFocus reverse-engineered the patch, rediscovered the vulnerability, and developed scanning software that exploited the hole, according to the complaint. XFocus published the code to the Internet.

At or about the same time, Microsoft discovered several variants of the virus, among them the so-called Blaster.B ("W32/Lovesan.worm.b"), which renamed the executable to "teekids.exe", according to the compliant. When executed, the worm contacted the www.t33kid.com hacker site, where the machine was added to a list of infected machines. The t33kid.com site has since been taken down.

Federal agents then tracked down the domain www.t33kid.com to an ISP in Southern California, and found out the customer who leased the IP address. That customer had communicated with Parson over IRC, and subsequently discovered a related site, dl.t33kid.com. According to the complaint, Parson hosted the second site on his own PC, which agents discovered mirrored the www.t33kid.com site, including the Blaster code and list of infected computers.

Agents then resolved the dl.t33kid.com IP address, and discovered that the physical location of Parsons house, which was confirmed by Parsons cable provider, Time Warner Cable. Parson later confessed to modifying the code and holding a list of infected computers, according to the complaint.

Parson was arrested in his hometown at 8 AM this morning and transported to the courthouse, where he was formally charged, McKay said. Although the government asked a Minnesota court to hold Parson in prison before he was trial, the court ruled that house arrest was sufficient. The government seized all of the computers in Parsons house, McKay said, and Parson is being prevented from accessing the Internet. McKay said he did not know whether Parson was a student.

Although the governments formal compliant against Parson only puts the total damage at $5,000 the minimum necessary to charge an individual with malicious damage of a computer, the total damage will run into the "millions, according to Brad Smith, general counsel of Microsoft. The total cost includes technical support for customers and rebuilding its communications infrastructure.

Meanwhile, Smith said, Microsoft is working to develop stronger, more secure software thats resistant to the types of attacks Parson launched, while providing greater technical assistance to consumers, and providing more cooperation to law enforcement. "We need to keep moving forward on all three fronts," Smith said.

McKay said that, for now, Parson was being charged only with modifying and releasing the original Blaster code, and that the government had no evidence he was involved with any other derivatives of the worm or other hacking tools. However, he did say that agents were actively investigating other leads in the case.

"Its not unusual that a young individual at a young age has substantial knowledge and ability," McKay said. "But unfortunately, this has been turned to crime."

Rocket Fuel