When indications of a worm exploiting the LSASS vulnerability in Windows surfaced April 30, the staff at Microsoft Corp.s Security Response Center didnt hesitate; they knew exactly what to do.
Within an hour of the first reports of the worm, which would later come to be known as Sasser, Kevin Kean was on a conference call with the companys internal penetration testers, field representatives and partners in the Virus Information Alliance. The group went over details to determine whether the threat was serious enough to call out the heavy hitters and move into whats known as "immediate response" phase.
"It was pretty clear to us at that point that this could be serious, so we decided to mobilize," said Kean, director of the MSRC, in Redmond, Wash.
From there, the chase was on. Microsofts internal analysts and security and forensics experts worked around the clock with the help of law enforcement officials and outside specialists to analyze Sasser code, searching for any clue that might lead them to the worms creator. And in this case, after a week of long hours, hard work and not a little bit of luck, the effort paid off with the arrest and indictment of an 18-year-old German man who authorities say has confessed to writing not only Sasser but the Netsky family of viruses as well.
This is one of the rare cases in which a suspect was actually arrested and indicted for allegedly creating and distributing a worm or virus. More often, security experts and law enforcement officials end up banging their heads against a wall with little in the way of clues to go on. And thats part of the reason Kean and his team at Microsoft have developed a regimented quick-response program for cases such as Sasser where time is of the essence and the MSRC staffs unique expertise and experience are invaluable.