When indications of a worm exploiting the LSASS vulnerability in Windows surfaced April 30, the staff at Microsoft Corp.'s Security Response Center didn't hesitate; they knew exactly what to do.
Within an hour of the first reports of the worm, which would later come to be known as Sasser, Kevin Kean was on a conference call with the company's internal penetration testers, field representatives and partners in the Virus Information Alliance. The group went over details to determine whether the threat was serious enough to call out the heavy hitters and move into what's known as the “immediate response” phase.
“It was pretty clear to us at that point that this could be serious, so we decided to mobilize,” said Kean, director of the MSRC, in Redmond, Wash.
From there, the chase was on. Microsoft's internal analysts and security and forensics experts worked around the clock with the help of law enforcement officials and outside specialists to analyze Sasser code, searching for any clue that might lead them to the worm's creator. And in this case, after a week of long hours, hard work and not a little bit of luck, the effort paid off with the arrest and indictment of an 18-year-old German man who authorities say has confessed to writing not only Sasser but the Netsky family of viruses as well.
This is one of the rare cases in which a suspect was actually arrested and indicted for allegedly creating and distributing a worm or virus. More often, security experts and law enforcement officials end up banging their heads against a wall with little in the way of clues to go on. And that's part of the reason Kean and his team at Microsoft have developed a regimented quick-response program for cases such as Sasser where time is of the essence and the MSRC staff's unique expertise and experience are invaluable.
The program now in place at the MSRC has evolved over time as the nature and speed of threats on the Internet have morphed. Driving the program are checklists that assess the potential level of damage from the worm or virus and how many customers are likely to be affected. Team members practice regularly; in fact, they were in the middle of a drill when the original MyDoom worm hit.
In the Sasser case, once the decision to move into immediate-response mode was taken, Kean gathered members of the Secure Windows Initiative Attack Team in a command center. Communications and public relations teams set up in a room nearby to begin getting the word out to customers about the worm.
For most of that weekend, the technical teams pored over Sasser's code. Analysts on the team carry pagers at all times and worked in shifts throughout the event. By the end of the weekend, the team understood the worm well enough to build a cleaner tool capable of removing Sasser from infected machines.
“Making the process formal early on saved us time and confusion. Everyone knows exactly what to do,” said Kean. “Everybody involved contributes to the analysis. We share what we learn with everyone.”
At the same time, analysts were also looking for clues in the worm's code about the author's identity and/or possible motives. As it turned out, they need not have worried. While Microsoft staff and federal agents were hunting for the author's fingerprints in the Sasser code using the latest in modern tools and techniques, what eventually delivered the suspected Sasser creator to authorities was the oldest lure on earth: money.
Several days after Sasser emerged, acquaintances of the worm's suspected author contacted Microsoft officials in Germany and asked whether they'd be entitled to a reward if they handed over information on the worm's creator. Microsoft has established a multimillion-dollar fund to pay rewards to those who supply evidence leading to the conviction of a virus author, so officials told the informants they could receive up to $250,000.
After that, things moved quickly. Microsoft officials contacted German investigators as well as the FBI and told them what they knew. After interviewing the informants, officials moved in and arrested the teenager at his parents' home in Germany within 48 hours of the informants' first contact with Microsoft. By Friday, May 7, one week after Sasser first appeared, the teen was in custody.
Back in Redmond, the MSRC team was winding down its investigation and going through its post-mortem analysis on the response effort.
“The response procedure doesn't stop after the initial analysis,” Kean said. “This is the only way to learn and get any better.”