A multi-million dollar Microsoft reward program to encourage people to identify computer virus writers has led to the arrest of a teenager in Germany on suspicion of writing the Sasser computer worm. Despite the arrest, however, a new variant of the worm appeared on Sunday, according to computer security organizations.
Police in the state of Lower Saxony in northern Germany arrested an 18-year-old on Friday after a search of his parents' house in the town of Rotenburg, they said on Saturday. He has confessed to creating the Sasser worm and is also being investigated on suspicion of creating the NetSky worm, the Lower Saxony state crime office said in a statement.
Sasser is estimated to have caused trouble for thousands of computer users and to have been responsible for disruptions at American Express, Delta Air Lines and some universities.
The investigation got its big break on Wednesday this week when Microsoft Deutschland GmbH was contacted by individuals who asked about the possibility of receiving a reward in exchange for information about the creator of the Sasser worm, said Brad Smith, senior vice president and general counsel at Microsoft.
"Microsoft's investigators informed the individuals that the company would consider providing a reward of up to $250,000 if their information led to the arrest and conviction of the Sasser perpetrator," he said.
As a result of the conversation, the informants provided information to Microsoft and to local authorities in Germany. Microsoft's US headquarters was alerted to the information within minutes, and an investigation was subsequently begun by the software maker, the US Federal Bureau of Investigation (FBI), the US Secret Service and German law enforcement authorities, said Smith.
"Within 48 hours of the informants coming forward our investigators and the German police were able to identify the perpetrator of the Sasser virus and to take him into custody," he said. "This individual is responsible we believe for all four variants of the Sasser virus."
Based on the investigation police suspect the same individual may be responsible for the NetSky worm that first appeared in February.
"Ultimately there were 28 variants of the Netsky worm and the German authorities are alleging today that all of these variants are connected to the individual who they have taken under arrest," said Smith.
A connection between the Sasser and NetSky worms had already been noted by antivirus researchers. A new version of NetSky that appeared on Monday last week includes a message within its code directed at antivirus companies that claims responsibility for Sasser.
"Hey AV (antivirus) firms, do you know that we have programmed the Sasser virus?!? Yeah, that's true," the message reads, in part.
Despite the arrest the investigation into the worm continues, said Smith. However, he would not comment on any details regarding the ongoing work of Microsoft or investigators.
Microsoft launched its virus-author bounty program, initially funded with $5 million, in November last year.
"Hopefully, people will see this reward announcement as reason to come forward when they have information. The more information that people can provide to law enforcement, the more likely we will have an arrest and a conviction for a malicious code launcher," said Hemanshu Nigam, a Microsoft corporate attorney, at the time of the reward program's launch.
Speaking on Saturday, Smith said he saw the German arrests as a success for the reward program and work the company has been doing over the last year to better respond to virus threats.
"We are very pleased with this fast progress and the ability of law enforcement to arrest the perpetrator within seven days of the launch of the worm," he said.
However, despite the arrest of the suspected author of the Sasser worm, a new variant of the worm appeared on Sunday, according to computer security organizations.
This shows that there is an "organized group of delinquents" engaged in creating and distributing these worms, security specialist Panda Software SL's PandaLabs unit said in a statement.
The Sasser.E worm exploits the same Microsoft Windows LSASS vulnerability targeted by its predecessors and has already infected millions of computers, according to PandaLabs. The situation is likely to get worse when company staff return to work after the weekend, PandaLabs said in its statement.
Sasser.E searches the Internet for vulnerable computers and then copies itself to the Windows directory, leading to a system error that forces the infected computer to reboot every 60 seconds.
Security company McAfee rated the worm low risk, but noted that it attempts to confuse people trying to remove it by using the file name lsasss.exe, which is very similar to a genuine file name present on most systems.
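The lookalike file name described above is easy to miss by eye but easy to catch in code. The following is an added example, not code from the article or from McAfee, that flags file names sitting within one edit of a genuine Windows binary name; the list of protected names beyond lsass.exe and the directory listing are constructed for the example.

```python
# Genuine Windows binary names that worm droppers have imitated by name.
# lsass.exe is the one Sasser.E's lsasss.exe mimics; the others are assumed
# additions for illustration, not taken from the article.
PROTECTED_NAMES = {"lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a rolling dynamic-programming row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(name: str, max_distance: int = 1):
    """Return the genuine name that `name` imitates, or None.

    An exact (case-insensitive) match is the real binary and is never
    flagged; only near misses such as an extra letter or a swapped
    character (lsasss.exe, svch0st.exe) are reported.
    """
    lowered = name.lower()
    if lowered in PROTECTED_NAMES:
        return None
    for legit in sorted(PROTECTED_NAMES):
        if edit_distance(lowered, legit) <= max_distance:
            return legit
    return None


def flag_lookalikes(listing):
    """Scan a directory listing and return (suspect, imitated) pairs."""
    hits = []
    for name in listing:
        legit = lookalike_of(name)
        if legit is not None:
            hits.append((name, legit))
    return hits


# Constructed sample listing of a Windows directory, not from a real host.
SAMPLE_LISTING = ["explorer.exe", "lsasss.exe", "notepad.exe",
                  "svch0st.exe", "lsass.exe"]

if __name__ == "__main__":
    for suspect, legit in flag_lookalikes(SAMPLE_LISTING):
        print(f"{suspect}: imitates {legit}")
```

The genuine lsass.exe in the listing is left alone, while lsasss.exe and svch0st.exe are reported against the names they imitate.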
The same patch that protected against earlier versions of Sasser is also effective against Sasser.E, security experts said.
The Sasser.E worm also tries to remove any instances of the Bagle worm from users' computers, suggesting that there is some rivalry between the virus-writing gangs, according to PandaLabs.
"This seems to indicate that there is a kind of cyber-war being waged among the creators of the Bagle, Mydoom, Netsky and Sasser worms, and it will continue to cause many more variants of the virus," PandaLabs said in its statement.