A series of arrests in Germany for alleged computer virus creation is likely to deter casual virus writers, but worms and variants will continue to appear, and the most hardened computer criminals will probably become more careful rather than be quelled by the arrests, according to security experts.
The biggest arrest came last Friday when Microsoft announced it had worked through its virus-writer reward program to assist German authorities in apprehending an 18-year-old suspect who has since confessed to writing the Sasser worm and a series of Netsky worms. A separate arrest in Germany involved the smaller Agobot worm. While officials indicated the arrests were not related, virus fighters and security experts agreed that one virus writer’s arrest can often lead to others.
In addition, the potential US$250,000 payday for those who helped Microsoft and law enforcement in apprehending the alleged Sasser author might lead more malware-community members to turn in their own and also might deter those contemplating the launch of a virus.
However, despite hope that the latest arrests will dampen the amount of malicious code unleashed on the Internet, experts indicated that organized crime and the most hardcore virus writers are unlikely to stop their activities.
“It’s not going to deter everybody, but if Microsoft and law enforcement can get a conviction, it will greatly help,” iDefense malicious code director Ken Dunham told TechNewsWorld.
Start to the Stem
Dunham said it is not surprising to see arrests of alleged virus writers in Germany. He indicated that Germany, Russia, Pakistan and India are known virus hotspots that are regularly monitored for malicious code activity.
Dunham said he hopes the arrests will curb the “never-ending worm war” of 2004.
“I don’t believe that authorities have been able to nab all the bad guys in this worm war, but this is a great start,” he said. “It’s one step closer to making them feel like the big club of law enforcement agencies is going to come banging on their door.”
The war Dunham referred to arose earlier this year when the authors of the Netsky, Bagle and MyDoom worms — and their variants — included verbal spars against one another inside the virus code itself. The 18-year-old arrested in Germany reportedly has confessed not only to working on the Sasser worm, but also to contributing to more than 25 Netsky variants.
Dunham said he would not be surprised if there were multiple authors behind the Sasser worm family because the different versions vary so much. He also said the original virus code might have been hijacked and modified after the first variant emerged.
He added that the recent leak of Phatbot and Gabot code to the Internet’s underground network of virus writers might have aided authorities in their hunt for virus authors.
Dunham said one virus arrest is likely to lead to more, because law enforcement has a history of leveraging arrests in such crimes.
“It would not surprise me to see authorities maximize what’s taking place out there with other bad guys by working with [those arrested],” he noted.
Catching and Curtailing
Gartner research vice president Richard Stiennon told TechNewsWorld that the recent arrests are likely to deter low-level virus writers.
“It’s a good thing, and I hope it will curtail other casual hackers from doing this sort of thing,” he said. “That’ll be a huge inducement,” he added, alluding to the possible $250,000 reward if the German teen is convicted.
Stiennon said he was not surprised that the Sasser suspect turned out to be a teenager, because the worm had limited success and an ineffective payload.
Dunham praised law enforcement and international authorities for their success — but, at the same time, he is working on and watching the spread of a new virus that began circulating rapidly Tuesday morning.
Antivirus vendor Trend Micro rated the Wallon worm a medium threat right away. The mass-mailing worm, which takes advantage of two known Microsoft vulnerabilities, was spreading across Germany, the rest of Europe, the Middle East and Asia early this week, according to Trend.