Information Security News mailing list archives

FBI Says Teen Put Worm on Internet


From: InfoSec News <isn () c4i org>
Date: Tue, 2 Sep 2003 08:15:32 -0500 (CDT)

http://www.washingtonpost.com/wp-dyn/articles/A2306-2003Aug29.html

By Ben White and Charles Duhigg
Washington Post Staff Writers
Saturday, August 30, 2003; Page A01 

Government investigators yesterday arrested a Minnesota teenager on
charges of unleashing a version of the "Blaster" worm that snarled
Internet traffic and shut down computer systems from Maryland to
Sweden earlier this month.

FBI agents arrested Jeffrey Lee Parson, an 18-year-old high school
senior, early yesterday at the home he shares with his parents in
Hopkins, Minn. The U.S. attorney's office in Seattle, which is leading
the case, charged Parson with intentionally damaging thousands of
computers owned by Redmond, Wash.-based Microsoft Corp., other
businesses and individuals.

The 6-foot-4, 320-pound Parson -- described by a neighbor as an
academically advanced teen who often sported a Mohawk -- appeared
before a U.S. magistrate judge in St. Paul but did not enter a plea.  
He was released without posting bail and returned home. Parson's
lawyer, Lyonel Norris, an assistant federal defender for the district
of Minnesota, declined to discuss the case.

Parson did little to cover his tracks, according to the criminal
complaint. He appears to have boasted of unleashing viruses. According
to a version of his Web site, recorded by the Internet search engine
Google, Parson claimed to have created a worm called "p2p.teekid.c"  
that was spread by people using popular services such as Kazaa and
iMesh, which are used by millions of people to share songs, video and
movie files. Parson used the pseudonym "Teekid" online, according to
prosecutors. The site contained no references to Blaster, however.

Prosecutors alleged that Parson modified the existing Blaster virus,
which began circulating on the Internet on Aug. 11, and unleashed his
own, more insidious version known as Blaster.B, among other names.  
Computer security experts suggested yesterday that Parson probably
downloaded the original worm and simply added a bit more code.

The magistrate judge yesterday ordered that Parson be subject to house
arrest and denied access to the Internet. He faces up to 10 years in
prison and a $250,000 fine if convicted.

"With this arrest we want to deliver a message to cyber criminals here
and around the world that the Department of Justice takes these crimes
seriously," U.S. Attorney John McKay said at a news conference in
Seattle. Homeland Security Secretary Tom Ridge issued a statement
praising the arrest.

McKay said his office is still trying to find the author of the
original Blaster.

According to a criminal complaint, the trail to Parson picked up
quickly after federal investigators found a Web address --
www.t33kid.com -- embedded in the Blaster.B worm's program.

Federal agents subpoenaed California Regional Internet Inc., the owner
of the Internet protocol address corresponding to the Web site, to
determine who had registered the site. They found Brian Davis of
Watauga, Tex.

Davis told authorities that he controlled the computer hosting
www.t33kid.com, but the Web site had been set up and was operated by a
user named "teekid." Davis corresponded electronically with "teekid"  
and provided information to federal authorities that led them to
another Web site maintained by the same user, hosted on a home
computer. Using public databases, authorities tracked the computer to
the Parson home.

Authorities with a warrant searched the Parson home on Aug. 19,
seizing seven computers that are undergoing forensic analysis.  
According to the complaint, Parson admitted to federal agents during
the search of his house that he modified the Blaster worm.

"He's your average high school kid who likes to play with computers, a
good kid. I've never known him to get in any trouble at all," said a
neighbor, Curtis Mackey. "He's definitely not trying to hurt anybody."

The original Blaster exploited a flaw in a part of Microsoft's Windows
operating system, which runs more than 90 percent of the world's
personal computers, that allows data files to be shared across
computer networks. The fast-moving virus crippled computers around the
globe, forcing the Maryland Motor Vehicle Administration to shut down
on Aug. 12. Prosecutors allege that Parson's version infected at least
7,000 computers, which were instructed to attack Microsoft's Web site.

At the news conference in Seattle, Microsoft general counsel Brad
Smith said all the versions of Blaster had cost the company tens of
millions of dollars. McKay said the amount of damage Blaster.B did was
significant but declined to elaborate.

Blaster is one of a handful of viruses that have plagued home computer
users and businesses this summer and stoked fear that ever-more-savvy
hackers could launch attacks that could cripple an economy that
increasingly relies on e-mail and Internet access to conduct business.

Last week, officials in the United States and Canada raced to blunt
the effects of Sobig.F, a new strain of a virus that has infected
computers since January. Investigators said code in Sobig.F instructed
infected computers to contact one of 20 other computers to download
instructions for another possible cyber attack.

"A lot of the power of viruses that experts have been warning about is
now being unleashed," said Aviel Rubin, a professor at the Johns
Hopkins University Information Security Institute. "The combination of
vulnerable platforms, such as Microsoft's Windows, combined with
clever virus writers, is leading to an Internet that is quickly going
to make using computers a lot less efficient."

The Blaster worms, unlike some previous viruses, do not require users
to open e-mail attachments to spread. Instead, they propagate through
the Microsoft vulnerability. Experts at computer security firm
Symantec say infection rates of the various versions of the Blaster
worms peaked a little over a week ago, infecting a total of 1.2
million machines to date.

Some computer security experts cautioned that Parson's arrest probably
won't reveal the identity of the worm's original authors. "Blaster was
a sophisticated and complex worm," said Sharon Ruckman, senior
director at Symantec Security Response. "Whoever wrote it may be
clever enough that we can't track them down."

This case illustrates how easy it is for relatively inexperienced
users to launch computer attacks using tools created by others, and
how easily worms and viruses can spread, experts said.

"Whoever developed the Blaster worm had to know how to write effective
code," said Ken Dunham, malicious code intelligence manager for
Reston-based iDefense Inc. "Anyone after that could have spread it
without much technical ability."

Experts estimate there are more than 30,000 Web sites containing virus
programs and tools for launching attacks.

In 2001, a 21-year-old in the Netherlands created the Anna Kournikova
virus after downloading a "worm generator" program from the Internet
that allows users to create viruses by making choices from pull-down
menus, Dunham said.

The virus infected hundreds of thousands of computers. The code's
author was apprehended and eventually sentenced to 150 hours of
community service by a Dutch court.

Washingtonpost.com staff writer Brian Krebs and researcher Richard
Drezen contributed to this report.



