Sasser Saga Ends With Conviction of German Teen

The Sasser worm exploded onto the Internet in May 2004, taking down hundreds of thousands of computers, slowing network traffic and causing millions of dollars of damage with its automated exploitation of a flaw in Windows 2000 and Windows XP. The worm's trajectory ended Friday with a conviction and 21-month suspended sentence for Sven Jaschan, who succeeded spectacularly in what German authorities suggested was his motive -- gaining fame as a programmer.

Because Jaschan was not quite 18 when he wrote the worm, his trial was conducted behind closed doors and his sentence was much lighter than the maximum. Found guilty of computer sabotage and illegally altering data, Jaschan, now 19, could have been sentenced to five years in jail. He was also sentenced to 30 hours of community service at a hospital or home for the elderly and will not have to pay court costs.

Having admitted creating the worm at the time of his arrest in May 2004, Jaschan reiterated the confession at the beginning of his four-day trial last Tuesday in Verden, Germany.

Microsoft announced within hours of the conviction and sentence on Friday that it was paying $250,000 in reward money to two informants who the company says helped identify Jaschan. The informants were not identified, and they will share the reward, which came out of the Microsoft anti-virus reward program first announced in November 2003.

"We're pleased that the author of the Sasser worm has admitted responsibility for the damage he caused and is being held accountable," said Nancy Anderson, vice president and deputy general counsel at Microsoft. "It has been important and gratifying to collaborate with and support law enforcement in this case, and we're glad to provide a monetary reward to those individuals who provided credible information that helped German police authorities solve this case."

As with any informant program in any law enforcement or intelligence gathering effort, questions swirl about the potential complicity of the people who provided information to Microsoft and who will now share the reward. Jaschan was arrested based on a tip passed to Microsoft under the reward program. Prosecutors later said the informant was among five people under investigation as possible accomplices. Microsoft did not say whether the reward recipients were among the five people under investigation or whether they included the original informant.

Sasser got its name from a flaw it exploited in LSASS (Local Security Authority Subsystem Service). Microsoft patched the flaw in a critical security bulletin numbered MS04-011 on April 13, 2004. Likely reverse-engineered from that patch, Sasser was especially damaging because it didn't travel by e-mail but connected to victim computers through open ports, primarily Port 445. Infected computers would crash and reboot in a cycle that made them unusable.

The worm emerged on April 30, 2004, and began causing heavy damage in early May. Reported damage to government agencies and companies included:

  • U.K. Maritime and Coastguard Agency, where staff returned to manual map reading;
  • European Commission headquarters in Brussels had 1,200 PCs taken down;
  • Delta Airlines in Atlanta had seven hours of downtime, leading to the cancellation of 40 flights;
  • Australian Railcorps had to stop running trains when drivers and signalmen could no longer talk due to computer problems;
  • 400 branches of Taiwan's post office saw desktop computers crash;
  • Agence France-Presse had all satellite communications blocked;
  • Sampo Bank in Finland and its subsidiary insurance company If closed offices;
  • Goldman Sachs and Deutsche Post also reported problems.

Within the first two days of Sasser's release, Microsoft released a cleaner tool to help customers remove the worm. Shortly thereafter, Microsoft began hearing from informants and collaborating with authorities.

About a week after Sasser hit, authorities arrested Jaschan sitting at his computer in the house of his mother, who ran a computer store in Waffensen, Germany.

Under questioning, Jaschan admitted creating Sasser and a Netsky variant called Netsky.AC. According to published reports, the teen told officials his intention was to create a Netsky virus that would combat the Mydoom and Bagle viruses that were then circulating. He allegedly said that intention led him to develop Netsky further and modify it to create Sasser. There was a variant of Sasser, Sasser.E, that attempted to clean computers of other viruses, but a Wikipedia entry on Sasser notes that the variant didn't emerge until after Jaschan's arrest.

Jaschan's trial began last Tuesday with Jaschan again confessing to writing Sasser. Prosecutors had sought a two-year suspended sentence and 200 hours of community service. The defense sought one year. Both sides accepted the verdict. When authorities originally questioned Jaschan, they said they got the impression his motive was to gain fame as a programmer. In its ruling, the court found Jaschan "acted out of a need for recognition" as opposed to for commercial aims.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.