August 29, 2003
Feds Send Message With Blaster Arrest
By Mark Hachman

The arrest of the alleged author of the Blaster worm sends a message to virus writers that the federal government will seek out and prosecute such crimes, so say U.S. law enforcement agents.

The U.S. Attorney's office confirmed Friday afternoon that federal agents have arrested 18-year-old Jeffrey Lee Parson of Hopkins, Minn., for intentionally damaging a computer, a violation of U.S. criminal code. If prosecuted, Parson will face a maximum penalty of 10 years in federal prison and/or $250,000 in fines.

With this arrest we want to deliver a message, here and around the world: The DOJ takes these crimes very seriously, said U.S. Attorney John McKay, who said his office in Seattle is dedicated to fighting cybercrime.

Let there be no mistake about it, cyber-hacking is a crime, McKay added. It harms persons, it harms individuals, it harms businesses. We will investigate, track down and prosecute cyber-hackers.

Parson is being charged with modifying the original Blaster, or LovSan, virus and releasing it on the Intenet, infecting at least 7,000 PCs and using them as drones to mount a distributed denial-of-service (DDoS) attack, according to the complaint filed by the U.S. Attorney's office. Anti-virus vendor Symantec Corp. said the worm infected over 500,000 machines, which were programmed to attack Microsoft Corp.'s WindowsUpdate.com Web site; Microsoft successfully redirected the attack.

We will not be deterred by national boundaries, we are never deterred by state boundaries, and we will pursue people as far as we can to prosecute crimes, McKay said.

Although McKay said that Parson was identified through standard police work, the complaint filed by the U.S. Attorney's office describes a rather mundane methodology of seeking out and determining Parson's identity. McKay described the investigation as ongoing.

In July 2003, the Last Stage of Delirium group discovered and notified Microsoft of a potential hole in the Windows operating system. Microsoft issued a patch to fix the vulnerability, but a Chinese hacker group named XFocus reverse-engineered the patch, rediscovered the vulnerability and developed scanning software that exploited the hole, according to the complaint. XFocus published the code to the Internet.

At or about the same time, Microsoft discovered several variants of the virus, among them the so-called Blaster.B (W32/Lovesan.worm.b), which renamed the executable to teekids.exe, according to the compliant. When executed, the worm contacted the www.t33kid.com hacker site, where the machine was added to a list of infected machines. The t33kid.com site has since been taken down.

Federal agents then tracked down the domain www.t33kid.com to an ISP in Southern California and found out the customer who leased the IP address. That customer had communicated with Parson over IRC, and subsequently discovered a related site, dl.t33kid.com. According to the complaint, Parson hosted the second site on his own PC, which agents discovered mirrored the www.t33kid.com site, including the Blaster code and a list of infected computers.

Agents then resolved the dl.t33kid.com IP address and discovered that the physical location of Parson's house, which was confirmed by Parson's cable provider, Time Warner Cable. Parson later confessed to modifying the code and holding a list of infected computers, according to the complaint.

Parson was arrested in his hometown at 8 a.m. Friday and transported to the courthouse, where he was formally charged, McKay said. Although the government asked a Minnesota court to hold Parson in prison until his trial, the court ruled that house arrest was sufficient. The government seized all the computers in Parson's house, McKay said, and Parson is being prevented from accessing the Internet. McKay said he didn't know whether Parson was a student.

Although the government's formal compliant against Parson only puts the total damage at $5,000, the minimum amount necessary to charge an individual with malicious damage of a computer, the total damage will run into the millions, according to Brad Smith, general counsel of Microsoft. The total cost includes technical support for customers and rebuilding the company's communications infrastructure.

Meanwhile, Smith said, Microsoft is working to develop stronger, more secure software that's resistant to the types of attacks Parson launched, while providing greater technical assistance to consumers, and providing more cooperation to law enforcement. We need to keep moving forward on all three fronts, Smith said.

McKay said that, for now, Parson is being charged only with modifying and releasing the original Blaster code, and that the government has no evidence he was involved with any other derivatives of the worm or other hacking tools. However, he did say that agents are actively investigating other leads in the case.

It's not unusual that a young individual at a young age has substantial knowledge and ability, McKay said. But unfortunately, this has been turned to crime.

Reuters Photo


Copyright (c) 2003 Ziff Davis Media Inc. All Rights Reserved

eWeek