Alleged Internet worm launcher wouldn't need much sophistication
In the underground world of Internet attackers, Jeffrey Lee Parson is a small fish, security experts say.
Parson is the 18-year-old Hopkins high school senior who was arrested Friday for allegedly releasing the second of several variations of the Internet Blaster worm. Beginning about Aug. 11, the worm and its variants shut down consumer and business computers around the world and virtually stopped many corporate networks by flooding them with data traffic. About 500,000 computers were infected.
But security experts said it appears that Parson is far from being a key player in the worm attacks. Instead, he appears to be one of thousands of largely self-taught programmers.
Such programmers generally use normal computers and relatively simple software to copy the work of more creative programmers that is readily available on the Internet.
The innovations that disrupted computers worldwide were the work of Blaster's creator, who remains unknown and at large, the experts said.
The FBI, in papers filed in U.S. District Court in Seattle, said Parson, known online as "teekid," was responsible for attacking about 7,000 of the 500,000 computers that were infected by Blaster and its variants. Experts say it is difficult to tell how many computers were affected by Parson's version because the first three worm versions were so similar.
Parson was charged with one count of intentionally causing damage to a protected computer for releasing his worm, called Blaster.B or Lovsan.B. He did not enter a plea; his next court hearing is scheduled for Sept. 17 in Seattle, where the federal investigation of the Blaster attacks is based because it is near Microsoft's headquarters.
The Blast worm attack has been a setback for Microsoft's Trustworthy Computing initiative, a highly publicized effort to make the company's software more secure. Chairman Bill Gates launched the initiative in January 2002, after the Code Red and Nimda worms demonstrated severe vulnerabilities in Microsoft software. He said security would be the company's top priority.
Microsoft, which said it spent $100 million last year on secure-computing efforts, still is working to improve its image.
"We are committed now more than ever to building more secure software that is resilient to attack while preserving the rich computing experience that our customers expect," Microsoft said Friday.
When the software patch for Windows was offered in July, Jeff Jones, senior director for Microsoft's Trustworthy Computing effort, promised that in the future such flaws would be detected and fixed earlier through the use of automated software scanning tools that look for security holes.
'Script kiddie'
Those efforts are vital for stopping the top tier of malicious hackers, as well as the copycats, one of which Parson is alleged to be.
"I rate him as an advanced 'script kiddie,' meaning he is one of those people that don't invent their own ideas," said Eric Schultze, chief security architect for Shavlik Technologies of Roseville. "He didn't do anything supernew and exciting. He just took other people's ideas and cobbled them together without adding a lot."
Script kiddies "do it for the bragging rights," Schultze said.
"The majority of script kiddies are teenage boys," said Sharon Ruckman, senior director of Symantec Security Response in Santa Monica, Calif. "They are looking for publicity, and they like to see notice of their work in the press. But script kiddies are not criminals. They're not trying to steal credit card numbers or financial information from your computer."
Because Parson is believed to be a copier of the original Blaster worm code, experts also say there is no reason to think that he knew the original author of Blaster. Capturing the worm would have been simple, experts said. Once the original Blaster worm infected a computer, Parson could have used a piece of software called a text editor to view it and make changes in its code.
"Not just anybody could do it, but it's not that difficult," said Vincent Gullotto, vice president of the antivirus emergency response team at Network Associates, a security firm in Beaverton, Ore.
Another aspect of the case, Parson's Web site, loaded with malicious computer code, doesn't really brand him as an experienced Internet attacker, experts said.
The FBI said in court papers that Parson maintained a Web site that contained the source code for other Internet worms and had links to other Web sites that offer downloadable code, such as "back doors" that provide unauthorized computer access.
But experts say it is not illegal or unusual for programming enthusiasts to maintain such a site.
"There are 30,000 Web sites that contain hacker and virus-writing tools," Ruckman said. Such sites are often protected by passwords so that only people who know the operator can access them, she said. "If a person has general programming knowledge, putting those pieces together is not too difficult."
One thing that sets Parson apart from other Internet attackers is that he got caught, something that rarely happens even when the attacks are extremely damaging, Ruckman said.
"The creators of the Code Red, Nimda and Slammer worms have not been caught at this point," Ruckman said.
The Code Red worm swept the Internet in July 2001, causing an estimated $2 billion in damage. The Nimda worm infected hundreds of thousands of computers in September 2001, causing billions of dollars in damage. The Slammer worm caused an estimated $1 billion in damage in February.
Lacking sophistication
Some experts say the ease with which Parson was caught betrays him as an amateur. The FBI's court filing indicates that Parson made two mistakes that enabled the government to trace him. He changed a computer file name within the worm to "teekids," a name he frequently had used when visiting Internet chat rooms and game Web sites. He also directed computers infected with his version of the worm to send their Internet addresses to his own Web site.
"His lack of sophistication in hiding his tracks means he is newer to the game," Ruckman said.
But, sophisticated or not, it would be wrong to say this contribution to Internet worm attacks was insignificant. MS Blast and its variants became one of the worst computer attacks of the year, and their impact was even more keenly felt because they overlapped with an unrelated computer attack, the SoBig.F computer virus, which clogged e-mail inboxes worldwide in late August. (A worm acts without human intervention; a virus such as SoBig works only if an unsuspecting recipient clicks on an e-mail attachment.)
Authorities say Parson's version of the worm maintained the impact of the original one while adding some features. Like the original, it infected a computer and commandeered it for a later attack on a Microsoft Web site (the attack was foiled by Microsoft, but at the expense of considerable time and effort). The worm also spread itself to other computers, then shut down the original computer.
This version added two features and some insulting remarks about Microsoft founder Bill Gates. The worm created a back door to the infected computer that would allow Parson to revisit it later, and it caused infected computers to register their Internet addresses on Parson's Web site, http://www.t33kid.com. Parson also is credited with adding remarks chiding Gates for not being more careful about software security.
While he would be far from the first person to criticize Microsoft's security lapses, one analyst said it's only natural that the software giant is a frequent target of Internet attackers, because its software is so widely used that an attack has huge ripple effects.
"You would not get a lot of respect among your peers for attacking Apple Computer software," Schultze said. "You'll get more respect if you attack Microsoft software, and there are more opportunities to do so."