The arrest of a Minnesota man for allegedly writing a variant of the Blaster worm provides security professionals with an opportunity to vent about having to scramble to disinfect and protect systems. But experts doubt the arrest will truly scare away worm writers.
Eighteen-year-old Jeffrey Lee Parson is accused of writing Blaster-B, which spread to about 7,000 systems. Today, a Romanian university student was arrested for allegedly writing another variant of the worm. Instead of targeting Microsoft's Windows update page, Blaster-F targeted a Romanian university site.
Yet it was Blaster-A, the original worm, that gained most of the traction, infecting hundreds of thousands of systems. Its writer has not been apprehended. In fact, most virus and worm writers don't get caught. For every high-profile arrest, there are plenty of other examples of writers getting away with it.
"Virus writers are not going to be deterred by [Parson's arrest]. The burden of protecting systems, whether it's fair or not, is going to continue to fall on your IT staff," said Mark Rasch, a former head of the Department of Justice's computer crime unit and now senior vice president and chief security counsel of Solutionary Inc.
"Virus writers say people get caught because they were sloppy. It wouldn't happen to them," Rasch said, noting most other types of criminals have the same attitude.
In a way, there is a disconnect between the act of creating a worm and the damage it can cause. Some creators may not even realize what they are doing is criminal. Even "good" worms are usually bad. For example, the recent Nachi worm sought to patch systems against a critical Windows Remote Procedure Call (RPC) vulnerability, which Blaster exploited. It also disinfected systems, but its method of scanning slowed local networks to a crawl.
"There will always be vulnerability issues with computer systems. If someone has a real talent, then they should come up with a fix and share it with the public," said Thomas Barna, a storage engineer with Government Micro Resources Inc., a solutions and service provider in Manassas, Va. "If they are just a vandal, then they destroy systems just for the fun."
The author of Blaster has the most culpability, but others have pieces of blame pie on their plate. Some blast Microsoft for creating software with such a security flaw in the first place, but the company did have a patch available for the flaw for a month before Blaster struck.
"Yes, I can blame myself, but I did not violate ethics or legislation," said Willem Greifenstein, head of information and communication infrastructure and security management for a provincial government in South Africa. "The culprit should be heavily punished, and the rest of us must wear our red faces and fix our systems and procedures."
Others are angry that exploit code for the flaw could be found easily on the Internet. "I agree that the person who made the virus should answer for his crimes. I also believe the people responsible for releasing the actual exploit should pay a price as well," said Bryan MacLeod, network security engineer for Denver-based Policy Studies Inc.
Experts believe the author of the first Blaster worm used publicly available exploit code for the worm. Essentially, the writer tweaked the exploit code enough that it wouldn't trip filters but didn't really add to it, said Mikko Hypponen, manager of antivirus research for Helsinki, Finland-based F-Secure Corp. "It wasn't particularly advanced; probably written by a kid."
The fact that many viruses are written by people Parson's age is troubling to many within the security community. People at that age often can't see the relationship between their actions and their consequences. "With other criminals, you literally have to go out to commit [crimes], but writing worms is done from the comfort of your basement," Rasch said. "A kid probably would say it didn't cause any damage."
Yet Blaster was hardly child's play. The worm cost companies an estimated $1.3 billion in damages and lost productivity. For example, Todd L. Stuewer, a vice president of IT at a large insurance company in the Midwest, had to dispatch someone to fix an infected remote machine. The repair of the one machine took five hours, including travel time, but that was not the only Blaster damage.
"During the first couple of days of this virus, we shut down access to our Citrix server and shut off access to consultants working to install a new release of our claims software application," Stuewer said. "The delays in implementing corrections to our claims application and lack of access to our remote users cost our company thousands of dollars."