Minnesota teen arrested in MSBlaster Case
- By Wilson P. Dizard III, William Jackson
- Aug 29, 2003
Federal officials have arrested an 18-year-old Minnesota man in connection with the MSBlaster worm case, according to press reports and local police officials.
Connie Kurtz of the Hopkins, Minn., police department said her department provided 'the uniformed presence' when FBI and Secret Service plainclothes agents arrested Jeffrey Lee Parson. She said Parson had graduated from Hopkins High School.
Shirley Schmit, of the Hopkins Police Department Records Division, said federal officials planned to take Parson to the federal court in St. Paul.
Security experts said Parson did not appear to be the author of the original MSBlaster worm, which appeared Aug. 11 and carried a payload intended to launch a denial-of-service attack against a Microsoft Corp. patch update site. He apparently made minor modifications to the original worm and released his version, dubbed Blaster.B.
Ken Dunham, malicious code intelligence manager at iDefense Inc. of Reston, Va., characterized him as a 'script kiddy,' a derogatory term for a malicious hacker without the expertise to do original coding. But Dunham said arrests and prosecutions even at that level are important.
'If there is no accountability, there will be a lot of people who will decide to play on the dark side,' Dunham said. 'We can't rely on the morality of people. There must be consequences to have order on the Internet.'
The U.S. Attorney's office in Seattle plans to hold a press conference at 4:30 p.m. Eastern time about the worm case. Officials there and at the Justice Department declined to comment on media reports. Justice officials said they would release court papers when the press conference begins.
The Associated Press reported that Parson was known online as 'teekid.' AP added that FBI and Secret Service agents had searched Parson's home on Aug. 19 and seized seven computers, which are still being analyzed. The financial losses from the viruslike worm exceeded $5,000, the statutory threshold in most hacker cases, AP said.
Identifying an author of malicious code is not easy, Dunham said. 'Tracking the bad guys can be a complicated process,' he said. 'There is no formula for finding them over the Internet.'
Law enforcement and security personnel rely on investigative techniques such as examination of the code, tracking the spread of the code over the Internet and observing the behavior of suspects when they appear online. Although anonymity is one of the attractions of online activity, even hackers cannot avoid leaving footprints if investigators know where to begin looking, he said.
While investigators were tracking down authors of Blaster worms, a new worm exploiting the same Microsoft remote procedure call vulnerability has been discovered in the wild.
The Ralekab worm first appeared three days ago, and three variants have been found so far. The new worm carries a backdoor Trojan horse and can update itself from a remote Web site, according to iDefense. But Ralekab might not get the opportunity to spread as far or as fast as Blaster.
'New worms like Welchia or Nachi (which actually patched the vulnerability), and aggressive patching are helping to patch computers vulnerable to remote procedure calls,' Dunham said. 'As a result, this and future worms will likely have less success than former variants exploiting the same vulnerability.'
William Jackson is a Maryland-based freelance writer.