FBI announced Arrest of Worm-Upgrader

Date: Thursday August 28, @09:30PM
Author:ewing2001
Topic:News
from the Reuters dept.

Minn. Teen Faces Internet Attack Charges

Update: The strange delay of the FBI (08/30)

Reuters - Friday, August 29th

NEW YORK (Reuters) - U.S. cyber investigators arrested a Minnesota teenager Friday who the FBI said has admitted unleashing one version of a damaging virus-like infection weeks ago on the Internet.

A court official identified the teenager as Jeffrey Lee Parson, 18, of Hopkins, Minn., known online as "teekid." A U.S. official in Washington also confirmed an arrest was made early Friday.

Court papers said FBI and Secret Service agents searched Parson's home on Aug. 19 and seized seven computers, which are still being analyzed. In an interview with FBI Special Agent Eric Smithmier, Parson admitted modifying the original "Blaster" infection and creating a version known by a variety of different names, including "Blaster.B," court papers said.

FBI Director Robert Mueller hinted earlier this week that an arrest was imminent, when he cited the damage from the recent Blaster and "SoBig" infections.

... Parson operated the t33kid.com Web site, according to Internet registration records.


Response at Slashdot

Accused MSBlaster Creator Placed Under House Detention

Techweb -August 29, 2003

A Minnesota teenager has admitted creating a copycat of the MSBlaster worm, Seattle-based U.S. Attorney John McKay said late Friday.

The 18-year-old, identified as Jeffrey Lee Parson of Hopkins, Minn., a middle-class suburb west of Minneapolis-St. Paul, was arrested early Friday morning on one count of intentionally causing or attempting to cause damage to a computer, and charged Friday afternoon in a St. Paul federal court.

“With this arrest, we want to deliver a message,” McKay said. “Hacking is a crime, and we will investigate, arrest, and prosecute hackers. To all hackers, the message should be: we have the capacity, the will, and the desire to find you and arrest you.”

Parson was placed under house detention and is being monitored electronically, said McKay. All computers in his home were seized by the FBI, and he has been denied access to the Internet. Parson will be transferred to Seattle, where the case will go to trial, beginning Sept. 19.

The maximum penalty for the crime is ten years in prison and up to $250,000 in fines, McKay said.

Parson is accused of modifying the original MSBlaster worm, and re-releasing it. The variant, second in a series based on MSBlaster, goes by the names W32.Blaster.B and Blaster.B, and was first detected on August 13, two days after the original appeared.

According to court papers, federal agents first searched Parson's home less than a week later, and seized several computers. During an interview with the FBI, Parson admitted to changing MSBlaster, then releasing the new worm back into the wild.

W32.Blaster.B shared the same destructive characteristics as its parent, attacking PCs which had not been patched against a vulnerability in the Windows operating system. The worm, which according to security firm Symantec infected more than 500,000 systems worldwide, caused some computers to constantly reboot, snarled enterprise network and Internet traffic, and forced Microsoft to take the unusual step of disabling one of the addresses used to connect with its WindowsUpdate service. Estimates by analysts as to the damage done by MSBlaster and its follow-ups range as high as $1.3 billion.

The FBI complaint accused Parson of infecting at least 7,000 computers, and causing “significant damage, without authorization, to Microsoft and other victim computers.”

“The damage done to Microsoft is but a small tip of the larger iceberg of damage done to individuals and businesses,” said Brad Smith, the general counsel for Microsoft, who also stressed the close cooperation between his company and law enforcement agencies that led to the arrest. “Microsoft engineers, for instance, disassembled the [worm's] code.”

No additional arrests have been made, although others were named in the complaint, including a group of Chinese hackers who originally posted code that led to the MSBlaster exploit of the Microsoft vulnerability.

Parson, who goes by the online handle of 'teekid,' seems linked not only to the worm variant -- the file placed on infected machines by W32.Blaster.B was named teekids.exe -- but also to other hacker activity.

The Web site t33kid.com is registered to Parson at a Hopkins, Minn. address. Although the site is now offline, a cached version stored by the Google search engine refers to several hacker-like programs, including one called p2p.teekid.c, which Parson bragged was “my little p2p worm spreads via kazaa and imesh, downloads a file from web. No biggie.”

While neither the original MSBlaster nor Parson's alleged variant were distributed via peer-to-peer networks such as Kazaa, the tactic has been used by other attackers.

Teekid also appears on several discussion forums related to Trojan horses, including Trojanforge.net, where he posted a message as recently as August 3 saying he was “looking for a tiny irc bot that all it does is have a web download.” Such bots can be used within a worm to enable an attacker to place other code in an already-compromised PC.

The alias also appears to be behind a defacement last year of a Web site belonging to the Minnesota Government Finance Officers Association (MnGFOA), said Tom Kelly, the group's president.

It all points to someone who knew what he was doing. “Mr. Parson is a key and significant player in the Blaster worm problem,” said U.S. Attorney McKay.

Ken Dunham, the malicious code intelligence manager at iDEFENSE, a Reston, Va. security firm, agreed. “Parson's activities online indicate that he was very experienced in working with malicious code and Trojans. He knew enough to know better, but opted to make a new worm. This was not the first time Parson's had delved into code -- his website hosted a P2P worm in addition to other malicious code and underground website links.”

The U.S. attorney's office in Seattle has been leading the investigation because the worm targeted Windows, the operating system software made by Microsoft, which is based in nearby Redmond.

The arrest comes hard on the heels of claims by Robert Mueller, Director of the FBI, that his agency was “confident” that it would find and prosecute the makers of the MSBlaster worm and the Sobig.F virus.

However, the FBI and other law enforcement agencies are still looking for the creators of the original MSBlaster worm and the Sobig.F virus. While McKay admitted that law enforcement has evidence it's pursuing, he wouldn't comment about possible future arrests.

The hunt may prove difficult. “We're not aware of any connection between Blaster and Sobig,” said McKay.


The strange delay of the FBI

Wagkingdom.com -30th August, 2003

by Fintan Dunne

The high profile arrest of Jeff Parson on charges of writing a variant of the Blaster worm raises more questions than it answers. How come the FBI took so long? The culprit was immediately obvious.

Let's say you are a greenhorn FBI agent.
This is your first day working for the FBI.

It's August 13th, 2003, and you've been at your desk since 09:00am, with nothing to do. You play with your pencils and rearrange your desk layout five times. Eventually....

12:00pm: An office messenger drops a memo on your desk. It says that new variants of the Blaster worm have been identified by anti-virus company McAfee Associates. You read:

"Update 13 August 2003. Two new variants were discovered.. teekids.exe (5,360 bytes) [detected as W32/Lovsan.worm.b] ...functionally similar to the original worm."

12:01pm: So, one new variant creates a file called teekids.exe. You try Google for the search term "teekid". It's a pretty obvious place to start.

12:02pm: Some of the first few Google search results don't look relevant. They seem to be about a tee-shirt for kids.....

But... Bingo! The seventh Google reference is to a website called t33kid.com. OK. Now "33" is the reverse of "EE," so t33kid.com is really tEEkid.com. This has got to be the guy. You click on the website link.... The site is about viruses. Paydirt!

12:03pm: A quick check of the Whois domain name registration record for t33kid.com shows it is registered to: Jeff Parson, 603 8th Ave S. Hopkins, Minnesota 55343 US. The registration also gives Mr. Parson's email address. Gee, you never figured that being an FBI agent was this easy!

12:04pm: Time to send an email to Teekid:

Dear Jeff,
Hey dude, looks like you wrote that
Blaster variant going around.
Get back to us, ASAP.
regards
THE FBI

12:05pm: You just cracked your first case. Took 5 minutes. You deserve an early lunch.

From the above, it's clear the culprit was identifiable on August 13th/14th, 2003. Yet two weeks were to elapse before an arrest was eventually made.

Did the FBI use Google to trace Mr. Parson? It doesn't look like they did. The Washington Times reported the proximate cause of Parson having become a suspect was that:

"According to the official, a witness reported having seen the teen testing the Blaster worm." (http://washingtontimes.com)

But another take on the story tells a different tale:

"According to the complaint, FBI agents traced traffic the Blaster worm generated back to a Web site of a similar name to Parson's online alias. 'I wouldn't characterize the work as being easy,' U.S. Attorney John McKay said, but 'he obviously left clues.'" (news.com)

Parson left clues a lot more obvious than just worm traffic leading back to his site. However, the FBI's talk of "tracing traffic" makes their investigation sound sophisticated and high-tech.

The same high-tech nonsense pervades the comments by FBI Director Robert Mueller three days before Parson was arrested, who said his agency was working with the US Department of Homeland Security to track down suspects.

"We employ the latest technology and code analysis to direct us to potential sources, and I am confident that we will find the culprits."
-- FBI Director Robert Mueller (news.com)

But even Parson himself knew the game was up two weeks before his arrest. He knew from the moment anti-virus software experts found his variant of Blaster. As a friend of Parson recounted:

"Two weeks ago he said he was going to get caught," she said. (Startribune.com)

The FBI has stage-managed the trivial arrest of the dumbest copycat virus writer ever to come to public notice -- into a high-tech, sleuthing triumph.

For the sake of argument the FBI could claim to have been sitting on young Mr. Parson in the hope he would lead them to some network of organized criminals behind Blaster. That don't hunt. Parson is clearly an incredibly dumb pimply virus-writer wannabe.

Think of the FBI budget. Think of the Homeland Security budget. Then go figure the delay in his arrest.

Meanwhile if the FBI want a real investigatory challenge they should chase down the author(s) of the Sobig worm-virus.

You know... The one who used a stolen credit card and who hijacked an innocent party's computer to upload the worm. Say FBI, let us know when the press conference is scheduled to announce that arrest.



printed from FBI announced Arrest of Worm-Upgrader on 2004-06-20 17:04:34