Don't catch me if you can

Around the world, computers are besieged by viruses. But of the thousands released this year, two have done more damage than all the others. And one person is accused of creating both. Malcolm Macalister Hall tells the story of the 16-year-old boy facing trial for crippling hospitals, closing banks and grounding planes - and all from the comfort of his bedroom
The Independent Online

It's just a really simple, ordinary place; a red-brick two-storey cottage, down a lane on the edge of a remote and tiny village, lost among the endless forests and cornfields on the great plains of northern Germany. It looks as if nothing has ever happened here in Waffensen. A woman is pushing a child in a pushchair down a deserted lane. A man is mowing his lawn. Two horses stand in a paddock. On a sunny afternoon in June, that is it. It would be hard to imagine a quieter, sleepier place. But in early May, just a few days after his 18th birthday, Sven Jaschan put Waffensen on the map, big time. Villagers couldn't believe the scrum of reporters and television crews he drew here. As I walk up to his address, a guy in a T-shirt is backing an old Mercedes out of the car-port beside the house.

He comes round the side of the car, unsmiling. I ask if I can talk to Sven. But I know that the family has signed a deal for his story with a German media group, so I'd already guessed what the answer would be.

"Not possible. We have - how do you say? - we already are with another newspaper. So is not possible," he says, turning towards the house.

"How is Sven? Is he OK?" I ask.

"Of course," replies the man. "Why not?"

The reason I'd asked is that, at that moment, teams of police and prosecutors in the nearby town of Verden and in the provincial capital, Hanover, were struggling to assemble an infernally technical case of "computer sabotage" against Jaschan, who lives in this cottage with his mother, his four brothers and sisters, and the man I'd met, his mother's common-law husband. Jaschan could face up to five years in jail.

In his bedroom - a typically messy teenager's room, according to police - in the basement of the house, Jaschan spent hours at his computer, a cheap no-brand-name machine that didn't look anything special. There is speculation that Jaschan - who's studying IT at a nearby vocational school - may have adapted the machine himself, removing one of the side-panels to get at the circuit-boards.

Some time during April, police and prosecutors allege, he downloaded some basic virus code from a hackers' website, and started adding strings of further code to it. Once he'd finished, it was about 15 screens long. Then, probably late in the evening of his 18th birthday - 29 April - he hit "send" and launched it on to the web.

As it spread via internet connections it infected PCs and systems running Windows 2000 and Windows XP, but mainly those whose owners or administrators had missed a vulnerability alert and the download of a protective "patch" which had been posted on Microsoft websites 16 days earlier. The virus - technically known as a "worm" - was quickly picked up by anti-virus companies, who named it Sasser, because it attacked and lodged in the operating system's Local Security Authority Subsystem Service (LSASS). And as it spread around the globe it had far-reaching effects which, police believe, the teenage Jaschan simply did not foresee.

It hit the computers of the postal service in Taiwan; at hospitals and government offices in Hong Kong, staff watched as their computers repeatedly crashed and restarted, or slowed to a crawl. It infected the systems of part of the rail network in Australia, leaving thousands of passengers stranded on platforms. Some German banks and post offices were forced to conduct transactions in handwriting. It stalled the computers of the Maritime & Coastguard Agency in Britain, so staff had to fall back on the old procedure of logging incidents on slips of pink paper. Sasser also hit some 1,200 PCs at the European Commission's Brussels headquarters; and one bank in Finland had to close all its 120 branches for several hours. On 1 May, Delta Airlines' systems at its headquarters in Atlanta malfunctioned for nearly seven hours, leading to the cancellation or delay of some 40 flights. (Delta will not confirm that this was as a result of the Sasser worm, saying that it "will not provide additional information about the issue to ensure the integrity of Delta's IT systems".)

These are merely a few headline incidents which happened to come to light - most corporations, anxious to protect their reputations and share prices, go to great lengths to avoid revealing that their IT systems have been hacked, compromised, or infected. And there is no way of logging the global total of business or home computers hit by a virus, so any "estimates" are purely guesswork. But it will almost certainly have run into millions of PCs and systems worldwide. In Germany alone, in the first week of May when Sasser was spreading fast, Microsoft Germany's headquarters in Munich saw helpline calls explode from the normal 400-odd a week to a switchboard-jamming 35,000 calls. And patch downloads soared from the usual weekly figure of 30,000 to 1.6 million.

At this point, no one knew where Sasser had come from. The usual suspects - Russian hacker gangs - were suggested. In the anonymous, global labyrinth of the world wide web, most virus writers manage to build a virtual bunker in which to hide, and are never identified. But the author of Sasser was to fall victim to Microsoft's recently launched anti-virus reward programme, which in this case offered up to $250,000 (£135,000) for information leading to the arrest and conviction of the worm's creator.

On 5 May, a phone rang at Microsoft in Munich. The caller asked for details of the reward; he then offered to provide the information Microsoft so wanted. A meeting was arranged for the following evening, several hundred miles away at a hotel in Bremen in northern Germany. Here, the informant - who was accompanied by at least one other person - handed over the source code of Sasser, and a name. The informant turned out to be a teenage fellow-pupil of Jaschan at the vocational school he attended in the small town of Rotenburg, four miles from his home.

"One of his friends betrayed him," says senior state prosecutor Helmut Trentmann, adding that Jaschan's initial foray into virus writing may have taken place at the school. The IT students are taught in adjoining classrooms. Early this year, says Trentmann, Jaschan wrote a piece of code which crashed a PC in the next room.

In Hanover, detectives in the Lower Saxony Federal Bureau of Investigation (LSFBI) applied for a search warrant early on the morning of 7 May. By the time they'd got all the signatures and authorisations and driven the 100km to Waffensen, it was around noon when they knocked on the door of the red-brick cottage.

"He was surprised to see us," says the senior detective in charge of the case, asking not to be named. "He's a juvenile, and he thought he knew what he was doing; but we don't believe that he realised his virus would have such a complex worldwide result. We don't think he realised the implications of it."

The officers seized Jaschan's computer, and questioned him at the police station in Rotenburg for several hours. "He was very cooperative," says the senior detective. As well as allegedly admitting to writing the Sasser worm, Jaschan dropped a bombshell. He claimed to have written another virus which had been in the anti-virus companies' top-10 virus league for weeks: Netsky, which had vied with other worms and viruses - Bagle, MyDoom, Sober and LoveGate - for the top slot.

Just as amazing as finding that a teenager could create global mayhem with a cheap computer in his bedroom is the fact that, according to one of his four IT teachers, he isn't even the genius many supposed him to be. "He's good in the classroom, and good at the tests. He's a computer freak," smiles IT teacher Jurgen Ahlden. "But he's not an exceptional student; there are others in the class who are better than him."

At the prosecutor's office in Verden, there's grudging admiration for what Jaschan allegedly did. "He's not a genius - he's not Einstein," says Trentmann. "But he had a brilliant moment."

The old farms and cottages in Waffensen have been joined in recent years by the pin-neat commuter homes of office workers from Bremen, Hamburg and Rotenburg. But it's still the kind of place where people turn to look at any car that goes by. And when Jaschan's name got out and the television crews descended, the 800-odd inhabitants were stunned to find themselves at the centre of a global story.

"People were amazed that the name of our little village was on TV and radio," says Jurgen Holsten, 53, standing behind the counter of his farm shop where he sells produce from his 100 hectares, and, in May and June, the fat white asparagus for which the region is renowned.

"The people here were angry about what he did - but proud of him too," says Holsten. "They were angry that he made so many problems for companies around the world, but proud that he showed that the security of Microsoft's systems is not so good." And a picture of Jaschan emerges which fits every stereotype of the classic computer nerd: shy, few friends, even fewer social skills, no known girlfriend, the whole bit.

Holsten says the family had little contact with others in the community. "They stay at home, and he was almost unknown in the village - he has many problems when it comes to being sociable. What he was doing, I think it was like a game for him. And then the TV crews came, and they were filming through the windows of the house and everything - that was very bad. He was here in my shop five days ago buying ice-cream with his little brother, and he said he was very happy that all the media [attention] had come to an end."

Just along the lane, in the carpark of the Eichenhof Restaurant, trainee chef Christian Mueller and his friends are hanging out, smoking, checking each others' cars, waiting for the Euro 2004 Sweden-Bulgaria game to start on television. "This was the most exciting thing to happen in Waffensen for a long time," says Mueller, 22. "People here were amazed when they knew it was him. I see him every day going to school on his bike - but no one wants to know him. He has no friends here. But his classmates in Rotenburg, I think they are his friends." Just then, Mueller's younger brother Sebastian turns up.

"I played football with him yesterday - he's OK," says Sebastian, 17. "We play on the same side; he's centre forward, and he's good. But we're not friends - we just play football. Everyone keeps asking him about Sasser. But he doesn't say anything."

The world's big anti-virus software companies calculate that there are anywhere between 60,000 and 90,000 viruses, virus variants, worms and other bits of "malware" (malicious software) roaming the web. Many are dormant, or too old to be effective now. But others are still trawling for victims, and new ones join them at a rate of 600 to 1,000 every month. Richard Sacre sees all this at first hand.

The IT manager for a London media and publishing company with some 300 staff, Sacre points to the "virus alerts" counter on one of the 10 monitors that jostle for space in his cramped office. The figure here is astounding. It shows that there have been 20,921 attempted virus attacks on the company's systems in the previous 17 days alone. As we watch, the counter clicks slowly upwards. "Sometimes it just races up," says Sacre. By the time I leave, the counter reads 21,009 - another 88 attempted attacks in about an hour. And screen after screen of virus attack logs show that in the past few months there were 44,533 attempted infiltrations by variants of Netsky - one of the viruses allegedly created by Sven Jaschan in his bedroom in Germany.

The company subcontracts its anti-virus protection to its internet service provider. "Otherwise, dealing with it would be a full-time job," says Sacre. "But as an IT manager, this stuff keeps you awake at night. IT managers, people like me, probably believe that they've got their e-mail protection sorted. But virus writers will be thinking: 'If we can't get in through the front door or the back door, we'll have to tunnel in from beneath, or above, or airdrop in, whatever.' It's always a race against time with all forms of crime. And the criminals - the good ones - are generally one step ahead."

That week, the company's anti-virus service had thwarted 2,791 attempted attacks by the Sober virus alone, along with thousands more by Netsky, MyDoom, Bagle, and an unnamed worm listed as "Worm.xx".

"The speed these can spread is incredible: it makes binary look stupid," says Sacre. "Forget to the power of 10. If every person has 50 other people in their address book, it spreads 50 to the power of 50, and very, very quickly the outbreak is just phenomenal."

Meanwhile, in a steel and glass building on the outskirts of Abingdon in Oxfordshire, a select group of people sit hunched at their screens, oblivious of the view through the plate glass out over the tree-tops. This is the sealed "virus laboratory" and the people inside are the virus busters at Sophos, the award-winning UK anti-virus software company whose impressive raft of global blue-chip clients and 25 million end-users worldwide make it fourth in the world anti-virus league after Symantec, McAfee and Trend Micro.

"This is like a quarantined area, because live viruses are run in here," says Sophos anti-virus consultant Phil Wood. "These guys are real geniuses; they can look at binary code and work out what it does. They have to run the viruses to see what they do, then pull them to bits, see how they do it, and provide a fix. The network in here is totally isolated - to such an extent that any recordable media you take into the lab stays in the lab. If I went in with a hard disk in my hand, I wouldn't be allowed to leave with it. These are the real clever guys upon whom the whole company is based."

Wood explains that of the 600 to 1,000 new viruses they are seeing each month, very few pose a major threat. "Currently we're looking at a significant outbreak every couple of months or so," he says. "But we had three in a week a few months back, which was a nightmare. You're at the very highest alert level, you're here till 4am, the place gets full of pizza boxes, and everyone stops doing their day to day work and deals with customers. It's mission-critical stuff."

Among the biggest and most damaging viruses and worms of recent years, Wood cites Melissa, an e-mail virus written in 1999 by US computer consultant David L Smith. It generated so much e-mail traffic that it forced major US corporations to shut down their clogged servers (Smith, who reportedly named the virus after a lapdancer he'd met in Florida, was later sentenced to 20 months). Another big hitter was Loveletter - also known as Love Bug - which Wood says was the first to use "social engineering". "It relied on you double-clicking attachments. So masquerading as a love letter is a fantastic way of getting you to do that. Who can resist? Because it could be from the girl in the next office whom you've always had a crush on; it was very, very cleverly done." But Wood says the variant whose sure-fire psychology most impressed him read: "Thank you for buying this 24 carat diamond ring. We have debited your account $5,000. If this is not correct please click on the attachment below..."

Frequent source countries for viruses include Russia, Eastern European nations, Germany and India, but Loveletter originated in the Philippines. "The guy who allegedly wrote it appeared to have done it as part of his university thesis, and when it came out on 4 May 2000, we'd never seen anything like it," says Wood. "Even Melissa wasn't anything compared to Loveletter. This was the first really serious global virus." It not only mass-mailed itself to all contacts in an infected machine's address book, but also stole personal data and e-mailed this back to an address in the Philippines. It then deleted and overwrote files.

Another high-level threat was last August's Blaster worm, whose creator had intended it to launch a mass attack on Microsoft's update website. Microsoft foiled this, but the worm went on to hit an estimated worldwide total of 8 million computers running Windows XP, causing them to repeatedly shut down and restart. "Microsoft had issued a patch about three weeks before Blaster came out," says Wood, "but often there's a lag before people install the patch, or they may not even know about it - and pretty much all the computers that were infectable around the world were infected within about 15 minutes of the virus being released - millions of them. That's how fast viruses travel." It was also an example of an increasingly common tactic - alleged to have been used by Jaschan with Sasser - whereby virus writers scrutinise Microsoft's monthly vulnerability alerts and patches, and work backwards from the patch to discover the vulnerability. They then write a virus to exploit it.

Wood is sceptical, however, about the supposedly colossal financial damage that major viruses are said to cause. "Estimates vary widely, and I think most of them are probably exaggerated," he says. "How do you count the cost of a virus infection? Is it consultants coming in to clear things up? Or is it lost productivity? I think Blaster was quoted as having cost something like $25bn (£14bn) - and it just can't be. I would be interested to see how figures like that are [arrived at]. I don't even know how you'd do it."

He says that because of the anonymity of the web, one of the hardest jobs is to track virus writers; and if they are successfully tracked down, publicity-shy corporations frequently make it impossible for police to assemble any meaningful evidence against them.

"If you're a bank, and you admit to having a massive virus infection, you're going to shake the confidence of your customers - it's one of the problems in prosecuting virus writers, because you need to establish how much damage the guy's done. But confidentiality is particularly important when it comes to IT security, and companies don't want it to be known; it's very bad publicity, and they probably rightly avoid it as much as they can. But it's quite frustrating from our point of view because we really want to see these people being [prosecuted]."

The once clear-cut distinction between hackers and virus writers is becoming increasingly blurred, as each side now employs techniques used by the other. Hard-core criminal hackers will try to break into the systems of specific companies or organisations in order to inflict damage, commit fraud, or mount "denial of service" attacks by secretly taking over thousands of unsuspecting users' machines (known as "zombies") to launch a crippling blitzkrieg on a specific system or website at a pre-programmed time. Virus writers, by contrast, are compared to graffiti artists, driven by little more than a desire to win respect in the virus-writing underworld by leaving their "tag" on as many computers around the world as they can. The most derided are the so-called "script kiddies" who merely download a virus-writing kit, customise it with a few mouse-clicks, and send it out. One of these was 2001's Anna Kournikova virus, which promised a revealing picture of the tennis star.

"For a brief period, it spread very, very fast," says Wood. "But it was easy to detect because these [kit-built] viruses are almost all exactly the same. It required no technical skill - anyone who can read can generate a virus using a kit. So Kournikova caused very little problem; a virus analyst could work out what it was and get a patch out in about 20 minutes." And Wood says that the virus-writer stereotype - young guy, no mates, no girlfriend, alone in his bedroom - is "probably not entirely inaccurate".

"A lot of them see virus writing as an intellectual challenge, and launch their attacks for fun, just to see what happens," says Wood. But he has worked on tech support during major virus attacks, and says he's heard some terrible things. "I once spoke to a guy who'd lost his entire university thesis a couple of days before it was due to be handed in," he says. "When you've spoken to real people who are deeply affected by these attacks, it's not funny any more."

After questioning Sven Jaschan, detectives from the LSFBI raided the homes of five of his fellow pupils at the vocational school in Rotenburg. A team of police IT specialists is now examining nine computers which were seized, along with several more hard drives.

"On one of the computers alone there are several thousand files containing bits of virus code. Every single one of these files had to be checked to see if the code was complete or usable," says the detective in charge of the case. "This case has got 'priority one' status; everything else has been put back. Something on this scale hasn't been done by us before. The mass of information and the sheer size of the data we have here makes this job extreme. We're using all the experts we can get."

There has been speculation that the raids smashed a major virus-writing gang named Skynet, but police say early indications are that Jaschan was working largely alone in creating Netsky and Sasser, as well as variants of each.

However, senior prosecutor Trentmann says there is a hint that Jaschan may have had collaborators. One version of Netsky contained a taunt to anti-virus firms which implied more than one author for Sasser: "Hey av [anti-virus] firms, do you know we've programmed the Sasser virus?!? Yeah thats true! - we are the Skynet". And since February this year, when Jaschan allegedly launched Netsky, it has been engaged in a three-cornered battle for supremacy with two other major worms, MyDoom and Bagle. Successive variants of each have tried to disable the others, and contain embedded abusive messages - which are never displayed onscreen - to the respective authors. Bagle-J carries the hidden message: "Hey, NetSky, fuck off you bitch, don't ruine our bussiness, wanna start a war?" And MyDoom-G contains the hidden script: "to netsky's creator(s): imho, skynet is a decentralized peer-to-peer neural network. we have seen P2P in Slapper in Sinit only. they may be called skynets, but not your shitty app."

Meanwhile, Trentmann and the police face a formidable task. Germany's relatively new computer sabotage law has not yet been tested in such a high-profile, global case. Protective of their reputations, corporate victims of Sasser have been reluctant to come forward with evidence. "We have [evidence from] a lot of small private users, and from two towns in Germany whose systems were damaged, but we have to find big companies whose computer systems were brought down by Sasser - but that's more difficult than we thought at the beginning," says Trentmann. One of the biggest suspected corporate victims has declined to help. "Their system administrators don't want to admit they had problems. And that's a big problem for us."

The law is another problem. The detectives in Hanover may be hindered trying to gather evidence and witnesses from international victims of Sasser - for example, the Taiwanese post office - unless they can prove it caused a specified level of damage in Germany itself. Britain's Computer Misuse Act 1990 allows a maximum penalty of five years but other countries have different laws and penalties, or none.

"The law says five years or a fine, but this isn't a small crime," says police spokesman Frank Federau. "Viruses are causing immense problems; the laws should be amended to allow far higher penalties. And the internet has no borders, but countries do - and the law in every country is different. We must have similar laws all over the world; only then can we really do something about this."

Most experts believe that the threats from virus writers and hackers can only get worse. Ranged against them, Microsoft and the anti-virus companies are facing an indefinite war of attrition. "The better one side becomes, the better the other side will become," says Microsoft Germany spokesman Thomas Baumgaertner. "It will be a permanent head-to-head race." In May, Sophos identified 959 new viruses and worms - the highest rate since December 2001. In June, the first real mobile phone worm was found. Named Cabir, it did not spread but was sent to an anti-virus firm as a demo by its creators, believed to be a European virus-writing group called 29A. Smartphones and PDAs have been described as a new "hackers' heaven".

Against this background, Trentmann is under no illusions about the importance of the Sasser prosecution, but "I'm not sure whether he [Jaschan] thought about all this," he says. "I think he just wanted to be the biggest, the best virus-spreader, and he didn't look beyond that. His motivation was not to get rich or anything; he just wanted to get famous on the scene. They all know each other on the internet and they're like graffiti artists, who can leave their mark around the world. And he did it."

Currently at liberty and back at his IT school, Jaschan will only be charged with "computer sabotage" if and when a valid case can be assembled. A court date is not expected before next month. Though the maximum penalty for computer sabotage is five years, this is unlikely to be imposed as Jaschan is likely to be treated as a minor, since he allegedly created the worm before his 18th birthday.

The family's media deal resulted in a long article in German news magazine Stern. Its reporters clearly had their work cut out trying to drag the story from the shy, monosyllabic teenager. The piece contains very few direct quotes from Jaschan. But he told them he'd created 29 versions of Netsky, and that his whole class knew about it - and were impressed.

"How Netsky spread was great, and my class thought I was great," he was reported as saying. He said he'd included some words in the worm to make it appear as though it had come from Russia or Eastern Europe, to throw investigators off the scent. When a German television news report said Netsky was believed to be Russian, "we were laughing our heads off - we looked on it as a game".

But Sasser was different. He said he watched, frightened, as it tore around the globe, knocking out systems everywhere, and knowing that he couldn't stop it. Some of the 50 people and organisations - including a major German city - who have so far reported damage to the investigators have enclosed their bill for compensation.

"I'm scared that my future is destroyed; that my life has gone down the pan," he told Stern. "How can I pay everything if I'm found liable for all those damages? The only thing I can do," he added, "is apologise to everyone."

Spread 'em: Top 10 viruses

Leading anti-virus company Sophos detected 6,677 new viruses in the first six months of this year. Despite only appearing in May, Sasser is in the top spot, accounting for over a quarter of the Top 10 viruses reported to Sophos. Six of the Top 10 may have originated with Sven Jaschan, making him responsible for 70 per cent of disruption.

1 Sasser 26.1 per cent

2 Netsky-P 21.4 per cent

3 Netsky-B 11 per cent

4 Netsky-D 6.8 per cent

5 MyDoom 4.4 per cent

6 Zafi-B 4 per cent

7 Netsky-Z 3.1 per cent

8 Netsky-C 2.4 per cent

9 Sober-C 1.5 per cent

10 Bagle-A 1.2 per cent