Sasser Worm Arrest
Brad Smith Press Conference
May 8, 2004
LOU GELLOS: Thank you very much. Good morning, everyone. Joining us is Brad Smith to discuss the recent arrest in Germany regarding the Sasser Internet worm and Microsoft’s involvement because of the reward program. Brad?
BRAD SMITH: Thank you, Lou. Thank you for joining us this morning. I thought I would take a few minutes initially to provide you with some additional information about this case and the arrest announced in Germany today and then we have a few minutes to answer questions that you may have.
First, I would like to express Microsoft’s gratitude for the law enforcement agencies that were involved in today’s arrest. Today’s arrest resulted from a coordinated enforcement effort involving multiple agencies on two continents. It is the result of fast-moving efforts over the last eight days, this Sasser virus or Sasser worm having been launched only eight days ago on April 30th.
It is an arrest that results in part from the involvement of Microsoft investigators working under the auspices of our Antivirus Reward Program and I will provide you with some specific information about that.
As you may know, as you probably recall, Microsoft entered into a partnership last November to create a $5 million antivirus reward program. We did that in conjunction with Interpol, the FBI and the Secret Service.
Aware of this program, individuals in Germany approached Microsoft investigators this past Wednesday on May 5th. These individuals offered to our investigators to provide information about the creator of the Sasser virus and they inquired about their potential eligibility for a reward under our program.
Microsoft’s investigators informed the individuals that the company would consider providing a reward of up to $250,000 if their information led to the arrest and conviction of the Sasser perpetrator. Following this discussion, the individuals provided information to Microsoft and to local authorities in Germany.
Here at Microsoft our investigators and our technical experts reviewed this information and in conjunction with law enforcement authorities they pursued technical analysis to verify the accuracy of the information that was provided.
The FBI also provided investigative support for German law enforcement in conjunction with our technical experts.
Within 48 hours of the informants coming forward our investigators and the German police were able to identify the perpetrator of the Sasser virus and to take him into custody. This individual is responsible we believe for all four variants of the Sasser virus.
As the investigation unfolded, the German police concluded that this individual was also connected to the Netsky worm. The Netsky worm was launched on February 16th of this year. Ultimately there were 28 variants of the Netsky worm and the German authorities are alleging today that all of these variants are connected to the individual who they have taken under arrest.
I’d like to highlight a couple of aspects of this in particular with respect to Microsoft’s support for law enforcement as part of this endeavor.
As this case demonstrates, we at Microsoft will move quickly to support law enforcement worldwide to identify and hold responsible those who break the law by launching viruses and worms targeted at our customers.
The information leading to this arrest, as I’ve said, resulted in part from Microsoft’s Antivirus Reward Program as well as new technical and investigative techniques we have developed during the last year to address precisely this type of situation.
During the past year we at Microsoft have invested in creating a world-leading capability for antivirus analysis and we now assist law enforcement in multiple countries around the world in the analysis of viruses, worms and other malicious code. In this instance our technical experts were able to utilize these new capabilities to analyze the source code of the Sasser worm and through that analysis connect this individual with the worm itself. They were also able to undertake tests in a technical laboratory here in Redmond, Washington to analyze infected machines, machines that we deliberately infected in a secure and safe environment, so that we could ensure that we understood the worm and how it works.
So we are very pleased with this fast progress and the ability of law enforcement to arrest the perpetrator within seven days of the launch of the worm.
Finally, I would conclude both by thanking the law enforcement agencies involved and offering a few thoughts for consumers who may continue to have concerns about what this worm means for them.
As I’ve said, this was a coordinated, multinational law enforcement effort. Certainly we at Microsoft are very grateful for the very effective work of the Hannover State Police of Lower Saxony, for the support of the public prosecutor in Verden in Germany, as well as for the active support of the FBI and the ongoing support of the Secret Service. All of these were important in this specific case and in the broader law enforcement efforts.
I’d also then just like to conclude with three thoughts for consumers who may be focused on what the Sasser worm means to them. An individual who uses a computer that connects to the Internet should take the kinds of steps to protect their computer much the same way they do when they put on their seat belts when they get in a car. They should turn on the firewall in their operating system or other security software. They should regularly update their software. Indeed, we have an update available that was made available on April 13th that specifically addresses the issues that the Sasser worm seeks to exploit. And consumers should keep their antivirus software up to date.
For more information consumers can go to Microsoft.com/protect and they’ll find all of this spelled out in greater detail.
So with that, I’d like to open it up and take a few questions.
ROBERT LEMOS (CNET): Hey, Brad, how are you?
BRAD SMITH: Good, Robert. How are you?
ROBERT LEMOS: Good. So a couple questions. One is that you labeled the people who came forward as informants. Were they part of this group or were they researchers who had thought that they had some information because of technical analysis?
BRAD SMITH: These were individuals who were aware of who the perpetrator was. They did not stumble upon this simply through technical analysis. They were aware of who this individual was. But beyond that, we’re not in a position to disclose their identity.
ROBERT LEMOS: And my other question is do you believe there will be other arrests leading to other members of the supposed group who created the Netsky virus?
BRAD SMITH: Well, this investigation is ongoing, so I’m not in a position to comment on any other arrests that may arise in the future. I do think that the fast action in this case does send a message to people who are thinking about creating or launching malicious viruses and worms and that is that we together with law enforcement can and will identify individuals who launch malicious code on the Internet and law enforcement can and will bring these individuals to justice regardless of where they are in the world.
I do think that this is an important message for people to think about if they entertain any thoughts of launching malicious code on the Internet and I think as this case demonstrates, our entire industry has expanded its ability to support law enforcement over the last year, we have expanded technical capabilities and clearly this type of reward program does work.
One of our reactions this past week when these individuals came forward is that we definitely appreciate that the lure of a cash antivirus reward can prompt those with information to come forward and assist law enforcement. We believe that is an important thing for individuals with helpful information to do. And so we did not hesitate. We made a decision that we would offer a reward of $250,000 in this instance and that obviously made a very large difference in moving this case forward so quickly.
ROBERT LEMOS: Thank you.
BRAD SMITH: Sure.
BERNARD WARNER: You mentioned that German police say the 18-year-old is connected with all of the Netsky viruses. Can you elaborate on that?
BRAD SMITH: Yes. We believe or the German authorities believe and have alleged that this individual is connected with all 28 variants of the Netsky virus, which is another way of saying that the German authorities allege that he is responsible for the creation of all 28 variants of Netsky.
BERNARD WARNER: So in other words he would be the kingpin then of Skynet, which is a larger group?
BRAD SMITH: I wouldn’t be in a position to say anything about that. This was one specific virus, the Netsky virus and its variants. I don’t think that’s the same thing as saying that he is the kingpin of any particular group. I’m not offering any view on his relationship to other individuals. I’m simply saying that our understanding is that the German authorities are alleging that he is connected to or responsible for all 28 variants of the Netsky virus.
BERNARD WARNER: I see. There was also an arrest yesterday of a 21-year-old in Germany. What are the connections there?
BRAD SMITH: There are other investigations that are ongoing as we speak and there are law enforcement authorities moving forward in these other areas. These other areas are ongoing and I’m not in a position to confirm or disclose any other information relating to those other investigations at this time. We are working with German law enforcement on other matters. We are also working with law enforcement in the United States and elsewhere on other matters.
BERNARD WARNER: I see. And then one other point. Can you say how many informants? I’m just curious, $250,000 U.S. split between how many individuals?
BRAD SMITH: We’re not in a position to confirm the exact number. It is fewer than you could count with one hand, but I think other than that I wouldn’t want to offer an exact number.
BERNARD WARNER: Okay.
CHRIS DOLMETSCH (Bloomberg News): I'm just wondering, have they, in fact, been paid?
BRAD SMITH: No. The way our Antivirus Reward Program operates is we pay rewards based on the arrest and conviction of an individual responsible for creating and launching a virus or other malicious code on the Internet. Obviously the German police and the public prosecutor have taken the first step in this case. During the last 24 hours they have arrested the individual. The reward itself would be paid when there is a conviction.
JUDY (Scotland on Sunday): Hi. This is Judy from the Scotland on Sunday here.
I wondered if you could confirm the name of the teenager who’s been arrested in Germany.
BRAD SMITH: I’m only able to confirm that there is an 18-year-old man who has been arrested, but I’m not in a position to confirm his name.
JUDY: Right. Okay. The second question is I wondered if you could explain, you said that informants had contacted you from Germany. Do you know whereabouts they were and how that process went through when you got the information from them?
BRAD SMITH: They were in Lower Saxony. We can confirm that we were contacted by informants in Lower Saxony. Obviously Microsoft has subsidiaries around the world. We have subsidiaries in over 90 countries. We have investigators in Germany itself.
JUDY: So did they contact them?
BRAD SMITH: Yeah, and so the contact was made through our investigators in Germany and the information came from individuals in Lower Saxony, which, of course, is where the arrest was made yesterday.
JUDY: I’m sorry, where in Germany did they make contact with Microsoft?
BRAD SMITH: Well, the individuals are in Lower Saxony, which is where the individual who was arrested happened to reside as well. And they contacted our office in Germany and we have investigators based in Munich.
JUDY: In Munich, right, okay. And now did that go through to your main headquarters in Washington?
BRAD SMITH: Yes, we immediately literally within five minutes our investigators in Germany were working with our investigators and technical experts in Redmond, Washington.
JUDY: Right, okay. And also the FBI over there?
BRAD SMITH: The FBI in the United States was involved as well.
JUDY: Right. And then did you then contact the German police in Hannover?
BRAD SMITH: Yes, we did follow up then with the German police in Lower Saxony as well.
JUDY: Right, okay. Thanks very much.
BRAD SMITH: Sure.
BRIAN KREBS (Washington Post): Hi, Brad.
BRAD SMITH: Hi.
BRIAN KREBS: Hey, this guy who’s been arrested, you guys aren’t going to give any reward to somebody if they are somehow involved in the release of this thing, is that right?
BRAD SMITH: I won’t talk about this specific investigation in that respect but I will say that as a general matter of policy in terms of how our Antivirus Reward Program operates we would not pay a reward if an individual was involved in the launch of the virus about which they reported.
There may be times when individuals — and I’m not talking about this specific case, I’m just talking generally about policy and in effect our message to I’ll call it the hacker community — there may be times when individuals might have been involved in the past in activities that we would not applaud but our policy operates specifically so that you’re not eligible if you participated in the creation or launch of a virus and then came to us with respect to information about that particular virus.
BRIAN KREBS: Thanks.
BRAD SMITH: Sure.
OPERATOR: At this time there are no further questions. Are there any closing remarks?
BRAD SMITH: Nothing else. I would simply like to thank you for your time. We believe that this is an important step forward in the industry’s ability to fight viruses and other malicious code on the Internet. We believe that continued progress will require sustained efforts by companies like Microsoft, others in our industry and law enforcement agencies around the world.
We have clearly strengthened our ability over the last year to fight this problem and we look forward to going forward. This is just one of many ways that we as a company are focused on addressing the security needs of our customers and people who use the Internet. This partnership with law enforcement is a critical piece of it. Of course, we’re simultaneously very focused as a company in assisting consumers, providing educational material for them, making it easier for them to protect themselves on the Internet and through the strength of our products making customers more secure.
Ultimately we believe that this is a long-term effort that will turn in part on continued technical innovation as well as strong collaboration across our industry and with government.
So with that, thank you very much.