FBI arrests MSBlast worm suspect

The U.S. Attorney's Office believes the 18-year-old is a "key and significant player" in the worm attack that compromised hundreds of thousands of computers earlier this month.

David Becker
David Becker Staff Writer, CNET News.com
David Becker
covers games and gadgets.
4 min read
Federal law enforcement officials confirmed on Friday that they have arrested a suspect in the MSBlast worm attack that compromised hundreds of thousands of computers earlier this month.

U.S. Attorney John McKay of Seattle said 18-year-old Jeffrey Lee Parson of Minneapolis was arrested and charged with one count of intentionally damaging a protected computer.

Parson allegedly created MSBlast.B, a variation that differed from the original worm mainly in that two files had been renamed--one with Parson's screen name, "teekid"--and a couple of profane messages aimed at Microsoft and Bill Gates had been added. The B variant achieved only modest distribution in comparison to the original worm and the recent D variant.

McKay said the B variant was a significant part of the continuing spread of the so-called Blaster worm. "We believe he is a key and significant player in the Blaster worm problem and that his arrest is a significant step forward," McKay said during a news conference. "This was a significant attack not only against Microsoft but against thousands of home computer owners and business computer owners."

The MSBlast worm attacks computers that are equipped with Microsoft's Windows software via a flaw in some versions of the operating system. Microsoft had issued warnings about the dangers of the flaw on July 16. The worm, also known as W32/Blaster and W32.Lovsan, began spreading Aug. 11.

In the first 24 hours, MSBlast turned up on an estimated 120,000 computers around the world, despite what was seen as relatively crude programming. The worm was able to spread rapidly, because many home Windows users and corporate information technology departments had yet to implement a patch made available by Microsoft in July.

FBI agents arrested Parson at his home early Friday morning, McKay said, and he appeared before a judge in the U.S. District Court for Minnesota a few hours later. McKay said Parson was released under house arrest, with the condition that he not access the Internet. He faces possible penalties of 10 years in prison and $250,000 in fines if convicted.

Special coverage
'MSBlast' echoes across the Net
The latest worm to torment Internet users
exploits a widespread Windows flaw.

McKay said federal authorities were continuing their investigation to identify other suspects in the MSBlast attack, including those responsible for creating the original worm.

The B variant infected at least 7,000 computers and caused damage to Microsoft computers that "significantly exceeds $5,000," according to the complaint. McKay disputed suggestions that the figures indicate Parson was a minor player in the overall Blaster problem, saying the complaint cites a deliberately limited estimate. "We're not prepared today to quantify what that harm is, but it's substantial," he said.

According to the complaint, FBI agents traced traffic the Blaster worm generated back to a Web site of a similar name to Parson's online alias. The site allegedly had source code for other worms, including one designed to spread via file-sharing networks.

Agents were able to trace the site back to Parson using a public database, according to the complaint. "I wouldn't characterize the work as being easy," McKay said, but "he obviously left clues."

Agents searched Parson's home last week, according to the complaint, seized seven computers and obtained a confession from Parson. "Parson admitted modifying the Blaster worm and creating the variant," according to the complaint. "Parson also admitted that he renamed the original 'MSBlast.exe' executable 'teekids.exe' after his online name 'teekid.'"

Neighbors interviewed by the Associated Press described Parson as a big kid who drove too fast, changed his hair color often and spent a lot of time on his computers. Neighbor Curtis Mackey said the allegations surprise him. "I didn't think he had the smarts for it myself," he told the news service. "The profile kind of fits. He kind of liked to be alone a lot."

Earlier this week, FBI Director Robert Mueller said his agency was working alongside the U.S. Department of Homeland Security and with state and local law enforcement offices to track down suspects.

Security software companies lauded the government's increased effort to bring virus writers to justice. Craig Schmugar, research engineer at Network Associates, said the FBI and other law enforcement groups have clearly been placing greater emphasis on pursuing hackers and other Internet criminals.

"This arrest sends a message to other people who might try to create new variants of existing viruses," Schmugar said. "This sort of thing isn't going to go unpunished anymore."

Schmugar said he was not surprised that the suspect is a teenager, as that would fit the industry profile of the average virus writer. According to demographics collected by Network Associates, virus activity tends to increase when school is in session and wane during the summer vacation months.

"But this was the summer from hell," Schmugar said.