Saturday, August 30, 2003

Blaster worm trail leads to arrest
Minneapolis area 'loner' tells FBI he modified virus

By TODD BISHOP AND PAUL SHUKOVSKY
SEATTLE POST-INTELLIGENCER REPORTERS

Federal authorities said they were still hunting for the original creator of the Blaster computer worm after arresting a Minnesota teenager yesterday on charges that he unleashed an insidious variant that infected at least 7,000 machines.

Jeffrey Lee Parson, a physically imposing 18-year-old from a Minneapolis suburb, is the first to be arrested in connection with a series of computer viruses that infected hundreds of thousands of computers earlier this month by exploiting a flaw in Microsoft Corp.'s Windows operating system. Authorities said their success in tracking down Parson should send a message to others like him.

"We've got other variants; we've got other viruses, and we're not going to stop until we find everyone involved," said one federal criminal-justice source.

Parson admitted during an interview with an FBI agent that he had modified the original "Blaster" infection and created a version known by different names, including "Blaster.B.," according to court papers.

Parson, 6-foot-4 and 320 pounds, was described by neighbors as a loner who drives too fast. They said he nearly always wears baggy jeans with T-shirts, and the cut and color of his hair are constantly changing.

At his initial court appearance yesterday, he was placed on electronic monitoring and told not to access the Internet or any other network connection as a condition of his release. He did not enter a plea.

The teenager apparently took few steps to disguise his identity. As a byproduct of each infection, every victim's computer sent signals back to the "t33kid.com" Web site that Parson had registered in his own name, listing his home address. The computer bug also included an infecting file called "teekids.exe" that experts quickly associated with Parson's site.

At a news conference in Seattle yesterday, U.S. Attorney John McKay said a "very detailed and technical path" led investigators to Parson. He said the investigation is continuing in pursuit of the original creator of the Blaster worm.

The Seattle-based Northwest Cyber Crimes Task Force, a collaboration of federal, local and state law-enforcement agencies, was integrally involved in the investigation. Microsoft software engineers helped, disassembling the virus code and intentionally infecting a machine to see how the virus worked.

Microsoft issued a patch in mid-July that, when downloaded by computer users, corrects the flaw that was used by the original Blaster virus and its variants to infiltrate computer systems. Many users didn't download the patch, however, leaving their machines vulnerable.

Investigators said in court papers filed Thursday that a group of Chinese computer experts known as XFocus reverse-engineered the patch to find the vulnerability, then developed source code and a scanning tool to exploit it. The group then made the code and tool available to the public on the Internet, the court papers said.

Microsoft is considering using a service in future Windows operating systems that automatically downloads and installs software fixes on computers unless users decline.

"We are committed to doing more across the board" in pursuit of computer security, said Brad Smith, Microsoft's general counsel, during the news conference yesterday. "That means developing stronger software that is more resistant to attacks," in addition to educating consumers and fostering cooperation between the software industry and law enforcement.

Some people who have been dealing with the effects of the viruses and worms of the past few weeks reacted with mixed emotions to yesterday's arrest.

"I think it's good that they're able to track some people down and make them accountable," said Kris Harness, who owns Seattle-based KDH Consulting Inc., an information technology consulting company that has been cleaning the virus and installing patches on customers' computers. At the same time, he questioned whether the arrest would stop some other computer-savvy teen from doing the same type of thing.

Collectively, different versions of the viruslike worm, alternately called "LovSan" or "Blaster," snarled corporate networks worldwide, inundating more than 500,000 computers, according to Symantec Corp., a leading antivirus vendor. Experts consider it one of the worst outbreaks this year and found it particularly troubling because it was released less than a month after the patch was made available.

Parson's case is to be heard in U.S. District Court in Seattle, where it is being prosecuted because Microsoft is considered one of the main victims. Parson is scheduled to appear for a Sept. 17 hearing. The maximum penalty for intentionally causing and attempting to cause damage to a protected computer is 10 years in prison and a $250,000 fine.

FBI and Secret Service agents searched Parson's home Aug. 19 and seized seven computers, which are still being analyzed. One remaining computer will also be removed.

Each variant of the Blaster worm, including the one allegedly unleashed by Parson, scans the Internet for vulnerable computers and infects them. The infected computers, in turn, scan for more machines to attack. The worm also programmed computers to flood a Microsoft Web site with traffic beginning Aug. 16, but the company was able to avert that attack by taking the site offline.

Parson told the FBI he built into his Blaster version a method for reconnecting to victim computers later. Investigators said the worm allowed him to access individual computers and people's personal communications and finances. It wasn't immediately clear how he might have used that information.

This report includes information from The Associated Press.