
Netsky And Sasser Viruses

Computer virus creators can sometimes escape detention. However, authorities occasionally find a way to track a virus to its origin, as they did in the case of the Netsky and Sasser viruses. The two programs were created by a German named Sven Jaschan, who later released them onto the Internet. Although the two worms behaved differently, security experts came to believe that they were created by the same person because they shared similar code.

The Sasser worm attacked computers through a vulnerability in Microsoft Windows. In contrast to other worms, the Sasser worm did not spread through e-mail. Rather, once it had infected a computer, the virus looked for other vulnerable systems. When the Sasser worm contacted a vulnerable system, it gave that system instructions to download the virus. Unlike the Sasser worm, the Netsky virus can spread through Windows networks and e-mails (Leyden, 2001).

Before the creator of the Sasser worm was tracked down, Microsoft was contacted by sources asking whether they would be given a monetary reward for providing information about the author of the worm. The company had declared in November 2003 that it would offer a reward amounting to $250,000 for information that would lead to the prosecution of those behind three major worms: Sobig, Blaster, and Mydoom. The process of tracking down the creator of the Sasser and Netsky worms began with an analysis of the code of the two viruses in order to identify important clues. The FBI took the code apart to find out whether it contained any information pointing to the creators of other viruses. An analysis of the Netsky and Sasser viruses indicated a close link between the two, which led to the conclusion that one person was behind the creation of both (Leyden, 2001).

According to Microsoft, source code provided by informants indicated that their lead was genuine. Microsoft’s general counsel, Brad Smith, said, “We had overwhelming technical evidence in this case provided by the informants and confirmed by our experts.” Other agencies that helped Microsoft trace the origins of the Sasser virus were the Secret Service and the United States Federal Bureau of Investigation.

A message was found buried in the code of the Netsky virus, which said, “Do you know that we have programmed the Sasser virus? Yeah, that’s true.” This message led the investigators to conclude that the creator of the Sasser worm could also have been responsible for creating the Netsky worm. Earlier evidence indicated that a gang of virus writers was responsible for creating the Netsky virus. Vital clues to the identity of other members of the gang could be obtained from the suspect’s computer (Lyman, 2004).

It is therefore clear that the virus code was used to track down the creator of the Sasser worm, who is thought to have also created the Netsky worm and who was arrested in May 2004. A German magazine, Der Spiegel, indicated that the creator of the worm was a technical secondary school graduate who was awaiting his high school diploma. According to the magazine, the police found useful incriminating evidence when they raided the suspect’s home. After the raid, the young man confessed right away (Lyman, 2004).

While the Sasser and Netsky worm suspects were tracked down by tracing the origin of the worms, the arrest of the Goner creators resulted from messages that were coded into the Goner virus and from scrutiny of an IRC channel. The Goner virus, which normally spreads to vulnerable systems through e-mail, installs denial-of-service scripts for the mIRC Internet Relay Chat client as one of its actions. Security experts working for DALnet IRC managed to track down the suspected creators by monitoring the #pentagonex channel used to control the activities of the worm. According to Emma Monks, a volunteer with DALnet’s exploits prevention team, the DALnet team set out to track down the virus creators after disabling the worm’s denial-of-service activities, which were believed to be directed at a rival gang’s ISP (Leyden, 2001).

The Goner worm displayed a message upon activation, and it was believed that the creator addressed the message to his friends. The message said, “Pentagone - coded by: suid. tested by ThE_SKuLL and [satan]. greetings to: TraceWar, k9-unit, stef16, ^Reno. Greetings also to nonick2 out there where ever you are” (Leyden, 2001). Investigators were able to get vital clues from the records obtained from DALnet. DALnet records present the IP address of any person setting up an IRC channel, which could be combined with the nicknames featured in the message generated by the virus. The IP addresses of gang members were obtained by cross-referencing the nicknames of those trying to control drones on vulnerable systems.
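The cross-referencing described above, as an added sketch that is not from the original article or from DALnet: it extracts the nicknames credited in the worm's message and matches them against channel records, folding case the way RFC 1459 servers compare nicknames. The log format, the records, the timestamps and the IP addresses (documentation ranges) are constructed for illustration.

```python
import re
from collections import defaultdict
# Credit message shown by the Goner worm, as quoted in the article.
WORM_MESSAGE = (
    "Pentagone - coded by: suid. tested by ThE_SKuLL and [satan]. "
    "greetings to: TraceWar, k9-unit, stef16, ^Reno. "
    "Greetings also to nonick2 out there where ever you are"
)
# Constructed records in a hypothetical "time event channel nick ip" format.
SAMPLE_LOG = """\
2001-12-03T10:02:11 JOIN #pentagonex suid 192.0.2.14
2001-12-03T10:02:40 OP #pentagonex SUID 192.0.2.14
2001-12-03T10:05:09 JOIN #pentagonex the_skull 198.51.100.7
2001-12-03T10:06:30 JOIN #pentagonex drone4821 203.0.113.90
2001-12-03T10:07:02 JOIN #cooking suid 203.0.113.5
2001-12-03T10:09:55 JOIN #pentagonex {SATAN} 198.51.100.23
malformed line without fields
"""
ROLE_PATTERNS = [
    ("author", r"coded by:\s*(.+?)\.\s"),
    ("tester", r"tested by\s+(.+?)\.\s"),
    ("greeted", r"greetings to:\s*(.+?)\.\s"),
    ("greeted", r"Greetings also to\s+(\S+)"),
]

def fold(nick):
    """Case-fold as RFC 1459 servers compare nicks ("[" equals "{", etc.)."""
    return nick.lower().translate(str.maketrans("[]\\~", "{}|^"))

def nicks_from_message(message):
    """Return {folded_nick: role} for every name credited in the message."""
    roles = {}
    for role, pattern in ROLE_PATTERNS:
        if match := re.search(pattern, message):
            for name in re.split(r",\s*|\s+and\s+", match.group(1)):
                roles.setdefault(fold(name.strip()), role)
    return roles

def correlate(message, log_text, channel):
    """Map each credited nickname seen in `channel` to the IPs it used."""
    roles, hits = nicks_from_message(message), defaultdict(set)
    for fields in map(str.split, log_text.splitlines()):
        if len(fields) == 5 and fields[2].lower() == channel.lower():
            key = fold(fields[3])
            if key in roles:  # ignore drones and other uncredited nicks
                hits[key].add(fields[4])
    return {n: (roles[n], sorted(ips)) for n, ips in hits.items()}

if __name__ == "__main__":
    print(correlate(WORM_MESSAGE, SAMPLE_LOG, "#pentagonex"))
```

A nickname match is only a lead: nicknames can be shared or impersonated, so the resulting addresses still need corroboration from other evidence.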

The information gathered by Emma Monks was presented to the Federal Bureau of Investigation, which then passed it on to the Israeli police. Four teenagers were identified as suspects and arrested in December 2001. Their computers were also seized (Leyden, 2001).

In conclusion, while there is substantial similarity between the Sasser and Netsky worms and one suspect is thought to have created both viruses, the Goner worm is quite different, and four suspects were arrested for creating it.


Leyden, J. (2001) How Goner suspects were tracked down. Retrieved on July 5, 2012


Lyman, J. (2004) Author of Sasser, Netsky Worms Indicated. TechNewsWorld. Retrieved on July 5, 2012 from

Warner, B. (2004) Hunt for Sasser worm culprit starts in earnest. USA Today. Retrieved on July 5, 2012 from
