Sasser, Phatbot arrests coordinated, but not linked

A 21-year-old German man was arrested and has admitted to creating the ubiquitous and dangerous Trojan horse programs Agobot and Phatbot, but is not connected to the German author of the Sasser Internet worm, a police spokesman said.

German police arrested the man on Friday in the southern German town of Waldshut and charged him under the country's computer sabotage law for attacks on computers in Germany, the U.K. and the U.S. linked to Agobot and Phatbot. Five other men were also charged in connection to the so-called Trojan programs, but there is no link to the arrest of an 18-year-old in connection with the Sasser Internet worm, said Horst Haug, a spokesman for the State Bureau of Investigation in Baden-Wuerttemberg.

Authorities arrested the Phatbot author, a "self-taught" hacker, following tips in recent weeks from the U.S. Federal Bureau of Investigation (FBI), Haug said. Police searched the suspect's home and seized computer hardware, software and documents, he said.

Agobot is a Trojan horse program that surreptitiously runs on computers running Microsoft Corp.'s Windows operating systems, providing malicious hackers with secret access to the compromised system. Since first appearing in October 2002, hundreds of versions of Agobot have been detected, including variants called, variously, Gaobot, Phatbot, and Polybot.

The computer code for Agobot circulates widely on the Internet, and may have been modified by countless individuals with access to it, said Mikko Hyppönen, manager of antivirus research at F-Secure Corp. in Helsinki.

Despite that, German authorities believe they have the original author of the Trojan, Haug said.

"He confessed to being the original author. He said he created both Agobot and Phatbot," he said.

Two other Waldshut men was also arrested on Friday in connection with the Agobot Trojan. Arrests were also made in Bavaria, Lower Saxony and Hamburg in the case, Haug said. The men are believed to work together to make Trojan horse programs and "other viruses," Haug said.

Also on Friday, police in Lower Saxony, in northern Germany, arrested an 18-year old and charged him with creating the Sasser worm, which appeared on May 1. That man is also being investigated on suspicion of creating the Netsky worm, but does not appear to be connected to the Agobot group, Haug said.

The Sasser arrest followed a tip to Microsoft Deutschland GmbH from individuals who asked about the possibility of receiving a reward in exchange for information about the creator of the Sasser worm, said Brad Smith, senior vice president and general counsel at Microsoft, in a statement.

Information provided to the authorities leading to the Sasser arrest came from Microsoft rather than the FBI, and German authorities do not believe the two groups of malicious code writers knew each other or worked together, Haug said.

"It doesn't seem like there is any direct connection," he said.

Prior to the arrests, however, officials were not sure whether the groups communicated with each other, and timed their arrests in the two cases to prevent crucial evidence from being destroyed, Haug said.

German police are currently analyzing the information seized in the arrests Friday, but cannot identify any of the suspects they have arrested, or describe the evidence against them, he said.

F-Secure has provided information to authorities on Agobot and Phatbot before, including the IRC (Internet Relay Chat) logs files containing user names and the IP (Internet Protocol) addresses of individuals who were selling customized versions of the Trojan horse program online, Hyppönen said.

The capture of the original Agobot author will increase the pressure on others who create malicious programs. However, the availability of the Agobot and Phatbot source code make it almost certain that new versions of the Trojan will continue to appear, he said.