A German judge on Friday handed down a suspended sentence of one year and nine months to the teenager who admitted he created last year's Sasser computer worm.
In addition, 19-year-old Sven Jaschan has to complete 30 hours of community service while on probation, the court in Verden, Germany, said in a statement. The probationary period is three years. Jaschan will have to fulfil the community service part of his sentence in a retirement home or a hospital, the court said.
Jaschan was found guilty on four counts of altering data and three counts of computer sabotage. The sentence marks one of few successful prosecutions of a virus writer. Authors of malicious code have typically proved difficult for law enforcement to track and catch.
During his trial, Jaschan admitted to charges of data manipulation, computer sabotage and interfering with public corporations. The trial started on Tuesday and ended on Friday. It was held behind closed doors because Jaschan was a minor at the time of the crime.
The Sasser worm and its six known variants started spreading in May 2004 and compromised hundreds of thousands of computers running the Windows operating system. Sasser exploited a flaw in the Windows 2000 and Windows XP operating systems and caused PCs to crash and reboot.
The suspended sentence was expected. In closing arguments on Thursday, prosecutors asked for a two-year suspended sentence with a three-year probation period. Jaschan's defense argued for a one-year suspended sentence.
Worm tracks
The teenager carefully planned the launch of the Sasser worm and released variants that would spread faster, maximizing the damage, the court found. The damage was immense and only a fraction of the total damage could be determined during trial, the court said.
Still, Jaschan's actions were typical of those of an isolated, troubled youth and not carried out for commercial gain, the court said. Jaschan created the worm in search of some form of acknowledgement from his peers, it found.
Jaschan, a resident of the town of Waffensen, was arrested in May last year after Microsoft received a tip from an informant seeking a $250,000 (£144,000) reward.
The Sasser case is the only success so far for Microsoft's Anti-Virus Reward Program, which was launched in November 2003. The program has offered a total of $1m to informants who help close official investigations into four major viruses and worms, including Sasser, and has another $4m earmarked for future rewards.
Microsoft has not disclosed the identity of the informants in the Sasser case, but the software giant said on Friday it will pay the reward money to two individuals who helped identify the worm's author. They will share the $250,000.
"It has been important and gratifying to collaborate with and support law enforcement in this case," Nancy Anderson, Microsoft general counsel, said in a statement. "We're glad to provide a monetary reward to those individuals who provided credible information that helped the German police authorities."
Under the program rules, informants cannot be involved in the crime and need to provide information that leads to the conviction of the suspect.
According to Microsoft's Web site, rewards of $250,000 can still be collected for information that leads to the arrest and conviction of those responsible for launching the MyDoom.B worm, the Sobig virus and the MSBlast.A worm, which is also known as Blaster.
CNET News.com's Dawn Kawamoto contributed to this report.
Talkback
Wow. That's a bit harsh, far too vigorous on the sentancing and 30hours community service on top. It's a scandle.
Sven Jaschan should appeal and if he wins he should be able to claim millions in compensation.
It's about time people recognised just how much work and effort Sven put into screwwing up millions of computers worldwide.
German justice WHAT A JOKE!
Isn't the joke on us? For making it possible that a student boy can graft up code that is capable of damaging countless PC's in a jiffy? And judging from sales figures here and there the average consumer seems to shout: MORE, MORE, MORE!
Do you actually believe what's said in the PR releases that are copied as is by plenty of news agencies as if it was actual news? It's like that story of the three little pigs. Or like that second hand car salesman that turns a car wreck into a hot machine with some duck tape and a repaint. People stand in line to buy such cars. And the few that complain can get a new car. Also held together with duch tape and a repaint. But hey, it does look cool, doesn't it? Never mind the lack of good safety belts and locks, how often do you need those anyway?
Juvenile justice.
It may sound frustrating, but the fact is that criminal liability, including liability for cyber crimes, can be fixed only if there is a culpable intention behind the same. This culpable intention is again bifurcated as per the “maturity level” of the offender. If he is a major and matured person, he has to face the consequences of his act or omission. But if the accused is a “juvenile” or “minor” then the law will presume him to be a “deviant” rather than “criminal”.
The suspended sentence and the release on probation is a benign step in right direction. It is as per the mandates and theme of “The Convention on the Rights of the Child”, to which most of the countries, including India, are parties. Now the options available to the learned and respected Judge, dealing with a “juvenile deviant”, are very few when it comes to sentencing if a country is party to such Convention or if the municipal law contains provisions for the protection of juveniles.
The learned judge has ordered for (a) Community service, (b) Suspended sentence, and (c) Probationary period.
These were the possible options available to the respected and learned Judge. There is, however, an option that could have been exercised in this case. The Judge could have asked, with due respect to the judgment, to render the “community service” in the form of assisting the “law enforcement agencies” in making the security system more effective and tamper proof. The “malware knowledge” of the accused could be used for strengthening the security base of the Internet at large. Recently, there was news that the creator of the “Sasser worm” has been hired as a “security software programmer” by a German firm, so that he can make firewalls, which will stop suspected files from entering computer systems. (The Times Of India (Delhi Times); “ Net gain for e-crime”, D/ 20-09-04, P-5.) The same could have been done for the purpose of “Securing Inetrnet at large” in public interest.
In any case, the decision of the learned Judge is as per the requirements of law, though it may be agitated on the basis of the “moral liability” and the “extreme damage” caused by the act of the accused.