Plea Agreement in
U.S. v. Jeffrey Lee Parson

Introduction

On 11 August 2003, the first version of the Blaster (also called MS Blaster, MSBlast, or Lovsan) worm was found. Subsequently, many variants of this worm appeared. On 13 Aug 2003, Jeffrey Parson, then a few weeks past his 18th birthday, released the Blaster.B worm from his house near Minneapolis. On 19 Aug 2003, federal agents searched Parson's house on suspicion that he had released a malicious computer program, and Parson was arrested on 29 Aug 2003. On 11 Aug 2004, Jeffrey Lee Parson pled guilty. This document is an HTML version of the official Plea Agreement in U.S. v. Jeffrey Lee Parson. On 28 Jan 2005, Parson was sentenced by Judge Pechman in U.S. District Court in Seattle.

I have posted this Plea Agreement from the Blaster.B case because:
Because I believe that this historical document should be readily available, I acquired a photocopy from the court clerk of the U.S. District Court in Seattle, scanned it, used optical character recognition software to convert the document to ASCII text, formatted the text in HTML, and posted it on the Internet at my website.

Ronald B. Standler
27 March 2005



[Plea Agreement -- Page 1 of 9]

U.S. District Court

Western District of Washington
At Seattle

United States of America v. Jeffrey Lee Parson

PLEA AGREEMENT


Case Number: CR03-0379P

The United States of America, by and through John McKay, United States Attorney for the Western District of Washington, and Annette L. Hayes, Assistant United States Attorney for said District, and the defendant, JEFFREY LEE PARSON, and his attorneys, Carol Koller and Nancy Tenney, enter into the following Plea Agreement, pursuant to Federal Rule of Criminal Procedure 11 (c)(1)(C):

1. The Charges. Defendant, having been advised of the right to have this matter tried before a jury, agrees to waive that right and enter a plea of guilty to intentionally causing and attempting to cause damage to a protected computer, as charged in Count One of the Indictment, in violation of Title 18, United States Code, Sections 1030(a)(5)(A)(i), 1030(a)(5)(B)(i), 1030(b), and 1030(c)(4)A). By entering this plea of guilty, Defendant hereby waives all objections to the form of the charging document.

2. Elements of the Offense. The elements of the offense of intentionally causing and attempting to cause damage to a protected computer, in violation of


[Plea Agreement -- Page 2 of 9]

Title 18, United States Code, Sections 1030(a)(5)(A)(i), 1030(a)(5)(B)(i), 1030(b), and 1030(c)(4)(A), as charged in Count One of the Indictment, are as follows:
  1. First, Defendant knowingly caused and attempted to cause the transmission of a program, information, code and command to computers without authorization;
  2. Second, as a result of the transmission, Defendant intentionally impaired the integrity and availability of data, a program, a system and information;
  3. Third, the impairment of the data, program, system and information resulted in losses to one or more persons totaling at least $5,000 in value during a one-year period; and
  4. Fourth, the computers damaged were used in interstate or foreign commerce or communication.

3. The Penalties. Defendant understands that the statutory penalties for the ,offense of intentionally causing and attempting to cause damage to a protected computer, as charged in Count One, are imprisonment for up to ten (10) years, a fine of up to two hundred fifty thousand dollars ($250,000.00), a period of supervision following release from prison of between two (2) to three (3) years, and a one hundred dollar ($100.00) penalty assessment. If defendant receives a sentence of probation, the probationary period could be up to five (5) years. Defendant agrees that the penalty assessment shall be paid at or before the time of sentencing.

Defendant understands that in addition to any term of imprisonment and/or fine that is imposed, the Court may order Defendant to pay restitution to any victim of the offense, as required by law. Defendant further understands that a consequence of pleading guilty may include the forfeiture of certain property either as a part of the sentence imposed by the Court, or as a result of civil judicial or administrative process.

Defendant agrees that any monetary penalty the Court imposes, including the special assessment, fine, costs or restitution, is due and payable immediately, and further agrees to submit a completed Financial Statement of Debtor form as requested by the


[Plea Agreement -- Page 3 of 9]

United States Attorney's Office.

Defendant understands that supervised release is a period of time following imprisonment during which he will be subject to certain restrictions and requirements. Defendant further understands that if supervised release is imposed and he violates one or more of its conditions, he could be returned to prison for all or part of the term of supervised release that was originally imposed. This could result in Defendant serving a total term of imprisonment greater than the statutory maximum stated above.

4. Rights Waived by Pleading Guilty. Defendant understands that, by pleading guilty, he knowingly and voluntarily waives the following rights:
  1. The right to plead not guilty, and to persist in a plea of not guilty;
  2. The right to a speedy and public trial before a jury of Defendant's peers;
  3. The right to the effective assistance of counsel at trial, including, if Defendant could not afford an attorney, the right to have the Court appoint one for Defendant;
  4. The right to be presumed innocent until guilt has been established at trial, beyond a reasonable doubt;
  5. The right to confront and cross-examine witnesses against Defendant;
  6. The right to compel or subpoena witnesses to appear on Defendant's behalf;
  7. The right to testify or to remain silent at trial, at which such silence could not be used against Defendant; and
  8. The right to appeal a finding of guilt or any pretrial rulings.
  9. The right, to the extent required by law, to have sentencing factors charged in the Indictment or determined by a jury beyond a reasonable doubt.
5. United States Sentencing Guidelines. Defendant understands and acknowledges that, absent applicable intervening law:
  1. The United States Sentencing Guidelines (hereinafter "Sentencing


    [Plea Agreement -- Page 4 of 9]

    Guidelines"), promulgated by the United States Sentencing Commission, are applicable to this case;
  2. The Court will determine Defendant's applicable Sentencing Guidelines range at the time of sentencing; and
  3. Except as provided in paragraph 9. below, Defendant may not withdraw a guilty plea solely because of the sentence imposed by the Court.

6. Ultimate Sentence. Defendant acknowledges that no one has promised or guaranteed what sentence the Court will impose.

7. Restitution. Defendant shall make restitution to Microsoft Corporation and any other victims in an amount to be determined at the time of sentencing. Said amount shall be due and payable immediately and shall be paid in accordance with a schedule of payments as ordered by the Court.

8. Statement of Facts. The parties agree on the following facts in support of Defendant's guilty plea and sentencing. Defendant admits he is guilty of the charged offense and expressly waives any right to have these facts determined by a jury beyond a reasonable doubt.
  1. JEFFREY LEE PARSON learned about the MS Blaster worm via the Internet web site www.antivirus.com. PARSON learned that the MS Blaster worm was designed to randomly spread and infect individual computers with code that then directed the infected computers to launch a DDoS against Microsoft Corporation's web site windowsupdate.com at various pre-programmed dates and times, beginning on August 16, 2003. PARSON obtained a copy of the MS Blaster worm from a computer he had access to because he had previously infected it with a back door remote access program. PARSON downloaded the worm to his home computer, and edited it
  2. JEFFREY LEE PARSON created a new version of the MS Blaster worm. PARSON's version of the MS Blaster worm is known by various names including the "B" or "teekids" variant. PARSON's worm will hereinafter be referred to as "the B variant of the MS Blaster worm."


    [Plea Agreement -- Page 5 of 9]

  3. The B variant of the MS Blaster worm includes, among other things; (1) a version of the original MS Blaster worm renamed "teekids.exe;" and (2) a Lithium back door software program that when installed on an infected computer, allows anyone who knows it is there to freely access the infected computer and operate it remotely. JEFFREY LEE PARSON included the Lithium back door remote access software as part of his worm so that he could reconnect to the infected computers at a later time.
  4. On or about August 12, 2003, JEFFREY LEE PARSON knowingly caused the transmission of a program, information, code and command, onto the Internet, that is, the B variant of the MS Blaster worm. In particular, JEFFREY LEE PARSON released the B variant of the MS Blaster worm from his home computer, in Hopkins, Minnesota, onto approximately fifty (50) computers he had previously compromised with the Lithium back door remote access program.
  5. The B variant of the MS Blaster worm that JEFFREY LEE PARSON created was propagated across the Internet in two distinct generations. The first generation propagated the entire worm (including "teekids.exe" and the Lithium back door). The first generation of the B variant of the MS Blaster worm directed each of the infected computers to contact JEFFREY LEE PARSON's web site at www.t33kid.com so that he could maintain a list of the computers that had the Lithium back door remote access software installed on them. The second generation propagated just the renamed version of the MS Blaster worm (i.e., "teekids.exe" without the Lithium back door) via the propagation tool found in the original MS Blaster worm.
  6. By August 16, 2003, approximately 1222 IP addresses logged in at JEFFREY LEE PARSON's web site www.t33kid.com. Each IP address corresponds to a computer that was infected with the B variant of the MS Blaster worm (i.e., the entire worm including the Lithium back door). The parties do not agree as to the number of computers represented by the 1222 IP addresses.
  7. As a result of his transmission of the B variant of the MS Blaster worm, JEFFREY LEE PARSON intentionally impaired the integrity and availability of

    [Plea Agreement -- Page 6 of 9]

    data, a program, a system, and information, in two ways: (1) by infecting computers connected to the Internet with the B variant of the MS Blaster worm; and (2) thereby launching a DDoS attack against Microsoft Corporation's web site windowsupdate.com from those infected computers, on or about August 16, 2003, and the other preprogrammed dates and times. The DDoS attacks caused by the B variant of the MS Blaster worm did not succeed in shutting down Microsoft's web site. Microsoft was able to respond to the attacks in a number of ways in the days leading up to the first attack, on or about August 16, 2003.
  8. The impairment of the data, program, system and information caused by the B variant of the MS Blaster worm resulted in losses to Microsoft Corporation and the owners of the computers infected by the B variant of the MS Blaster worm (including the computers represented by the IP addresses registered on JEFFREY LEE PARSON's web site www.t33kid.com totaling at least $5,000 in value during a one-year period beginning on August 12, 2003.
  9. The computers damaged by the B variant of the MS Blaster worm were used in interstate or foreign commerce or communication.
  10. The B variant of the MS Blaster worm infected 50 or more victim computers.

8. [sic]   Sentencing. Pursuant to Rule 11 (c)(1)(C) of the Federal Rules of Criminal Procedure, the parties acknowledge and agree that Defendant should be sentenced to a term of imprisonment of not less than eighteen (18) months, and not more than thirty-seven (37) months. If the sentencing court does not adopt the agreement of the parties and instead imposes a sentence outside the agreed upon range, both Defendant and the United States reserve the right to withdraw from this agreement pursuant to Rule 11(c)(1)(C) of the Federal Rules of Criminal Procedure and to proceed to trial. No other agreement has been made with regard to the imposition of sentence in this matter, and the parties understand that the Court retains full discretion to impose a sentence within the range agreed to above. Further, the parties understand that the Court retains full discretion with


[Plea Agreement -- Page 7 of 9]

regard to the imposition of a term of supervised release, the conditions of supervised release, fines, forfeiture, or restitution, as may be applicable.

9. Non-Prosecution of Additional Offenses. As part of this Plea Agreement, the United States Attorney's Office for the Western District of Washington agrees not to prosecute Defendant for any additional offenses known to it as of the time of this Plea Agreement that are based upon evidence in its possession at this time, or that arise out of the conduct giving rise to this investigation. In this regard, Defendant recognizes that the United States has agreed not to prosecute all of the criminal charges that the evidence establishes were committed by Defendant solely because of the promises made by Defendant in this Plea Agreement. Defendant acknowledges and agrees, however, that for purposes of preparing the Presentence Report, the United States Attorney's Office will provide the United States Probation Office with evidence of all relevant conduct committed by Defendant.

10. Voluntariness of Plea. Defendant acknowledges that he has entered into this Plea Agreement freely and voluntarily, and that no threats or promises, other than the promises contained in this Plea Agreement, were made to induce Defendant to enter this plea of guilty.

11. Statute of Limitations. In the event that this Plea Agreement is not accepted by the Court for any reason, or Defendant has breached any of the terms of this Plea Agreement, the statute of limitations shall be deemed to have been tolled from the date of the Plea Agreement to: (1) 30 days following the date of non-acceptance of the Plea Agreement by the Court; or (2) 30 days following the date on which a breach of the Pica Agreement by Defendant is discovered by the United States Attorney's Office.

12. Acceptance of Responsibility. The United States acknowledges that Defendant has assisted the United States by timely notifying the authorities of his intention to plead guilty, thereby permitting the United States to avoid preparing for trial and permitting the Court to allocate its resources efficiently. If at the time of sentencing, the United States remains satisfied that Defendant has accepted responsibility, then it will


[Plea Agreement -- Page 8 of 9]

recommend a sentence that takes this acceptance of responsibility into consideration. Defendant understands and agrees that the United States will base its recommendation on the factors set forth in the United States Sentencing Guidelines, including Section 3E1.1.

13. Post-Plea Conduct. Defendant understands that the terms of this Plea Agreement apply only to conduct that occurred prior to the execution of this Agreement. If, after the date of this Agreement, Defendant should engage in illegal conduct, or conduct that is in violation of his conditions of release (examples of which include, but are not limited to: obstruction of justice, failure to appear for a court proceeding, criminal conduct while pending sentencing, and false statements to law enforcement agents, the Pretrial Services Officer, Probation Officer or Court), the United States is free under this Agreement to seek a sentence that takes such conduct into consideration. Such a sentence could include, to the extent the United States Sentencing Guidelines are applicable, a sentencing enhancement or upward departure.

14. Completeness of Agreement. The United States and Defendant acknowledge that these terms constitute the entire Plea Agreement between the parties.


[Plea Agreement -- Page 9 of 9]

This Plea Agreement only binds the United States Attorney's Office for the Western District of Washington. It does not bind any other United States Attorney's Office or any other office or agency of the United States, or any state or local prosecutor.

DATED this 11th day of August, 2004.

/signed/
Jeffrey Lee Parson, Defendant
Carol Koller, Attorney for Defendant
Nancy Tenney, Attorney for Defendant
Annette L. Hayes, signing for Floyd G. Short, Assistant U.S. Attorney
Annette L. Hayes, Assistant U.S. Attorney




this document is at   http://www.rbs2.com/parson0.html
28 March 2005

return to my essay, Examples of Malicious Computer Programs, Part 2

go to my homepage