Sasser worm
The Sasser worm is a computer worm that spreads on computers running the Microsoft operating systems Windows XP and Windows 2000. Unlike other recent worms, Sasser does not travel by email but connects directly to open ports on a computer. It is therefore particularly potent, since it spreads without any action by the user, but it is also easily stopped by a properly configured firewall or by installing the patches from Windows Update [1] (http://windowsupdate.microsoft.com). The specific hole Sasser exploits is documented by Microsoft in security bulletin MS04-011 (http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx).
Sasser was first noticed and started spreading in the wild on April 30, 2004. It spreads by exploiting a buffer overflow in the component known as LSASS (Local Security Authority Subsystem Service) on the affected operating systems. The worm scans different ranges of IP addresses and connects to victims' computers primarily through TCP port 445. Microsoft's analysis of the worm indicates that it may also spread through port 139. Several variants called Sasser.B, Sasser.C, and Sasser.D appeared within days (with the original named Sasser.A). The LSASS vulnerability was patched by Microsoft in the April 2004 installment of its monthly security packages, prior to the release of the worm. Some technology specialists have speculated that the worm's writers reverse-engineered the patch to discover the vulnerability, which would expose millions of computers whose operating systems had not been upgraded with the security update.
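The scanning behaviour just described (one source fanning out to many addresses on TCP 445 or 139 in a short time) is what a network defender can detect at the firewall even when the hosts themselves are unpatched. The following is an added example, not code from the article or from any vendor: it parses firewall log lines in a constructed format (the `src=... dst=... dport=...` layout and the sample lines are invented for this example) and flags sources that reach a threshold of distinct targets on the LSASS ports within a sliding time window.

```python
"""Flag hosts that fan out to TCP 445/139 across many addresses, the
scanning pattern the Sasser worm used. The log format and sample lines are
constructed for this example; adapt LINE_RE to your firewall's format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the worm used to reach LSASS: 445 primarily, 139 per Microsoft's analysis.
LSASS_PORTS = {445, 139}

# Constructed sample log (not from a real device). 10.0.0.5 sweeps six hosts
# in three seconds; 10.0.0.9 makes ordinary repeated connections to one host.
SAMPLE_LOG = """\
2004-05-01T10:00:01 src=10.0.0.5 dst=10.0.1.1 dport=445 proto=tcp action=deny
2004-05-01T10:00:01 src=10.0.0.5 dst=10.0.1.2 dport=445 proto=tcp action=deny
2004-05-01T10:00:02 src=10.0.0.5 dst=10.0.1.3 dport=445 proto=tcp action=deny
2004-05-01T10:00:02 src=10.0.0.5 dst=10.0.1.4 dport=139 proto=tcp action=deny
2004-05-01T10:00:03 src=10.0.0.5 dst=10.0.1.5 dport=445 proto=tcp action=deny
2004-05-01T10:00:03 src=10.0.0.5 dst=10.0.1.6 dport=445 proto=tcp action=allow
2004-05-01T10:00:04 src=10.0.0.9 dst=10.0.1.1 dport=445 proto=tcp action=allow
2004-05-01T10:00:05 src=10.0.0.9 dst=10.0.1.1 dport=445 proto=tcp action=allow
2004-05-01T10:00:06 src=10.0.0.9 dst=10.0.1.1 dport=80 proto=tcp action=allow
2004-05-01T10:30:00 src=10.0.0.5 dst=10.0.1.7 dport=445 proto=tcp action=deny
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))


def find_scanners(log_text, window=timedelta(minutes=1), threshold=5):
    """Return {src: distinct_targets} for every source that touched at least
    `threshold` distinct hosts on an LSASS port within some window of length
    `window`. Denied and allowed attempts both count: a blocked sweep is still
    evidence that the source is infected."""
    by_src = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] in LSASS_PORTS:
            by_src[rec[1]].append((rec[0], rec[2]))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until every event in
            # events[start:end+1] lies within `window` of events[end].
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct hosts on LSASS ports within one minute")
```

The sliding window matters: the same host making a handful of legitimate SMB connections spread over a day should not trip the rule, whereas a worm sweeps an address range in seconds. Tune `threshold` and `window` to the normal fan-out seen on the monitored segment.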
The effects of Sasser include the news agency Agence France-Presse (AFP) having all its satellite communications blocked for hours and the U.S. airline Delta Air Lines having to cancel several transatlantic flights because its computer systems had been swamped by the worm. The Nordic insurance company If and its Finnish owner Sampo Bank came to a complete halt and had to close their 130 offices in Finland. The British Coastguard had its electronic mapping service disabled for a few hours, and Goldman Sachs, Deutsche Post, and the European Commission also had problems with the worm. The X-ray department at Lund University Hospital had all four of its layer X-ray machines disabled for several hours and had to redirect emergency X-rays to a nearby hospital.
Sasser was at first believed to have been authored in Russia by the same person(s) who created another worm usually referred to as Lovsan, MSBlast or Blaster (names given by the media), a connection suggested by code similarities between the two, but on May 7 the 18-year-old computer science student Sven Jaschan from Rotenburg, Lower Saxony was arrested for writing the worm. He immediately confessed to having written not only Sasser but also Netsky.AC, a variant of the Netsky worm. Another variant of Sasser, Sasser.E, was found to be circulating shortly after the arrest. It was the only variant that attempted to remove other worms from the infected computer, much as Netsky did.
An indication that a given PC is infected with the worm is the existence of the file C:\WIN.LOG or C:\WIN2.LOG on the PC's hard disk, as well as seemingly random crashes of LSASS.EXE caused by faulty code in the worm.
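Those two indicators (the dropped WIN.LOG / WIN2.LOG files and LSASS.EXE crashes) are what an administrator would check when triaging a suspect machine. The script below is an added example, not from the article or from Microsoft: it looks for the indicator files under a caller-supplied root, so it can be pointed at `C:\` on a live host or at a mounted disk image or test directory, and counts crash entries in an exported event log whose "faulting application" line format is assumed for this example rather than taken from Windows itself.

```python
"""Triage a host for the Sasser indicators named in the article: the files
WIN.LOG / WIN2.LOG in the system drive root and crashes of LSASS.EXE.
The event-log line format used here is an assumption for the example."""
import os
import tempfile

# File names the worm was observed to leave in the root of the system drive.
INDICATOR_FILES = ("WIN.LOG", "WIN2.LOG")


def find_indicator_files(root):
    """Return the full paths of indicator files present directly under `root`
    (for a live Windows host pass 'C:\\'; for an image, its mount point)."""
    found = []
    for name in INDICATOR_FILES:
        path = os.path.join(root, name)
        if os.path.isfile(path):
            found.append(path)
    return found


def count_lsass_crashes(event_lines):
    """Count exported event-log lines that report a faulting LSASS.EXE.
    Matching is case-insensitive because export tools differ in casing."""
    return sum(
        1 for line in event_lines
        if "lsass.exe" in line.lower() and "fault" in line.lower()
    )


def triage(root, event_lines):
    """Combine both indicators into one verdict dictionary."""
    files = find_indicator_files(root)
    crashes = count_lsass_crashes(event_lines)
    return {
        "indicator_files": files,
        "lsass_crashes": crashes,
        "suspicious": bool(files) or crashes > 0,
    }


# Constructed event-log excerpt in a generic "Source: message" shape.
# Only the first line describes an LSASS.EXE crash.
SAMPLE_EVENTS = [
    "Application Error: Faulting application LSASS.EXE, version 5.1.2600.0",
    "Service Control Manager: The Print Spooler service entered the running state.",
    "Application Error: Faulting application notepad.exe, version 5.1.2600.0",
]


def run_demo(drop_indicator_file):
    """Run triage against a throwaway directory; when `drop_indicator_file`
    is true, create WIN.LOG there to imitate an infected system drive."""
    with tempfile.TemporaryDirectory() as root:
        if drop_indicator_file:
            with open(os.path.join(root, "WIN.LOG"), "w") as fh:
                fh.write("constructed placeholder content\n")
        events = SAMPLE_EVENTS if drop_indicator_file else []
        return triage(root, events)


if __name__ == "__main__":
    print("infected-looking host:", run_demo(True))
    print("clean host:           ", run_demo(False))
```

A match on either indicator is a reason to isolate the machine and apply the MS04-011 patch, not proof on its own: other software can write files with these names, and LSASS.EXE can crash for unrelated reasons, so the two signals are more convincing together and alongside the port 445/139 scanning seen on the network.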
See also: Timeline of notable computer viruses and worms
External links
- Read here how you can protect your PC (from Microsoft) (http://www.microsoft.com/security/incident/sasser.mspx) (Includes links to the info pages of all big Anti-Virus companies.)
- New Windows Worm on the Loose (Slashdot article) (http://slashdot.org/article.pl?sid=04/05/01/1618224)
- Report on the effects of the worm from the BBC (http://news.bbc.co.uk/1/hi/technology/3682537.stm)