
Sasser Worm

Old 05-03-04, 02:40 PM
  #1  
DVD Talk Hall of Fame
Thread Starter
 
Join Date: Apr 2001
Location: Eugene, OR
Posts: 8,242
Sasser Worm

I could always use unexpected work.

http://www.globetechnology.com/servl...ry/Technology/
Newest Sasser worm a greater danger

By Robert Lemos and Dawn Kawamoto
CNET

A newer, better-built version of the Sasser worm has boosted the infectiousness of the original, spreading to more than 10,000 computers by Monday afternoon, antivirus company Symantec said.

The new worm, Sasser.B, like its predecessor Sasser.A, takes advantage of a vulnerability in unpatched versions of Windows XP and Windows 2000 systems. The worms infect vulnerable systems by establishing a remote connection to the targeted computer, installing a file transfer protocol (FTP) server and then downloading themselves to the new host.

The original version of the Sasser worm spread slowly, but the Sasser.B version is infecting computers much faster.

"The worm has improved significantly," said Alfred Huger, senior director for Symantec's security response centre, who added that Symantec was not yet sure exactly what changes had been incorporated into the new version.

By Monday afternoon, Symantec could confirm, by scanning for open FTP servers on computers from which the company's sensor detected potential attacks, that more than 10,000 computers had been infected by the Sasser worm.

The Sasser variants can spread rapidly from an infected computer to one that is vulnerable, without any user interaction required. The worm spreads by scanning different ranges of Internet addresses using a specific application data channel, or port, numbered 445. Microsoft has analyzed the worm and believes it also spreads through port 139. Both are data channels used by the Windows file sharing protocol and, in many cases, are blocked by Internet service providers. Once a vulnerable system is found, Sasser installs an FTP server and then transfers itself to the new host.

Symantec's Mr. Huger said the amount of data that addresses port 445 makes it difficult to differentiate worm traffic from other, legitimate traffic. Moreover, recent modifications to attack software known as bot software cause other malicious programs to use the same port as well.

"Port 445 is the busiest port in existence," Mr. Huger said.

Symantec raised Sasser.B to a seriousness level of 4 from level 3 on its five-point scale Sunday afternoon. The security software company had only 200 reports of the original Sasser worm from its customers, but it's gotten more than 5,000 reports of the new version since Saturday.

Mr. Huger warned customers that many compromised systems may not be visible to external security surveys and detection, meaning the actual number of infected systems could be higher. While Symantec, and other organizations that monitor Internet threats, had believed that a previous worm, MSBlast, had spread to perhaps 500,000 computers, Microsoft discovered that almost 10 million computers had been infected to date.

Internal networks belonging to companies that didn't patch their systems in time could be teeming with infected systems, Mr. Huger said. "The majority of the damage that we are going to see [is] going to be on the internal network," he said.

Rival antivirus company Panda Software raised Sasser.A and Sasser.B to a red alert status from amber on Sunday.

"This worm could definitely hit as many computers as MSBlast," said Patrick Hinojosa, Panda Software U.S.A. chief technology officer. MSBlast, also known as Blaster, launched last summer and exploited a vulnerability as widespread as the flaw that Sasser uses to infiltrate systems.

Panda has also detected Sasser.C and D variants, which could also be upgraded to red alerts Monday, Hinojosa said. These two variants can look for 1,024 separate IP addresses simultaneously as a means to spread themselves, making them more virulent than the original, he added.

The Sasser worm does not carry a destructive payload, but it can result in system degradation, antivirus experts say.

"It can cause machines to reboot when connecting to the Internet. So, if you're a company, your edge servers will be continually rebooting," Mr. Hinojosa said.

Though Sasser.B does not feature a back door to allow spammers and others to enter a user's system, Symantec's Mr. Huger said he would not be surprised if that feature is added to later versions of Sasser.
dancinns is offline  
Old 05-03-04, 02:49 PM
  #2  
X
Administrator
 
Join Date: Oct 1987
Location: AA-
Posts: 10,676
Oh, I was wondering why I get pages and pages of logs from my firewall with hits on port 445.
X is offline  
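The article describes the worm's spread as scanning ranges of addresses on ports 445 and 139, and the post above notes that this shows up as pages of firewall log hits on port 445. The following is an added example, not code from the article, Symantec, or anyone in this thread, showing how a defender can separate that scanning fan-out from ordinary file-sharing traffic in such logs: a source that contacts many distinct hosts on 445/139 inside a short window is flagged, while a client that talks repeatedly to one file server is not. The log line format, the sample addresses, and the window and target thresholds are all constructed assumptions; a real firewall's format will differ and the thresholds need tuning per network.

```python
"""Fan-out detector for worm-style scanning of the Windows file-sharing ports.

Added illustration; not the article's, Symantec's or any poster's code.
Log format is a constructed, simplified one:
    YYYY-MM-DD HH:MM:SS src_ip:src_port -> dst_ip:dst_port ACTION
Window and target thresholds are assumptions to tune for a given network.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the article: 445 (SMB over TCP) and 139 (NetBIOS session).
WORM_PORTS = {445, 139}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) (?P<action>\w+)$"
)


def parse_line(line):
    """Parse one constructed-format log line; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def find_scanners(lines, window=timedelta(seconds=60), min_targets=20):
    """Return {src_ip: max_distinct_targets} for sources that reach at least
    `min_targets` distinct hosts on 445/139 within any sliding `window`.
    Both DROP and ACCEPT lines count: a worm scanning the internal network
    will often be accepted by the firewall, not dropped."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in WORM_PORTS:
            continue
        events[rec["src"]].append((rec["ts"], rec["dst"]))

    flagged = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            targets = {dst for _, dst in hits[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


def build_sample_log():
    """Constructed sample log: one worm-like scanner, one legitimate SMB client,
    one unrelated web connection, and one slow source below the threshold."""
    base = datetime(2004, 5, 3, 14, 40, 0)
    fmt = "%Y-%m-%d %H:%M:%S"
    lines = []
    # Worm-like: 25 distinct targets on 445 inside 10 seconds.
    for i in range(25):
        ts = base + timedelta(seconds=i % 10)
        lines.append(f"{ts.strftime(fmt)} 10.0.0.5:{1025 + i} -> 10.0.1.{i + 1}:445 DROP")
    # Legitimate: one workstation talking to the same file server 40 times.
    for i in range(40):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.strftime(fmt)} 10.0.0.7:{2000 + i} -> 10.0.0.20:445 ACCEPT")
    # Unrelated traffic on another port is ignored.
    lines.append(f"{base.strftime(fmt)} 10.0.0.9:3001 -> 192.0.2.10:80 ACCEPT")
    # Slow source: 30 targets on 139 spread over 10 minutes (about 4 per minute).
    for i in range(30):
        ts = base + timedelta(seconds=20 * i)
        lines.append(f"{ts.strftime(fmt)} 10.0.0.11:{3100 + i} -> 10.0.2.{i + 1}:139 DROP")
    return lines


if __name__ == "__main__":
    for src, count in find_scanners(build_sample_log()).items():
        print(f"possible scanner {src}: {count} distinct 445/139 targets in one window")
```

Counting both accepted and dropped connections matters on an internal network: the corporate firewall will drop the worm's inbound probes from the Internet, but a laptop that was infected at home and plugged in the next morning scans neighbours that accept port 445, which is exactly the internal damage the article and later posts describe.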
Old 05-03-04, 02:54 PM
  #3  
DVD Talk Hall of Fame
 
Join Date: Jun 1999
Location: PDX Metro
Posts: 8,953
It was a busy day yesterday for our client services group.

Sadly, I spent the day in shorts enjoying the sunshine.
Tsar Chasm is offline  
Old 05-03-04, 06:35 PM
  #4  
DVD Talk God
 
Join Date: Oct 1999
Location: Arizona
Posts: 74,269
A guy at work got it on his home computer. Wiped the poor bastard's entire drive.
Deftones is offline  
Old 05-03-04, 06:48 PM
  #5  
DVD Talk Hall of Fame
 
Join Date: Jun 2001
Location: Valley of Megiddo
Posts: 9,569
Nobody on our network got infected
Lateralus is offline  
Old 05-03-04, 06:52 PM
  #6  
DVD Talk Hall of Fame
Thread Starter
 
Join Date: Apr 2001
Location: Eugene, OR
Posts: 8,242
Hopefully no one will get infected on our network. I scanned and patched a bunch of computers today. I'm thankful I understand how to use psexec.
dancinns is offline  
Old 05-03-04, 06:56 PM
  #7  
DVD Talk Limited Edition
 
Join Date: Feb 2000
Location: College Station, TX
Posts: 6,223
I only had a few infected machines on my network, but the other department in my building got hit pretty hard. I mentioned SUS, but that only them.

dancinns, I hadn't seen psexec before. I think I'm going to have to try that one out.
BigDave is offline  
Old 05-03-04, 07:03 PM
  #8  
DVD Talk Legend
 
Join Date: Aug 2000
Location: Newberg, OR
Posts: 17,176
There is also a Sasser.C now.

My machines already had the hotfix before the virus started hitting, but lots of people at work got hit.
Jeremy517 is offline  
Old 05-03-04, 07:28 PM
  #9  
DVD Talk Ultimate Edition
 
Join Date: Jun 1999
Location: Massachusetts
Posts: 4,507
Our network here at UMass had thousands of computers infected. My version of Norton Anti-virus was useless against it. I had to install McAfee which successfully removed it.
Robert is offline  
Old 05-03-04, 08:09 PM
  #10  
DVD Talk Hall of Fame
Thread Starter
 
Join Date: Apr 2001
Location: Eugene, OR
Posts: 8,242
BigDave: It's great. I didn't know about it until I started working for the County. It's a whole lot easier to use that than it is to go to individual machines and go to Windows Update...but it's still not easier than login scripts.
dancinns is offline  
Old 05-04-04, 12:12 PM
  #11  
DVD Talk Limited Edition
 
Join Date: Apr 2001
Location: Just north of Atlanta
Posts: 5,215
Has anyone run into the problem of the LSASS service shutting down the computer even after the patch is applied and the virus has been removed?
johnglass is offline  
Old 05-04-04, 01:41 PM
  #12  
DVD Talk Limited Edition
 
Join Date: Feb 2000
Location: College Station, TX
Posts: 6,223
I haven't seen that problem yet. You might have to apply the patch in Safe Mode.
BigDave is offline  
Old 05-04-04, 04:34 PM
  #13  
DVD Talk Hall of Fame
 
Join Date: Jun 2001
Location: The Money Pit
Posts: 8,155
We just got whacked at 11:40 this morning. I've been busy all day.
vaporware is offline  
Old 05-04-04, 06:52 PM
  #14  
X
Administrator
 
Join Date: Oct 1987
Location: AA-
Posts: 10,676
If you don't have port 445 or 139 open you won't have a problem.

I'm surprised companies have gotten this worm. Very few inbound ports should be open.
X is offline  
Old 05-04-04, 08:07 PM
  #15  
DVD Talk Limited Edition
 
Join Date: Apr 2001
Location: Just north of Atlanta
Posts: 5,215
Originally posted by X
If you don't have port 445 or 139 open you won't have a problem.

I'm surprised companies have gotten this worm. Very few inbound ports should be open.
That works fine until you get a laptop user that gets infected outside of work then brings it in the next day.
johnglass is offline  
Old 05-04-04, 09:39 PM
  #16  
X
Administrator
 
Join Date: Oct 1987
Location: AA-
Posts: 10,676
Originally posted by johnglass
That works fine until you get a laptop user that gets infected outside of work then brings it in the next day.
Yes. A company that allows that should ensure that the laptop user's software firewall is enabled before allowing a mobile laptop computer on the internet outside of work. And it would be practical for even fewer ports to be enabled for its software firewall than for the corporate one.

Or they should only allow outside access through the company's network via VPN.
X is offline  
Old 05-04-04, 10:25 PM
  #17  
DVD Talk Special Edition
 
Join Date: Oct 1999
Posts: 1,935
Does this also affect Macs? OS 9 worked fine but when I changed to OS X, the computer crashed. Thanks.
matrixrok9 is offline  
Old 05-04-04, 11:06 PM
  #18  
DVD Talk Limited Edition
 
Join Date: Feb 2000
Location: Sunny Hawaii
Posts: 6,599
This worm only affects Win NT/2000/XP/2003.

There are no self-propagating worms for OS X (yet).
TheBang is offline  
Old 05-04-04, 11:15 PM
  #19  
DVD Talk Special Edition
 
Join Date: Oct 1999
Posts: 1,935
thanks!
matrixrok9 is offline  
Old 05-05-04, 05:49 AM
  #20  
Senior Member
 
Join Date: Jul 2002
Posts: 561
I caught this bitch a couple days ago actually, before the news had spread. The only firewall I use is the Windows one, and for some reason, I stupidly left it off for 4 days. Noticed my computer was running slow, suspected a virus, ran Stinger, and found and removed 8 virii, Sasser included. Needless to say, I re-enabled the firewall (which many consider weak), and not a problem since.
groovrbaby is offline  
Old 05-05-04, 11:28 AM
  #21  
Senior Member
 
Join Date: Sep 2001
Location: My Mommy says I'm Special!
Posts: 302
Originally posted by Todd B.
This worm only affects Win NT/2000/XP/2003.

There are no self-propagating worms for OS X (yet).
I'm Deskside for Hewlett-Packard in Anaheim, CA. We got hit hard on Monday by this virus and I've been picking up pieces since.

So Todd? You think my Windows 3.11 machine at home should be shielded from this virus? I suppose 3.11 acts sort of like a firewall by itself doesn't it.
TheSilverSurfer is offline  
Old 05-05-04, 04:45 PM
  #22  
DVD Talk Legend
 
Join Date: Nov 2001
Location: The Janitor's closet in Kinnick Stadium
Posts: 15,726
Originally posted by Todd B.
This worm only affects Win NT/2000/XP/2003.

There are no self-propagating worms for OS X (yet).
Symantec says it can infect 98/ME but doesn't harm it. It just uses the computer to infect other computers.
Mopower is offline  
Old 05-05-04, 10:11 PM
  #23  
DVD Talk Hero
 
Join Date: Jun 2000
Posts: 37,565
Originally posted by X
Yes. A company that allows that should ensure that the laptop user's software firewall is enabled before allowing a mobile laptop computer on the internet outside of work. And it would be practical for even less ports to be enabled for its software firewall than for the corporate one.
Sounds nice, in theory. In the real world, when you are trying to secure networks with 150,000 nodes and a laptop population in the thousands and consultants and/or contractors coming and going, deviations from enterprise security policy are simply not detected 100% of the time nor are they always preventable, even under the threat of severe disciplinary action.

The real answer is that there is absolutely no excuse for any enterprise to have not patched an overwhelming majority of their Win32 systems against the LSASS vuln in the more than 2 week interval between the time the patches were released and the time that Sasser.A hit store shelves.
jfoobar is offline  
Old 05-07-04, 02:10 AM
  #24  
DVD Talk Legend
 
Join Date: Jan 2002
Location: Danville, CA
Posts: 10,495
Alright, it looks like I may have an infected machine at work that had been patched prior to the outbreak. The AV is constantly updated, as well as having Spybot run almost daily. It has had a handful of random restarts the last few days, but I looked around the registry and couldn't find any signs of the worm anywhere. Stinger and normal Norton scans have come up empty as well. Thoughts?

btw it is a Win 2000 machine.
Copenhagen is offline  
Old 05-07-04, 05:16 AM
  #25  
DVD Talk Legend
 
Join Date: Jul 2000
Location: Arizona, USA
Posts: 23,460
Man, I hope none of my clients get infected while I'm at E3 next week. What's a post-infection fix I can give them over the phone? These are mostly home users who don't always update this and that as they should. I saw on the news last weekend that this virus had infected much of ASU and that it would reboot your system after only being on less than a minute so getting online to download a fix would be impossible. However, this article suggests that it only will reboot you if you are connected to the internet - does that mean if I tell my clients to disconnect from the internet that they won't have to reboot? Then I could maybe go and run some fix for it once I return from my trip?
Trigger is offline  
