News

Four Versions of Sasser Worm Spreading Chaos

• By Scott Bekker
• May 04, 2004

Sasser attempts to exploit the LSASS Vulnerability, one of 14 security flaws patched with Microsoft security bulletin MS04-011 on April 13. The release of a security bulletin is often the starting line of a race between users and administrators patching machines and worm writers trying to exploit the new flaws.

Sasser spreads by scanning randomly selected IP addresses of vulnerable systems. Sasser can infect Windows 2000 and Windows XP machines, generally causing them to crash. While it can't infect Windows 95/98/Me, the worm can run on those platforms and so overtax the machines that they become unusable.

On a five-point severity scale, with five representing the most serious problems, Symantec rated Sasser.B a four, Sasser.A a three, Sasser.C a two and Sasser.D a two.

Meanwhile, researchers at Panda Software found that from Saturday to Monday, Sasser.A or Sasser.B were causing the most infections of any virus. At a peak on Sunday, Sasser.B accounted for 24.4 percent of virus infections and Sasser.A accounted for 15.8 percent. By Tuesday, Netsky.P was in the lead with 11.42 percent of infections -- Sasser.B was second at 8.2 percent and Sasser.A was at 4.9 percent.

"Clearly, these variants have not completed their course but it looks as if containment will probably be accomplished by the end of the week," Patick Hinojosa, CTO of Panda Software US, said in a statement. "The risk remains highest for home users who may not have the knowledge to patch their operating systems as via the Windows Update Feature that Microsoft has recommended."

Eric Schultze, chief security architect for patch management vendor Shavlik Technologies, said the Sasser worm has a similar attack profile to the infamous Blaster worm.

"If your corporation was open to it last time, unless you've made radical changes to your network, you're going to be vulnerable. If someone has a laptop at home, and they get infected, and bring it in your network's going to be infected," Schultze said. "This is an excellent time for a quarantine service."

Schultze also said the many vulnerabilities fixed in MS04-011 make it very likely that Sasser will be combined with other exploits. "Because the MS04-011 had 14 different flaws that it patched, I could see it turning into a Nimda-style worm where the worm tries several different ways to get into your network. The worm has just been exploiting the LSASS flaw and just on XP and 2000. I could see someone including this with SQL Slammer and Blaster into one humongous worm. I could see that happening, potentially by end of week," Schultze said.

Meanwhile, Microsoft announced it was working with the FBI and the U.S. Secret Service to find and prosecute the authors of Sasser and another worm called Agobot.