
Four Versions of Sasser Worm Spreading Chaos

Four variants of Sasser, the first major worm to exploit flaws patched by Microsoft's huge security bug fixing patch last month, were wreaking havoc on computer networks as of mid-day Tuesday.

Sasser attempts to exploit the LSASS Vulnerability, one of 14 security flaws patched with Microsoft security bulletin MS04-011 on April 13. The release of a security bulletin is often the starting line of a race between users and administrators patching machines and worm writers trying to exploit the new flaws.

Sasser spreads by scanning randomly selected IP addresses for vulnerable systems. Sasser can infect Windows 2000 and Windows XP machines, generally causing them to crash. While it can't infect Windows 95/98/Me, the worm can run on those platforms and so overtax the machines that they become unusable.

On a five-point severity scale, with five representing the most serious problems, Symantec rated Sasser.B a four, Sasser.A a three, Sasser.C a two and Sasser.D a two.

Meanwhile, researchers at Panda Software found that from Saturday to Monday, Sasser.A or Sasser.B were causing the most infections of any virus. At a peak on Sunday, Sasser.B accounted for 24.4 percent of virus infections and Sasser.A accounted for 15.8 percent. By Tuesday, Netsky.P was in the lead with 11.42 percent of infections -- Sasser.B was second at 8.2 percent and Sasser.A was at 4.9 percent.

"Clearly, these variants have not completed their course but it looks as if containment will probably be accomplished by the end of the week," Patrick Hinojosa, CTO of Panda Software US, said in a statement. "The risk remains highest for home users who may not have the knowledge to patch their operating systems via the Windows Update Feature that Microsoft has recommended."

Eric Schultze, chief security architect for patch management vendor Shavlik Technologies, said the Sasser worm has a similar attack profile to the infamous Blaster worm.

"If your corporation was open to it last time, unless you've made radical changes to your network, you're going to be vulnerable. If someone has a laptop at home, and they get infected, and bring it in, your network's going to be infected," Schultze said. "This is an excellent time for a quarantine service."

Schultze also said the many vulnerabilities fixed in MS04-011 make it very likely that Sasser will be combined with other exploits. "Because the MS04-011 had 14 different flaws that it patched, I could see it turning into a Nimda-style worm where the worm tries several different ways to get into your network. The worm has just been exploiting the LSASS flaw and just on XP and 2000. I could see someone including this with SQL Slammer and Blaster into one humongous worm. I could see that happening, potentially by end of week," Schultze said.

Meanwhile, Microsoft announced it was working with the FBI and the U.S. Secret Service to find and prosecute the authors of Sasser and another worm called Agobot.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
