Sasser Worm Clogs the Internet
May 7, 2004
The fast-spreading Sasser computer worm has infected hundreds of thousands of PCs around the world, and computer security experts say the number will continue to grow rapidly. They also note that the worm's payload and functionality are almost the same as those of the Blaster worm that hit the Internet last summer. Experts add that an average Windows PC connected to the Internet without firewall or antivirus protection is infected within about 10 minutes.
Companies around the world had to close their Internet connections and shut down servers to prevent Sasser infection. For example, Finnish bancassurer Sampo temporarily closed all of its branch offices, some 130 in all, on Monday. In Australia, Westpac Bank said it was hit by the worm, and branches had to use pen and paper to allow them to keep trading. U.S. firm Delta Air Lines suffered a computer glitch on Saturday that caused delays and cancellations of certain flights across its system.
After gaining control of a system, the worm copies itself to the Windows folder under the filename skynetave.exe and creates a registry entry so that it runs automatically each time Windows starts. Users can find out more about the vulnerability and download the security patch at the Microsoft web site. Microsoft is also recommending that users enable a firewall to block intrusion on the vulnerable port.
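A check for the two persistence artifacts described above, written as an added example for this article rather than code from any vendor advisory. The article names the dropped file but not the registry key, so the script assumes the autorun entry sits under one of the standard Run keys (an assumption, not a stated fact).

```powershell
# Added example: look for the Sasser persistence artifacts named in the article.
# Assumption: the autorun entry is under a standard Run key; the article does not name the key.
$WormFile = 'skynetave.exe'
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Find-SasserArtifacts {
    $findings = @()

    # 1. The dropped copy in the Windows folder (e.g. C:\WINDOWS\skynetave.exe)
    $dropPath = Join-Path $env:windir $WormFile
    if (Test-Path -LiteralPath $dropPath) {
        $findings += [pscustomobject]@{ Type = 'File'; Location = $dropPath; Value = '' }
    }

    # 2. Any autorun value whose command line references the worm file name
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            if ("$($p.Value)" -match [regex]::Escape($WormFile)) {
                $findings += [pscustomobject]@{
                    Type     = 'Registry'
                    Location = "$key\$($p.Name)"
                    Value    = $p.Value
                }
            }
        }
    }
    return $findings
}

$hits = @(Find-SasserArtifacts)
if ($hits.Count -eq 0) {
    Write-Host "No Sasser persistence artifacts found."
} else {
    $hits | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the HKLM key is readable; a hit means the machine should be isolated and patched before cleanup, since the article notes an unprotected host is reinfected within minutes.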
Microsoft, as might be expected, is taking a dim view of this worm. Redmond says that it is working with law enforcement agencies, including the Northwest CyberCrime Taskforce (a joint effort between the FBI and US Secret Service) to track down those responsible.
It is also suspected that people who wrote Netsky are behind Sasser, and the fourth version of Sasser is spreading 10 times faster than the earlier versions. It looks like the Sasser authors are testing and learning how to infect machines very quickly. So while there has been no infected payload yet, there's no reason not to expect it. Sasser's authors have the complete ability to install any software they want.
Many compromised systems, however, may not be visible to external security surveys and detection, so the actual number of infected systems could be higher. Although Symantec and others that monitor Internet security believed that the recent MSBlast worm had spread to perhaps 500,000 computers, Microsoft later discovered that almost 10 million computers had so far been infected.
Antivirus software maker Network Associates believes that as many as 80 percent of those infected are home users and students. That poses a much greater problem than compromised corporate computers, in terms of Internet safety, said Vincent Gullotto, vice president of Network Associates' McAfee Anti-Virus Emergency Response Team, because "Home users don't generally know what to do to get rid of the infection."
Two new worm variants, Sasser.C and Sasser.D, have also started spreading this week. Like the original Sasser, they take advantage of a vulnerability in unpatched Windows XP and Windows 2000 systems. The worms infect vulnerable systems by establishing a remote connection to the victim computer, spawning an FTP server and then downloading themselves to the victim.
By the way, as we all remember, Microsoft has promised three $250,000 rewards for information leading to the arrest and conviction of the authors of MSBlast, Sobig and MyDoom. However, the company wouldn't comment on the likelihood of a reward for information about Sasser, except to say that the idea is being considered.