New threats prey on prostrated computers
May 14, 2004
Security experts around the world are warning users about a new worm spreading across the Internet. This malware, nicknamed Dabber, attacks computers that have previously been infected by the Sasser worm. Dabber exploits a vulnerability left behind in the Sasser worm itself.
Dabber spreads to Microsoft Windows systems, but security analysts say it's not likely to have a large impact. "It is not going to be a big problem for anyone that is paying any attention at all to computer security," said Joe Stewart, senior security researcher with network protection firm Lurhq. "If somebody does get it, they probably already have Sasser and, most likely, Agobot as well."
Surprisingly, this is a worm that exploits a security hole left behind by another worm. However, Dabber is not the first worm to behave in such a way. Two earlier worms, Doomjuice and Deadhat, infected systems already compromised by the MyDoom virus.
The file transfer protocol (FTP) server that Sasser installs to transfer itself to new hosts has a buffer-overflow vulnerability. Dabber uses that security flaw to spread to the victim machine.
After it copies itself to a victim host, Dabber changes the system settings so that the operating system runs the malicious program every time it starts up. Dabber also attempts to block other worms, which may have infected the machine, from running.
Finally, the worm establishes a back door into the software to allow knowledgeable attackers to take control of the system.
The scavenging worm arrives as German police are investigating more leads in the Sasser case. Already, the suspected author has been arrested in that country, based on information leaked to Microsoft by informants interested in reward money.