MS04-011: Sasser Internet Worm


  • Please log in to reply
4 replies to this topic

#1 harrywaldron

harrywaldron

    Security Reporter


  • Members
  • 509 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:01:26 AM

Posted 01 May 2004 - 05:52 AM

MS04-011: Sasser Internet Worm
http://vil.nai.com/vil/content/v_125007.htm
http://www.symantec.com/avcenter/venc/data...asser.worm.html
http://www.trendmicro.com/vinfo/virusencyc...e=WORM_SASSER.A
http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=39012
http://www.sophos.com/virusinfo/analyses/w32sassera.html

Sasser is an Internet worm spreading through the MS04-011 (LSASS) vulnerability. This vulnerability is caused by a buffer overrun in the Local Security Authority Subsystem Service, and will affect all machines that are:

* Running Windows XP or Windows 2000
* Haven't been patched against this vulnerability
* Are connected to the Internet without a firewall


W32.Sasser is a worm that attempts to send code that exploits the MS04-011 vulnerability. This worm scans random IP addresses for exploitable systems. When one is found, the worm exploits the vulnerable system by overflowing a buffer in LSASS.EXE. It creates a remote shell on TCP port 9996. Next it creates an FTP script named cmd.ftp on the remote host and executes it. This FTP script instructs the target victim to download and execute the worm (with the filename #_up.exe as aforementioned) from the infected host. The infected host accepts this FTP traffic on TCP port 5554. The worm spawns multiple threads, some of which scan the local class A subnet, others the class B subnet, and others completely random subnets. The destination port is TCP 445.


One sign of infection is this message:



Infected systems should install the Microsoft update to be protected from the exploit used by this worm:

http://www.microsoft.com/technet/security/...n/MS04-011.mspx

F-Secure's weblog compares Sasser and the original Blaster outbreak:

You would expect a new automatic network worm like Sasser to hit even harder than it seems to be hitting right now. Of course, it's weekend time, but most infected machines would be home computers, many of which are turned on and online always.

Sasser could be compared to the Blaster/Lovsan outbreak last August in many ways. Both are automatic network worms affecting Windows 2000 and XP users, scanning random IP addresses and using FTP (or TFTP) to transfer the actual worm file to the infected host. Also, both worms cause unpatched machines to start to reboot.

Blaster was a massive case, partly because the patch was only available for 32 days before the outbreak started - and that was during the best holiday season. With Sasser, the time difference between the patch and the worm was just 18 days.

But the bottom line is that although Sasser starts several threads which constantly scan random addresses with minimal time delay, we aren't seeing massive amounts of infections. Not yet anyway.
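The propagation pattern described in the post (sweeps of TCP 445, a shell on TCP 9996, and the worm served back over FTP on TCP 5554) is specific enough to flag in firewall or flow logs. The following is an added example, not code from the post or any vendor, that runs such a check over a constructed set of "src dst dport" flow records; the record format and the sweep threshold are assumptions.

```python
# Added example (not from the BleepingComputer post): flag hosts whose traffic
# matches the Sasser pattern described above. Flow record format "src dst dport"
# and the SCAN_THRESHOLD value are assumptions made for this example.
from collections import defaultdict

# Ports from the worm description: LSASS exploit over SMB (445),
# remote shell (9996) and the infected host's FTP server (5554).
SASSER_EXPLOIT_PORT = 445
SASSER_SHELL_PORT = 9996
SASSER_FTP_PORT = 5554
SCAN_THRESHOLD = 20  # distinct 445 targets before a host counts as sweeping


def parse_flows(text):
    """Parse 'src dst dport' lines into (src, dst, port) tuples; skip blanks/comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port = line.split()
        flows.append((src, dst, int(port)))
    return flows


def find_sasser_activity(flows, threshold=SCAN_THRESHOLD):
    """Return {src: set(reasons)} for hosts whose traffic matches Sasser's pattern."""
    targets_445 = defaultdict(set)   # src -> distinct hosts it hit on 445
    findings = defaultdict(set)
    for src, dst, port in flows:
        if port == SASSER_EXPLOIT_PORT:
            targets_445[src].add(dst)
        elif port == SASSER_SHELL_PORT:   # infected host talking to a new victim's shell
            findings[src].add("connect-to-9996-shell")
        elif port == SASSER_FTP_PORT:     # new victim fetching the worm binary
            findings[src].add("fetch-from-5554-ftp")
    for src, dsts in targets_445.items():
        if len(dsts) >= threshold:
            findings[src].add("445-sweep:%d-hosts" % len(dsts))
    return dict(findings)


# Constructed sample: one sweeping host, one ordinary file-server client, one new victim.
SAMPLE = "\n".join(
    ["10.0.0.5 10.0.1.%d 445" % i for i in range(25)]
    + ["10.0.0.9 10.0.0.1 445"] * 5
    + ["10.0.0.5 10.0.0.77 9996", "10.0.0.77 10.0.0.5 5554"]
)

if __name__ == "__main__":
    for host, reasons in sorted(find_sasser_activity(parse_flows(SAMPLE)).items()):
        print(host, sorted(reasons))
```

Repeated normal SMB traffic to a single file server (10.0.0.9 above) stays below the threshold and is not flagged; a client of many distinct 445 targets is.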




#2 harrywaldron

harrywaldron

    Security Reporter

  • Topic Starter

  • Members
  • 509 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:01:26 AM

Posted 01 May 2004 - 09:53 AM

McAfee, Trend, and F-Secure have all just declared MEDIUM RISK as this new worm is starting to spread.

Microsoft has posted information (including removal information)
http://www.microsoft.com/security/incident/sasser.asp


McAfee has just updated their free cleaning tool to handle the new Sasser Internet worm.

McAfee STINGER standalone CLEANING TOOL
http://vil.nai.com/vil/stinger/

Edited by harrywaldron, 01 May 2004 - 10:43 AM.


#3 harrywaldron

harrywaldron

    Security Reporter

  • Topic Starter

  • Members
  • 509 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:01:26 AM

Posted 01 May 2004 - 04:49 PM

Trend's reporting a new "B" variant

We're bound to see a lot more activity now that a good working model is in the wild. Patching the MS04-011 vulnerability is the most critical protective step.

http://www.trendmicro.com/vinfo/virusencyc...e=WORM_SASSER.B

#4 harrywaldron

harrywaldron

    Security Reporter

  • Topic Starter

  • Members
  • 509 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:01:26 AM

Posted 03 May 2004 - 05:44 PM

Update on the status of Sasser Worms

MS04-011: Sasser.A - MEDIUM RISK
http://secunia.com/virus_information/9142/sasser.a/

With only 18 days between the patch and first MS04-011 LSASS worm, most companies were prepared but there were some significant impacts. Early media reports reflect hundreds of thousands of individual PCs impacted. Thankfully damages so far appear to be less than those of the Blaster worm, although it is early and many new variants continue to emerge.

MS04-011: Sasser.B - HIGH RISK
http://secunia.com/virus_information/9147/sasser.b/

Symantec has issued a rare "4" HIGH ALERT condition, along with Trend and Panda.

MS04-011: Sasser.C - MEDIUM RISK
http://secunia.com/virus_information/9155/sasser.c/

This particular variant spawns 1024 threads for the infection routine, whereas the previous variant W32.Sasser.B.Worm uses 128 threads. This should make this variant spread faster.

MS04-011: Sasser.D - LOW RISK (new)
http://secunia.com/virus_information/9155/sasser.c/

This new variant has an updated routine for finding vulnerable computers. It sends an ICMP echo request before attempting to make a connection. W32.Sasser.D.Worm can now run on (but not infect) Windows 95/98 computers. Although these operating systems cannot be infected, they can still be used to infect other vulnerable systems that they are able to connect to. Firewall port blocking is the best defense to keep these systems from generating unnecessary network traffic.

#5 harrywaldron

harrywaldron

    Security Reporter

  • Topic Starter

  • Members
  • 509 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:01:26 AM

Posted 05 May 2004 - 08:54 AM


For now a little good news, as I'm hoping the worst is over for the current Sasser Internet based attacks. There will probably be more new attacks ahead, but moving to green indicates peaking or even some decline in the number of port attacks at this point.

Internet Storm Center returns to Green Condition
http://www.incidents.org/
