RealTime IT News

Sasser Worm Reined But Variants Sprout

The first major virus attack targeting a well-known Microsoft Windows vulnerability has started spreading across the Internet, prompting the software giant to issue a worm removal tool.

Microsoft issued the weekend alert with a warning that the Sasser worm (W32.Sasser.A) and several variants have been unleashed on the Internet.

It's only the second time that Microsoft has issued a removal tool to help clean up from a worm attack. Late last year, it took similar action in the wake of the Blaster virus.

"Microsoft has verified that the worm exploits the Local Security Authority Subsystem Service (LSASS) issue that was addressed by the security update released on April 13."

A patch for the LSASS flaw was issued earlier this month, but malicious hackers have already reverse-engineered the patch and released working exploits that attack unpatched machines.

Even though anti-virus firms are reporting the distribution level for Sasser as low, some experts believe a Blaster-type attack is just days away. "It's been slow to start, but this will pick up quickly and will have Blaster-like implications," said Eric Schultze, chief security architect at Shavlik Technologies.

The appearance of the Sasser worms follows last Friday's news that a backdoor Trojan with port-scanning capabilities was already in circulation. At the time, Symantec's Jonah Paransky warned that it was "highly likely" that self-propagating malicious code would be widely distributed.

In its weekend advisory, Microsoft urged users to activate the embedded Internet Connection Firewall (ICF) available in Windows XP or install and enable a third-party firewall. The company also stressed the importance of applying the security update that came with the MS04-011 monster patch.

A removal tool was also released to scan a user's hard disk and remove Sasser.A and its variants.

According to Shavlik Technologies' Schultze, enterprises must be on alert for remote users who may have been infected at home and then bring a machine inside the corporate firewall. "That's one of the biggest fears from my side: when an employee at home brings an infected laptop into the office and infects machines inside the network."

Schultze also believes the Sasser threat will grow considerably over the next week. "We haven't seen the last of this. We'll see better variants of this worm and there's also the issue of new attack scenarios developing."

The MS04-011 patch, which was released with some disruptive bugs, is a "critical" fix for 14 serious Windows vulnerabilities.

According to experts, virus writers could unleash a worm to target several flaws at the same time.

In addition to the LSASS vulnerability, the patch covers an LDAP vulnerability, a hole in the PCT protocol, a Winlogon vulnerability, a Metafile vulnerability, a flaw in the Windows Help and Support Center, a Utility Manager vulnerability, a Windows Management vulnerability, a flaw in the Local Descriptor Table, a bug in the H.323 protocol, a Virtual DOS Machine vulnerability, a bug in the Negotiate SSP feature and a flaw in SSL.

The patch also corrects an ASN.1 "double free" vulnerability.

Separately, security consulting firm Sophos said Monday that it had quarantined a new variant of W32/Netsky-AC which is masquerading as a cure for the newer Sasser worm. The company said the Netsky code author has claimed responsibility for Sasser.

"The very worst thing you can do is fall for this trick by clicking on the attached file," said Sophos spokesman Graham Cluley. "The Netsky author is preying on users' fear of computer attack."

If triggered, the worm can forward itself to addresses found on the victim's computer, spreading the virus even further. The latest Netsky variant also opens a backdoor that allows remote attackers to gain control of the infected computer.

As IT admins battle to secure internal networks, iDEFENSE director Ken Dunham warned that Sasser worms are still being updated and released into the wild. "I wouldn't be surprised to see several new updated variants emerge in the very near future."

At press time, Symantec reported four different Sasser variants. Even as damage remains under control, Symantec has rated the distribution as high.

In addition to Microsoft, anti-virus firms have also released free tools and disinfection instructions:

http://www.sarc.com/avcenter/venc/data/w32.sasser.removal.tool.html
http://vil.nai.com/vil/stinger/
http://www.bitdefender.com/html/virusinfo.php?menu_id=1&v_id=248
http://www.f-secure.com/tools/f-sasser.zip
http://www.pandasoftware.com/download/utilities/
http://www.pspl.com/download/cleanss.htm