May 12, 2004 8:47 AM PDT
New Sasser variant indicates copycat
Antivirus companies suspect that a copycat coder has written the new virus.
Systems infected with the Sasser worm randomly scan local networks and the Internet to look for Windows PCs that have not been updated with the latest Microsoft patch. The worm functions in a very similar way to the MSBlast worm, which caused millions of dollars in damage and disruption last summer.
A teenager suspected of writing the Sasser code has been arrested by police in Germany. Since his arrest, two variants of the worm have been detected in the wild. The suspected author had confessed to German police that he had released the fifth version of the worm, Sasser.E, four days before he was taken into custody. Antivirus firms didn't detect the variant until the day after the arrest. The most recent, Sasser.F, was first detected Tuesday.
Luis Corrons, head of antivirus company Panda's research labs, said the Sasser.F worm's source code looks like it was written by an inexperienced programmer who has slightly modified the original code but had not added any new functions or behaviors.
"Studying the evolution of Sasser, the fact that variant F does not include any new features confirms that it is the work of a different person," Corrons said.
The code and some messages hidden inside the original Sasser worm indicate its authors are closely linked with the Netsky virus, which has led many experts to question if the German teenager could be solely responsible for the Sasser outbreak.
David Kopp, head of Trend Micro's European research labs, said he doubts that the teenager in police custody could have been solely responsible for the Sasser worm because there have been around 30 variants of Netsky since mid-February.
"For just one guy, this is a lot of work. We are not sure that the German teenager is the real virus writer--it's more likely to be a group of virus writers," he said.
Kevin Hogan, senior manager at Symantec Security Response, said that even if there are new variants of Sasser or other malware that exploits the Windows vulnerability, such as the Cycle worm, are unlikely to cause any damage because most businesses have either applied the relevant Windows patch or are using an up-to-date antivirus application.
"The Sassers out there are not really spreading any more and the Cycle worm uses the same vulnerability as Sasser, so it has gone nowhere. People are probably patching to protect themselves against Sasser--that's why we are seeing very little of Cycle," Hogan said.
Munir Kotadia of ZDNet UK reported from London.
1 commentJoin the conversation! Add your comment