May 13, 2004 4:30 PM PDT

Worm feeds on Sasser-infected computers

Computers compromised by the Sasser worm may be vulnerable to a scavenging program that exploits a flaw in the software left behind by the worm, a security researcher said Thursday.

The worm--dubbed Dabber--has started spreading to Microsoft Windows systems, but likely won't have a large impact, said Joe Stewart, senior security researcher with network protection firm Lurhq.

"It is not going to be a big problem for anyone that is paying any attention at all to computer security," he said. "If somebody does get it, they probably already have Sasser and, most likely, Agobot as well."

Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.

Dabber is not the first worm to exploit back doors into compromised systems left behind by previous attackers. Two worms, Doomjuice and Deadhat, infected systems already compromised with the MyDoom virus.

However, Dabber may be the first worm to attack systems using a flaw in a previous malicious program. In this case, the file transfer protocol (FTP) server installed by Sasser to enable the worm to transfer itself to new hosts has a buffer-overflow vulnerability. Dabber uses that security flaw to spread to the new machine.

Click here to Play

David Berlind, executive editor, ZDNet

Once it copies itself to a new host, the worm will change the system settings so that operating system runs the malicious program every time it starts up. Dabber will also attempt to block other worms, which may have infected the machine, from running.

Finally, the worm will establish a back door into the software to allow knowledgeable attackers to take control of the system.

The scavenging worm arrives as German police are investigating more leads in the Sasser case. Already, the suspected author has been arrested in that country, based on information leaked to Microsoft by informants interested in reward money.


Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.