May 3, 2004 6:15 AM PDT

New worm's got sass, but not much else

The security researchers at eEye Digital Security are not impressed with the Sasser worm.

The company, which found the flaws that were exploited by both the MSBlast worm and the Witty worm, on Saturday started analyzing the latest piece of attack code that takes advantage of a Microsoft Windows vulnerability discovered by its researchers. So far, eEye's analysts are surprised that the worm has spread so far.

"It's so poorly written," said Marc Maiffret, chief hacking officer for the Aliso Viejo, Calif.-based company. "This could still have a lot of impact, but it's written by someone that could barely get the code working."

Alfred Huger, senior director of security firm Symantec's response center, agreed. "If this virus was better written, you would have seen more impact," he said.

Still, some companies were beginning to report problems from the worm Monday morning. Finnish financial group Sampo said Monday it had temporarily closed all of its branch offices, some 130 in all, as a precaution against Sasser. And in Australia, the worm forced Westpac Banking to turn customers from its branches.


The Sasser worm started spreading late Friday. As of Saturday afternoon, it had not racked up the crowd of compromised computers that its predecessors have been able to claim. If it weren't for the worm's poor programming, such a limited spread could have indicated that computer users are becoming more diligent about heeding warnings and patching their systems.

The Sasser worm spreads from infected computer to vulnerable computer with no user interaction required. The worm exploits a recent vulnerability in a component of Microsoft Windows known as the Local Security Authority Subsystem Service (LSASS). After scanning for vulnerable Windows XP and Windows 2000 systems, the worm creates a remote connection to the system, installs a file transfer protocol (FTP) server and then downloads itself to the new host.

Early on, the worm was spreading at a moderate to slow pace, antivirus experts said.

By Saturday afternoon, Symantec had received about 100 reports, but only 20 from companies. Network Associates had alerts of the worm from 25 to 50 companies, with some of them reporting hundreds of infections. Still, that's small compared with the nearly 10 million computers infected by the MSBlast, or Blaster, worm.

Huger said he was concerned that the number of infections might jump on Monday when people take compromised laptops to work.

"It still remains to be seen whether--when people take this to work--we will see a faster spread," he said.

Over the weekend, infection rates seemed to be climbing steadily, said Johannes Ullrich, chief technology officer for the Internet Storm Center, which monitors network attacks.

"It spreads like most of the other worms," he said. "It prefers local networks and it has the usual semi-random spread."


Code in the worm will cause it to spread randomly half the time; to the same A-class network as the infected host a quarter of the time; and to the same B-class network the remaining time. There are about 65,000 addresses in a B-class network and about 16.8 million addresses in an A-class network.
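For defenders, that split is a recognizable fan-out pattern in flow records. The following sketch is an added example, not code from the article or from any vendor quoted in it: it buckets each destination a host contacts relative to the host's own /8 (A-class) and /16 (B-class) networks and checks the shares against the reported 50/25/25 split. The function names, the thresholds and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Split reported in the article: half random, a quarter in the infected
# host's A-class (/8) network, a quarter in its B-class (/16) network.
EXPECTED = {"same_b": 0.25, "same_a": 0.25, "other": 0.50}

def bucket(src, dst):
    """Classify dst relative to src: same /16, same /8 only, or other."""
    s = ipaddress.IPv4Address(src).packed
    d = ipaddress.IPv4Address(dst).packed
    if s[:2] == d[:2]:
        return "same_b"
    if s[0] == d[0]:
        return "same_a"
    return "other"

def locality_profile(src, dsts):
    """Share of distinct destinations falling in each bucket."""
    unique = set(dsts) - {src}
    counts = Counter(bucket(src, d) for d in unique)
    total = len(unique) or 1          # avoid dividing by zero on empty input
    return {name: counts[name] / total for name in EXPECTED}

def matches_profile(src, dsts, min_targets=200, tolerance=0.10):
    """True when a host contacts many distinct addresses in roughly the
    reported 25/25/50 split. Both thresholds are assumed values."""
    if len(set(dsts) - {src}) < min_targets:
        return False                  # too few targets to judge
    profile = locality_profile(src, dsts)
    return all(abs(profile[k] - EXPECTED[k]) <= tolerance for k in EXPECTED)

# Constructed flow data (not real traffic): one host fanning out in the
# reported proportions, and one host talking only to its own /16.
SRC = "10.20.30.40"
SCANNER = ([f"10.20.{i}.7" for i in range(100)] +        # same /16
           [f"10.{100 + i}.1.7" for i in range(100)] +   # same /8 only
           [f"{11 + i}.1.1.7" for i in range(200)])      # elsewhere
LOCAL_ONLY = [f"10.20.{i}.9" for i in range(250)]

if __name__ == "__main__":
    for name, dsts in (("scanner", SCANNER), ("local_only", LOCAL_ONLY)):
        print(name, locality_profile(SRC, dsts), matches_profile(SRC, dsts))
```

A host that talks to many addresses only inside its own network, or to too few addresses to judge, does not match; tightening `tolerance` trades missed detections for fewer false alarms.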

Ullrich added that the worm is not able to infect 100 percent of the time, perhaps indicating that Sasser itself has a bug.

That's par for the course for worms, eEye's Maiffret said.

"It just goes to show that the people who are smart enough to create a good worm are either too responsible to do it, or they are the bad guys and they know that worms highlight vulnerabilities and make it more likely that people patch holes," he said.

For the "bad guys," a worm only draws attention to flaws that they want to exploit, he said.

Abby Dinham and Andrew Colley of ZDNet Australia contributed to this report. Reuters also contributed to this report.

Why LSASS in stand alone computers?
One thing I do not understand is why the Windows setup program activates network management related functions such as LSASS.

Networked computers need them and have a sysop to patch the holes, but stand alone computers are mostly with computer uneducated persons, and the fewer ports open the better from a security viewpoint.

Posted by (1 comment )
Perhaps CNET should do its own poll.
I know that the University of Oklahoma has found Sasser on several PCs on campus and issued a message to those on the network regarding this new virus.

The IT press is a joke and prints more stories with false facts than any other facet of the press. I believe that they are trying to downplay the serious issues that arise because of Microsoft's poorly written and designed software! It would be nice to get honest news from someone not under the influence of Microsoft's money and power.
Posted by bjbrock (98 comments )
There's no such thing as a perfect software
While Windows may have holes in it, this also holds true for any software or application in the market, be it freeware or payware.

There's no such thing as a perfect program. Programmers know this as a fact, and the more powerful and complicated an application gets, the more holes it is expected to have.

Windows' holes are closely monitored because more than 95% of desktops across the world use Windows. Virus/worm creators focus on Windows because of the same fact. No one would create a virus or worm which would infect less than 5% of all the desktops worldwide. The idea of creating a virus would be useless if done so that way.

The only way to go is for Microsoft to issue a patch once a hole is found, and then it's our responsibility to patch our systems.

And to put it on record, I am in no way connected with Microsoft in any way.
Posted by (2 comments )
