May 3, 2004 10:15 PM PDT

Sasser variants pose greater danger

Three new versions of the Sasser worm boosted the infectiousness of the original, spreading to about 500,000 computers by Monday, security researchers said.

News.context

What's new:
After a slow start, new versions of the Sasser worm spread to more than 500,000 computers.

Bottom line:
The growing outbreak is partly the result of businesses reopening Monday morning. Among those hit are universities.

More stories on this topic

Like the original worm, the three new programs--Sasser.B, Sasser.C and Sasser.D--take advantage of a vulnerability in unpatched versions of Windows XP and Windows 2000 systems. The worms infect vulnerable systems by establishing a remote connection to the targeted computer, installing a File Transfer Protocol (FTP) server and then downloading themselves to the new host.

The original version of the Sasser worm spread slowly, but Saturday, online vandals released Sasser.B, which infected computers much faster. By Monday, two new variants had appeared, and the worm had spread to hundreds of thousands of systems.

"The worm has improved significantly," said Alfred Huger, senior director of Symantec's security response center. Early Monday, Symantec had counted at least 10,000 confirmed infections, and acknowledged that hundreds of thousands of computers have likely been infected.

The University of Massachusetts at Amherst discovered just that, when students connected their already infected computers to the campus networks on Monday. The ensuing outbreak resulted in 1,100 computers compromised with Sasser, said Scott Conti, network operations manager for the university.

"All the machines that have gotten the virus haven't been patched," he said, adding that university security lists have been active, with other network administrators reporting the same. "I think everybody has got it pretty bad."


CNET Reviews
Prevention and cure
How the Sasser worms work, and
how to avoid and remove them.


While many other universities battled with the worm over the weekend, others--like University of Massachusetts--weren't infected until someone connected to the network with an infected computer.

Sasser is proving to be an ordeal for the university, which has to deal with about 5,000 compromises by worms, viruses and bot software every semester, Conti said.

"It is unfortunate that dealing with these outbreaks now has to be part of our whole business plan," he said.

Delta Air Lines encountered problems in Atlanta with its computers for more than six hours, resulting in delays. However, the cause of the problems was still unknown, spokeswoman Catherine Stengel said.

"We won't know until at least tomorrow what caused the issues," she told CNET News.com.

Airline Air Canada canceled flights in August due to its network being infected with a variant of the MSBlast worm. The MSBlast.B worm, also called Welchia and Nachi, spread so aggressively that it inundated many companies' networks with data. Air Canada said its network couldn't deal with the amount of traffic generated by MSBlast.B.

This time around, telephone company SBC Communications tried to minimize the problem for its Internet customers. The company warned them by e-mail this weekend about the worm and urged them to patch their systems.

"It is extremely important you (patch your systems) now, because it's likely you will not be able to take these measures, if your computer becomes infected," the company told customers.

The original worm did not spread very quickly on Friday and Saturday, according to security experts. Some Windows XP users asked for help on a support list when, as a side effect of infection, their computers displayed an error message and restarted.

"The number of home users seeking help on cleaning the Sasser worm in the MS Windows XP Technical Support newsgroup is far less than last year, when the MSBlast worm was released," said Yan Kei "Kenrick" Fu, a Hong Kong college student and a frequent adviser on Microsoft's support lists.

By Monday morning, Symantec was able to confirm--by scanning for open FTP servers on computers, from which the company's sensor detected potential attacks--that 10,000 computers had been infected by the Sasser worm.


Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.


The Sasser variants can spread rapidly from an infected computer to one that is vulnerable without any user interaction. The worm spreads by scanning different ranges of Internet addresses using a specific application data channel, or port, numbered 445.

Microsoft has analyzed the worm and believes that it also spreads through port 139. Both are data channels used by the Windows file-sharing protocol and, in many cases, are blocked by Internet service providers. Once a vulnerable system is found, Sasser installs FTP server software and then transfers itself to the new host.

Symantec's Huger said the amount of data that addresses port 445 makes it difficult to differentiate worm traffic from other, legitimate traffic. Moreover, recent modifications to attack bot software cause other malicious programs to use the same port.

"Port 445 is the busiest port in existence," Huger said.

Symantec raised Sasser.B to a seriousness level of 4 from level 3 on its five-point scale Sunday afternoon. The security software company had only 200 reports of the original Sasser worm from its customers.

Huger warned customers that many compromised systems may not be visible to external security surveys and detection, meaning that the actual number of infected systems could be higher. While Symantec and others that monitor Internet security believed that previous worm MSBlast had spread to perhaps 500,000 computers, Microsoft later discovered that almost 10 million computers have been infected to date.

Internal networks belonging to companies that didn't patch their systems in time could be teaming with infected systems, Huger said. "The majority of the damage that we are going to see is going to be on the internal network," he said.

Rival antivirus company Panda Software raised Sasser.A and Sasser.B to a red alert status from amber on Sunday.

"This worm could definitely hit as many computers as MSBlast," said Patrick Hinojosa, Panda's U.S. chief technology officer. MSBlast, also known as Blaster, launched last summer and exploited a vulnerability as widespread as the flaw that Sasser uses to infiltrate systems.

Panda had also detected Sasser.C and Sasser.D variants, Hinojosa said. These two variants can look for 1,024 separate IP addresses simultaneously--as a means to spread itself--making it more virulent than the original, he added.

The Sasser worm does not carry a destructive payload, but it can result in system degradation, antivirus experts say.

"It can cause machines to reboot when connecting to the Internet. So, if you're a company, your edge servers will be continually rebooting," Hinojosa said.

Although Sasser.B does not feature a back door to allow spammers and others to enter a user's system, Symantec's Huger said he would not be surprised if that feature is added to later versions of Sasser.

4 comments

Join the conversation!
Add your comment
Are Mac OS X systems affected?
I didn't think so. HaHaHaHaHaHa! Bwah ha ha ha!!!
Posted by Dr Dude (49 comments )
Reply Link Flag
MS providing incorrect information
MS in giving incorrect information about this threat. There is one page "What you should know about the Sasser worm..." that says the only affected systems are Win 2K and XP. NT, 2003 and all 64 bit editions are claimed not to be affected.
However if you look at the security bulletin (MS04-11) you can find fixes for 2003, 64 bit editions, NT, whatever you like.
Weird to have fixes for OS versions that are not vulnerable??
Posted by Steven N (487 comments )
Reply Link Flag
Umm....
The virus was released for only certain operating systems. I believe XP, 2000, and 2003 all non 64 bit. The other operating systems however all did have the LSASS vulnerability, which is why you can get the security fixes for so many operating systems.

Unless I misread your comment, I think that should explain a bit for you.
Posted by (19 comments )
Link Flag
Typical these days, IT idiots...
everywhere. While the IT press was telling us how poorly written sasser is, the author of sasser is preparing the real payload in subsequent versions.

We have been misled on the severity of every piece of malicious code to date. While we are being told how benign is each threat, if you listen carefully, you can hear the screams from those who listened to the same crap but find the threat to be serious indeed.

IT has turned to sh.. , and second only to Microsoft, the IT press is the enemies biggest ally. Is the entire IT press community full of only morons?
Posted by bjbrock (98 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.