May 1, 2004 10:25 AM PDT
Sasser worm begins to spread
The Sasser worm began spreading Friday night and seems to be moving at a pace far slower than previous worms such as MSBlast and Code Red, said Alfred Huger, senior director of security firm Symantec's response team.
"It is a slow burn," he said. "It is picking up speed, but right now we aren't seeing too much activity."
Get Up to Speed on...
Get the latest headlines and
company-specific news in our
expanded GUTS section.
"Due to the release of this worm, we moved to infocon yellow for the next 24 hrs," the Internet Storm Center site said. "The exact impact is not clear at this point."
Security experts did not know how far the worm had spread, but many companies reported some infections, said Vincent Gullotto, vice president of Network Associates' antivirus emergency response team.
"We have had 25 to 50 reports from companies that have had up to a few hundred machines infected," he said. "One company wanted to patch this weekend, but the worm infected their network first."
The creation of the worm didn't surprise the Internet's security community. Security experts widely predicted that a worm would soon start spreading using that particular flaw by exploiting a recent vulnerability in a component of Microsoft Windows known as the Local Security Authority Subsystem Service, or LSASS.
The Sasser worm spreads from infected computer to vulnerable computer with no user intervention required. The worm scans for vulnerable systems, creates a remote connection to the system, installs a file transfer protocol (FTP) server and then downloads itself to the new host.
The worm opens up the initial connection on a specific application data channel, or port, numbered 9996. After the worm infects the new host, the FTP server listens on port 5554 for new files.
The worm uses multiple processes to scan different ranges of Internet addresses. The scans attempt to detect the vulnerable LSASS component on port 445. Microsoft has analyzed the worm and believes it also spreads through port 139. Both are data channels used by the Windows file sharing protocol and, in many cases, are blocked by Internet service providers.
A team of Microsoft engineers worked through the night to analyze the worm, said Stephen Toulouse, security program manager for the software giant.
"We are still studying the worm, but we do know customers that install the update are protected from Sasser," Toulouse said.
The worm will cause the LSASS component of Windows to crash, according to analyses. Infected systems will then perform a 60-second countdown before restarting. Microsoft has created a Web page telling customers how to manually clean up the worm.
Antivirus firms also continue to analyze the worm.