Worm feeds on Sasser-infected computers


SDK
May 14th, 2004, 02:29 PM
Computers compromised by the Sasser worm may be vulnerable to a scavenging program that exploits a flaw in the software left behind by the worm, a security researcher said Thursday.
The worm--dubbed Dabber--has started spreading to Microsoft Windows systems, but likely won't have a large impact, said Joe Stewart, senior security researcher with network protection firm Lurhq.

"It is not going to be a big problem for anyone that is paying any attention at all to computer security," he said. "If somebody does get it, they probably already have Sasser and, most likely, Agobot as well."

Dabber is not the first worm to exploit back doors into compromised systems left behind by previous attackers. Two worms, Doomjuice and Deadhat, infected systems already compromised with the MyDoom virus.

However, Dabber may be the first worm to attack systems using a flaw in a previous malicious program. In this case, the file transfer protocol (FTP) server installed by Sasser to enable the worm to transfer itself to new hosts has a buffer-overflow vulnerability. Dabber uses that security flaw to spread to the new machine.

Once it copies itself to a new host, the worm will change the system settings so that the operating system runs the malicious program every time it starts up. Dabber will also attempt to block other worms, which may have infected the machine, from running.

Finally, the worm will establish a back door into the software to allow knowledgeable attackers to take control of the system.

The scavenging worm arrives as German police are investigating more leads in the Sasser case. Already, the suspected author has been arrested in that country, based on information leaked to Microsoft by informants interested in reward money.


Source : http://zdnet.com.com/2100-1105_2-5212284.html?tag=zdfd.newsfeed

Tiger Shark
May 14th, 2004, 02:42 PM
In this case, the file transfer protocol (FTP) server installed by Sasser to enable the worm to transfer itself to new hosts has a buffer-overflow vulnerability.

You gotta love it.... Even the worms have security vulnerabilities...... :D

KorpDeath
May 14th, 2004, 03:22 PM
That is great. LMAO!!!

browolf
May 16th, 2004, 02:31 AM
i got the dabber backdoor open on my honeypot, port 9898, but i don't seem to be picking anything up other than port scans atm.

Tedob1
May 16th, 2004, 10:45 PM
open it on 1023 and 5554. those are the ones that are being searched for

ShagDevil
May 17th, 2004, 12:26 AM
"It is not going to be a big problem for anyone that is paying any attention at all to computer security,"
So in other words, it will in fact be a big problem for the general PC using population who could care less about security and have more of a click-and-go-gimmie-gimmie-gimmie mentality, that will inevitably cause the small percentage of people who are actually paying attention to security issues, to lose bandwidth and have their firewalls bombarded by port scans of infected machines. :D
go figure.

Jareds411
May 17th, 2004, 01:13 AM
Lol, I almost died laughing!

dopeydadwarf
May 17th, 2004, 07:15 AM
You gotta love it.... Even the worms have security vulnerabilities......

Doesn't this prove a point? These things are only as smart as we allow them to be.

therenegade
May 17th, 2004, 09:46 AM
hehe...yup dopeydadwarf...but ROFLMAO at the concept

MURACU
May 17th, 2004, 10:30 AM
I love it. Just goes to show even virus writers aren't safe any more. What's the world coming to. :)

IntelliHacker
May 17th, 2004, 11:05 AM
The virus author is much likely to think of a different "style" of spreading the worm, if s/he reads this article.

Amplifiedgirl
May 17th, 2004, 02:42 PM
Good thing I retained my Win98 OS because it is not vulnerable to those kinds of worms that usually attack XP :)

Cybr1d
May 17th, 2004, 04:42 PM
Good thing I retained my Win98 OS because it is not vulnerable to those kinds of worms that usually attack XP


Silly rabbit, trix are for kids.
I'm glad you think that...gives me more work, hence more money :). I wish there were more people ignorant about worms....although there's still plenty to go around. I just helped my neighbor clean up her computer....she had 11 different types of viruses, including sasser, soBig, myDoom, netsky and a bunch of other ones...WEEEEEE FUN :D

SirDice
May 17th, 2004, 04:47 PM
I don't get it. Didn't sasser also leave a remote shell open to the world? Why exploit something when you can walk right in?

browolf
May 18th, 2004, 01:35 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=257731#post746581) by Tedob1
open it on 1023 and 5554. those are the ones that are being searched for

those are the sasser.e ports
not seeing much on them.
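
An added example, not part of any post in this thread: a small triage of honeypot connection logs that separates sources which only scanned from sources which actually sent data, for the three ports the posters name (9898, 1023, 5554). The log format, the sample lines and the function names are constructed for illustration.

```python
import re

# Ports named in the thread; labels follow what the posters say about them.
WATCHED = {
    9898: "Dabber backdoor (browolf's honeypot)",
    5554: "named by Tedob1, Sasser.E port per browolf",
    1023: "named by Tedob1, Sasser.E port per browolf",
}

# Constructed sample log (assumed format):
#   <time> <src_ip> -> <dst_port> <tcp_flags> bytes=<payload_len>
SAMPLE_LOG = """\
2004-05-16T02:10:01 192.0.2.10 -> 9898 S bytes=0
2004-05-16T02:10:09 192.0.2.11 -> 9898 S bytes=0
2004-05-16T02:11:30 192.0.2.10 -> 5554 S bytes=0
2004-05-16T02:12:02 198.51.100.7 -> 5554 S bytes=0
2004-05-16T02:12:03 198.51.100.7 -> 5554 PA bytes=412
2004-05-16T02:15:44 203.0.113.5 -> 1023 S bytes=0
2004-05-16T02:15:45 203.0.113.5 -> 445 S bytes=0
this line is malformed and must be skipped
"""

LINE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) -> (\d+) (\S+) bytes=(\d+)$")

def triage(log_text):
    """Return {port: {"scans": set(src), "sessions": set(src)}} for watched ports."""
    result = {p: {"scans": set(), "sessions": set()} for p in WATCHED}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        _, src, port, _flags, nbytes = m.groups()
        port = int(port)
        if port not in WATCHED:
            continue
        kind = "sessions" if int(nbytes) > 0 else "scans"
        result[port][kind].add(src)
    # A source that sent payload at any point is not a scan-only source.
    for buckets in result.values():
        buckets["scans"] -= buckets["sessions"]
    return result

def summary(result):
    """Per port: (scan-only sources, sources that sent data)."""
    return {p: (len(b["scans"]), len(b["sessions"])) for p, b in result.items()}

if __name__ == "__main__":
    for port, (scans, sessions) in summary(triage(SAMPLE_LOG)).items():
        print(f"{port:5d} scan-only={scans} with-payload={sessions}  {WATCHED[port]}")
```
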

iankestor
May 24th, 2004, 08:41 PM
"...the general PC using population who could care less about security and have more of a click-and-go-gimmie-gimmie-gimmie mentality..."

I have a friend who does not have her own computer yet. She has used PCs of two other people and she said they have at least a dozen icons in the tray. I know people who - even after having been told not to still do - click on the pop-ups to: stop pop-ups(!?!), block spam, update/upgrade security, etc.! And the general population that at least cares some about security is clueless and without common sense!
Oh, you want to sell me a miracle cleaner? Wait right here I'll get you a blank check!