Sasser worm begins spreading

  1. #1
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126

    Sasser worm begins spreading

    A worm has started spreading through the Internet using a vulnerability in a widely used component of the Windows operating system.
    The worm--dubbed Sasser by antivirus firms--began spreading Friday night and seems to be moving at a moderate pace, said Vincent Gullotto, vice president of Network Associates' antivirus emergency response team.

    "We have had 25 to 50 reports from companies that have had up to a few hundred machines infected," he said. "One company wanted to patch this weekend, but the worm infected their network first."

    This worm spreads by exploiting a recent vulnerability in a component of Microsoft Windows known as the Local Security Authority Subsystem Service, or LSASS. As previously reported by CNET News.com, security experts widely predicted that a worm would soon start spreading using that particular flaw.

    The Sasser worm spreads from infected computer to vulnerable computer with no user intervention required. The worm scans for vulnerable systems, creates a remote connection to the system, installs a file transfer protocol (FTP) server and then downloads itself to the new host.

    The worm opens up the initial connection on a specific application data channel, or port, numbered 9996. After the worm infects the new host, the FTP server listens on port 5554 for new files.

    The worm uses multiple processes to scan different ranges of Internet addresses. The scans attempt to detect the vulnerable LSASS component on port 445. Microsoft has analyzed the worm and believes it also spreads through port 139. Both are data channels used by the Windows file sharing protocol and, in many cases, are blocked by Internet service providers.

    A team of Microsoft engineers worked through the night to analyze the worm, said Stephen Toulouse, security program manager for the software giant.

    "We are still studying the worm, but we do know customers that install the update are protected from Sasser," Toulouse said.

    The worm will cause the LSASS component of Windows to crash, according to analyses. Infected systems will then perform a 60-second countdown before restarting. Microsoft has created a Web page telling customers how to manually clean up the worm.

    Antivirus firms also continue to analyze the worm.
    Source : http://zdnet.com.com/2100-1105-5203764.html
    -Simon "SDK"
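    The port behaviour the article describes (scanning 445/139, an initial connection on 9996, an FTP listener on 5554) can be turned into a simple log check. This is an added example, not code from the article or any vendor: it runs over constructed firewall log lines in an assumed "key=value" format and flags hosts whose traffic fits that pattern; the scan threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Ports named in the article: 445/139 (LSASS over Windows file sharing, scanned),
# 9996 (the worm's initial connection) and 5554 (the FTP server it installs).
SCAN_PORTS = {445, 139}
SHELL_PORT, FTP_PORT = 9996, 5554
SCAN_THRESHOLD = 5  # distinct 445/139 targets from one source; assumed tuning value

# Generic "key=value" firewall log line, a constructed format for this example.
LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")

def parse_line(line):
    """Return (src, dst, dport), or None for a line that does not match."""
    m = LINE_RE.search(line)
    return (m["src"], m["dst"], int(m["dport"])) if m else None

def detect_sasser(lines):
    """Map each suspicious host to a sorted list of findings."""
    scan_targets = defaultdict(set)  # src -> distinct hosts probed on 445/139
    findings = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed or unrelated line
        src, dst, dport = parsed
        if dport in SCAN_PORTS:
            scan_targets[src].add(dst)
        elif dport == SHELL_PORT:  # src opened the worm's initial connection (9996)
            findings[src].add(f"sasser-shell->{dst}")
        elif dport == FTP_PORT:  # dst runs the worm's FTP listener, src fetches from it
            findings[src].add(f"sasser-ftp-fetch->{dst}")
            findings[dst].add("sasser-ftp-listener")
    for src, targets in scan_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            findings[src].add(f"lsass-scan:{len(targets)} hosts")
    return {host: sorted(f) for host, f in findings.items()}

# Constructed sample: 10.0.0.5 sweeps six hosts on 445 and opens 9996 to 10.0.0.17,
# which then pulls the worm from 10.0.0.5:5554; 10.0.0.8 is ordinary file sharing.
SAMPLE_LOG = [
    f"2004-05-01 23:12:0{i} src=10.0.0.5 dst=10.0.0.{10 + i} dport=445 action=accept"
    for i in range(6)
] + [
    "2004-05-01 23:12:09 src=10.0.0.5 dst=10.0.0.17 dport=9996 action=accept",
    "2004-05-01 23:12:10 src=10.0.0.17 dst=10.0.0.5 dport=5554 action=accept",
    "2004-05-01 23:13:00 src=10.0.0.8 dst=10.0.0.20 dport=445 action=accept",
    "2004-05-01 23:13:01 src=10.0.0.8 dst=10.0.0.21 dport=445 action=accept",
    "2004-05-01 23:13:02 nothing parseable on this line",
]
```

Two hosts talking on 445 is normal file sharing and is not flagged; a single source sweeping many hosts on 445/139 and then talking on 9996 or 5554 is what stands out.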

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    On the bright side, (corporately), none of those ports should have either ingress or egress rights through the firewall, except, maybe, through VPN..... Hence, your policy should be that VPN clients are firewalled and can be scanned by the IT staff at any time to ensure the firewall is in place and effective.

    Other than that, (corporately), it _shouldn't be too much of a bother..... Of course, some moron will change it to be a little more difficult to stop......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Sounds like that damn malware that is on a crap load of sites now

  4. #4
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    The security researchers at eEye Digital Security are not impressed with the Sasser worm.
    The company, which found the flaws that were exploited by both the MSBlast worm and the Witty worm, on Saturday started analyzing the latest piece of attack code that takes advantage of a Microsoft Windows vulnerability discovered by its researchers. So far, eEye's analysts are surprised that the worm has spread so far.

    "It's so poorly written," said Marc Maiffret, chief hacking officer for the Aliso Viejo, Calif., company. "This could still have a lot of impact, but it's written by someone that could barely get the code working."

    The Sasser worm started spreading late Friday, and so far has not racked up the crowd of compromised computers that its predecessors have been able to claim. Such a limited spread could indicate that computer users are becoming more diligent about heeding warnings and patching their systems, but security researchers believe that the worm's poor programming has given network administrators a break.

    "If this virus was better written, you would have seen more impact," said Alfred Huger, senior director of security firm Symantec's response center.

    The Sasser worm spreads from infected computer to vulnerable computer with no user interaction required. The worm exploits a recent vulnerability in a component of Microsoft Windows known as the Local Security Authority Subsystem Service, or LSASS. After scanning for vulnerable Windows XP and Windows 2000 systems, the worm creates a remote connection to the system, installs a file transfer protocol (FTP) server and then downloads itself to the new host.

    So far, it's only spread at a moderate to slow pace, antivirus experts said.

    Symantec has received about 100 reports, but only 20 from companies. Rival Network Associates has had alerts of the worm from 25 to 50 companies, with some firms reporting hundreds of infections. Still, that's small compared with the nearly 10 million computers infected by the MSBlast, or Blaster, worm.

    Huger said he worries that the number of infections might jump on Monday if people take compromised laptops to work.

    "It still remains to be seen whether--when people take this to work--we will see a faster spread," he said.

    Currently, the infection rates do seem to be climbing steadily as well, said Johannes Ullrich, chief technology officer for the Internet Storm Center, which monitors network attacks.

    "It spreads like most of the other worms," he said. "It prefers local networks and it has the usual semi-random spread."

    Code in the worm will cause it to spread randomly half the time, to the same A-class network as the infected host a quarter of the time, and to the same B-class network the remaining time. There are about 65,000 addresses in a B-class network and about 16.8 million addresses in an A-class network. Ullrich added that the worm is not able to infect 100 percent of the time, perhaps indicating that Sasser itself has a bug.

    That's par for the course for worms, eEye's Maiffret said.

    "It just goes to show that the people who are smart enough to create a good worm are either too responsible to do it, or they are the bad guys and they know that worms highlight vulnerabilities and make it more likely that people patch holes," he said.

    For those people, a worm only draws attention to flaws that they want to exploit themselves, he said.
    Source : http://zdnet.com.com/2100-1105_2-520...=zdfd.newsfeed
    -Simon "SDK"

  6. #6
    I just ran into a victim of this virus, and I have a few things to say real quick from my attempt to fix it...

    For details on each of these steps, read the following instructions.

    1. To end the malicious process
    To end the malicious process:
    Press Ctrl+Alt+Delete once.
    Click Task Manager.
    Click the Processes tab.
    Double-click the Image Name column header to alphabetically sort the processes.
    Scroll through the list and look for the following processes:
    avserve2.exe
    any process with a name consisting of 4 or 5 digits followed by _up.exe (eg 74354_up.exe).
    If you find any such process, click it, and then click End Process.
    Exit the Task Manager.
    a couple problems with this....

    First off, the shutdown message coming before you can do anything.

    Second-

    Scroll through the list and look for the following processes:
    avserve2.exe

    any process with a name consisting of 4 or 5 digits followed by _up.exe (eg 74354_up.exe).
    If you find any such process, click it, and then click End Process.
    The problem here is that there are tons of these processes, and they move around and change names! There were over 20 instances of avserve2 at one point, and even more *_up.exe.


    Third-
    AVG and housecall failed to delete these files.


    I didn't get a chance to do some of this, but I will tonight.

    1. MemorY had a great idea, go to the command prompt and use "shutdown -a" to abort the shutdown. Great idea.

    2. To clean/ delete the files, you should be able to run AV in safe mode, (F8 at startup is it? Gosh I always forget...) because it prevents them from starting in the first place.

    Anyways, Symantec failed to warn about that happening, with the processes and all...

    Hope I helped somehow.
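    The manual step quoted in the post (sort the Task Manager list and look for avserve2.exe or a 4-5 digit name ending in _up.exe) is easy to get wrong by eye when there are dozens of instances. This is an added example, not code from the post or from Symantec: it scans constructed `tasklist`-style output for exactly those two name patterns and reports every matching pid.

```python
import re

# Names the removal instructions quoted above tell you to look for: avserve2.exe and
# a process named 4 or 5 digits followed by _up.exe (e.g. 74354_up.exe).
INDICATOR_RE = re.compile(r"^(avserve2\.exe|\d{4,5}_up\.exe)$", re.IGNORECASE)

def parse_tasklist(output):
    """Parse `tasklist`-style text into (image name, pid) pairs. Header rows and
    image names containing spaces are skipped; neither indicator contains a space."""
    procs = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            procs.append((parts[0], int(parts[1])))
    return procs

def find_sasser_processes(output):
    """Return {image name (lower-case): [pids]}. The post reports over 20 avserve2.exe
    instances at once, so every pid is kept rather than only the first."""
    hits = {}
    for name, pid in parse_tasklist(output):
        if INDICATOR_RE.match(name):
            hits.setdefault(name.lower(), []).append(pid)
    return hits

# Constructed tasklist output for the example; 123_up.exe has only 3 digits and
# must not match the "4 or 5 digits" rule.
SAMPLE_TASKLIST = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         16 K
lsass.exe                    240 Console                 0      1,204 K
explorer.exe                 812 Console                 0     12,340 K
AVSERVE2.EXE                1204 Console                 0      2,004 K
avserve2.exe                1388 Console                 0      2,012 K
74354_up.exe                1402 Console                 0      1,100 K
123_up.exe                  1410 Console                 0      1,100 K
"""
```

Run it against a fresh `tasklist` capture after the post's "shutdown -a" step to see whether anything is still running before booting into safe mode for the clean-up.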

  7. #7
    The Doctor Und3ertak3r
    Join Date
    Apr 2002
    Posts
    2,744
    Just happy happy happy..huh..NOT !!!!!

    Bad enough Sasser.. but a .b AND a .C version.. in a little over a day

    Not looking forward to work tomorrow... (Holiday here ).. at least I will be better prepared.. I hope..

    3 variants to keep us happy.. and by tomorrow.. how many more?.. I'm patched.. but having the double ended flows at the end of the week has resulted in a couple of my work systems not being patched...argh..

    yep. thanks for the thoughts Soda..


    Cheers
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Originally posted here by Und3ertak3r
    Bad enough Sasser.. but a .b AND a .C version.. in a little over a day

    Not looking forward to work tomorrow... (Holiday here ).. at least I will be better prepared.. I hope..

    3 variants to keep us happy.. and by tomorrow.. how many more?.. I'm patched.. but having the double ended flows at the end of the week has resulted in a couple of my work systems not being patched...argh..
    You can add a D variant to the list.

    http://vil.nai.com/vil/content/v_125012.htm
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  9. #9
    Macht Nicht Aus moxnix
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    From http://zdnet.com.com/2100-1105_2-5204667.html
    A newer, better-built version of the Sasser worm has boosted the infectiousness of the original, spreading to more than 10,000 computers over the weekend, antivirus company Symantec said on Monday.
    The original version of the Sasser worm spread slowly, but the Sasser.B version released Saturday is infecting computers much faster.
    Panda has also detected Sasser.C and D variants, which could also be upgraded to red alerts Monday, Hinojosa said. These two variants can look for 1,024 separate IP addresses simultaneously--as a means to spread itself--making it more virulent than the original, he added.
    And as a kind of icing on the cake:
    Huger warned customers that many compromised systems may not be visible to external security surveys and detection, meaning the actual number of infected systems could be higher. While Symantec, and other organizations that monitor Internet threats, had believed that a previous worm, MSBlast, had spread to perhaps 500,000 computers, Microsoft discovered that almost 10 million computers had been infected to date.
    In another related news item:
    A message buried in a new version of the Netsky e-mail worm is claiming responsibility for the Sasser Internet worm, and computer security experts say that there is evidence that the claim is legitimate.
    Analysis of the Sasser and Netsky code reveals many similarities between the two worms, even as a new version of the Netsky e-mail worm appeared on Monday that capitalized on fears caused by Sasser Internet worms by posing as an antivirus software patch, experts say.
    Second Source
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  10. #10
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210
    <me thinks that soon, a few of the topics concerning this should get merged>

    here's a report that Microsoft's own
    Sasser.A and Sasser.B Worm Removal Tool (KB841720)
    is flawed..

    http://www.microsoft-watch.com/artic...129TX1K0000535

    quoted here as the above link and the eweek link (leaves some systems unbootable) wants to put a few doubleclick things in as reported by spybot's resident IE feature..

    Sunday, May 02, 2004
    On the Worm Watch: Sasser
    By Mary Jo Foley

    Windows users beware: The Sasser worm is spreading. And the patch which Microsoft made available to block the hole in Windows which Sasser is exploiting leaves
    some systems unbootable. This weekend, Microsoft made available for download a tool designed to remove the Sasser.A or .B worms from systems where the aforementioned patch has not yet been applied. What a mess.
    the eweek link says this..

    By Larry Seltzer
    April 29, 2004

    Microsoft Corp. has confirmed in a knowledge base article that its patch for a critical bug can cause some Windows 2000 systems to lock up and fail at boot time.

    The patch is for a particularly critical vulnerability of which experts have begun to see exploits in the last few days.

    The knowledge base article goes by the unusually long name: "Your computer stops responding, you cannot log on to Windows, or your CPU usage for the System process approaches 100 percent after you install the security update that is described in Microsoft Security Bulletin MS04-011."

    The problem occurs, according to the article, because Windows tries repeatedly to load drivers that fail to load. Microsoft acknowledges that the problem is a bug in the patch and that the company is investigating solutions.

    The article also gives one specific example, where the Nortel Networks VPN client is installed and the IPSec Policy Agent is set to Manual or Automatic for the startup type. In such cases, the article suggests disabling the IPSec Policy Agent.

    But the problem is a more general one, and these specific drivers need not be involved.
