Two new variations of the Sasser internet worm were
identified by antivirus companies just days after the original
version appeared on Friday.
Antivirus experts said the Sasser outbreak is likely to
have peaked, and expected the rate of new infections to slow.
Sasser exploits a recently disclosed hole in a component of
Microsoft's Windows operating system, called the Local Security
Authority Subsystem Service, or LSASS. Microsoft released a
software patch, MS04-011, on 13 April.
Sasser is similar to an earlier worm, Blaster, because users do
not need to receive an e-mail message or open a file to be
infected. Instead, just having a vulnerable Windows machine
connected to the internet with communications port 445 reachable is
enough to catch Sasser.
After appearing on Friday, the worm spread quickly around the
world, and may have infected a few hundred thousand machines, said
Johannes Ullrich, chief technology officer at the SANS Institute's
Internet Storm Center, which monitors malicious activity on the
internet.
Given the large number of vulnerable computers that have been
infected by Sasser, a Windows machine connected to the internet
could be infected in as little as two minutes, said Graham Cluley,
senior technology consultant at antivirus company Sophos.
Early versions of the worm spread slowly, however, especially
compared with Blaster, which appeared in August 2003 and peaked
just hours after its release.
By comparison, Sasser.A contained features that prevented it from
rapidly scanning the internet for other vulnerable hosts and at
first appeared to be a low-level threat. However, new versions of
the worm that appeared over the weekend, especially Sasser.C,
improved on failures in Sasser.A, allowing infected machines to
scan many more hosts, Ullrich said.
Sasser's spread was also slowed because it relied on port 445,
which has long been a target of malicious threats, such as Agobot,
a prolific Trojan program. As a result, many companies blocked
access to port 445 long before Sasser appeared, said Joe Stewart,
senior security researcher at LURHQ, a managed security services
provider.
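The worm behaviour the article describes, an infected host probing port 445 on many other addresses without any user action, leaves a distinctive trace in perimeter firewall logs, which is one reason the companies mentioned above could block and watch that port. The script below is an added example for defenders, not code from the article, from IDG News Service or from any vendor it names; the log line format, the host addresses and the five-target threshold are constructed assumptions.

```python
"""Flag hosts that are sweeping port 445 across many destinations, the
Sasser infection vector described in the article.  Added example; the
iptables-style log format, addresses and threshold are assumptions."""
import re
from collections import defaultdict

# Constructed firewall log lines (not real traffic).  10.0.0.12 behaves
# like a Sasser-infected host: one connection to port 445 on each of
# eight distinct addresses.  10.0.0.20 talks to a single file server on
# port 445 repeatedly, which is ordinary SMB use.  10.0.0.31 fans out to
# many hosts but on port 80, so it is out of scope for this check.
SAMPLE_LOG = """\
May  3 09:00:01 fw kernel: DROP IN=eth1 SRC=10.0.0.12 DST=198.51.100.1 PROTO=TCP DPT=445
May  3 09:00:01 fw kernel: DROP IN=eth1 SRC=10.0.0.12 DST=198.51.100.2 PROTO=TCP DPT=445
May  3 09:00:02 fw kernel: DROP IN=eth1 SRC=10.0.0.12 DST=198.51.100.3 PROTO=TCP DPT=445
May  3 09:00:02 fw kernel: DROP IN=eth1 SRC=10.0.0.12 DST=198.51.100.4 PROTO=TCP DPT=445
May  3 09:00:03 fw kernel: DROP IN=eth1 SRC=10.0.0.12 DST=198.51.100.5 PROTO=TCP DPT=445
May  3 09:00:03 fw kernel: DROP IN=eth1 SRC=10.0.0.12 DST=198.51.100.6 PROTO=TCP DPT=445
May  3 09:00:04 fw kernel: DROP IN=eth1 SRC=10.0.0.12 DST=198.51.100.7 PROTO=TCP DPT=445
May  3 09:00:04 fw kernel: DROP IN=eth1 SRC=10.0.0.12 DST=198.51.100.8 PROTO=TCP DPT=445
May  3 09:00:05 fw kernel: ACCEPT IN=eth1 SRC=10.0.0.20 DST=10.0.0.3 PROTO=TCP DPT=445
May  3 09:00:06 fw kernel: ACCEPT IN=eth1 SRC=10.0.0.20 DST=10.0.0.3 PROTO=TCP DPT=445
May  3 09:00:07 fw kernel: ACCEPT IN=eth1 SRC=10.0.0.20 DST=10.0.0.3 PROTO=TCP DPT=445
May  3 09:00:08 fw kernel: ACCEPT IN=eth1 SRC=10.0.0.31 DST=198.51.100.1 PROTO=TCP DPT=80
May  3 09:00:08 fw kernel: ACCEPT IN=eth1 SRC=10.0.0.31 DST=198.51.100.2 PROTO=TCP DPT=80
May  3 09:00:09 fw kernel: ACCEPT IN=eth1 SRC=10.0.0.31 DST=198.51.100.3 PROTO=TCP DPT=80
May  3 09:00:09 fw kernel: ACCEPT IN=eth1 SRC=10.0.0.31 DST=198.51.100.4 PROTO=TCP DPT=80
May  3 09:00:10 fw kernel: ACCEPT IN=eth1 SRC=10.0.0.31 DST=198.51.100.5 PROTO=TCP DPT=80
May  3 09:00:10 fw kernel: ACCEPT IN=eth1 SRC=10.0.0.31 DST=198.51.100.6 PROTO=TCP DPT=80
this line is deliberately malformed and must be skipped
"""

# Fields we need from each line; anything that does not match is ignored.
LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict with src, dst, proto and integer dpt, or None if the
    line does not carry those fields."""
    match = LINE_RE.search(line)
    if match is None:
        return None
    rec = match.groupdict()
    rec["dpt"] = int(rec["dpt"])
    return rec


def port445_sweepers(log_text, min_targets=5):
    """Map each source address to the number of distinct destinations it
    tried to reach on TCP port 445, keeping only sources at or above
    min_targets.  Counting distinct destinations rather than raw hits is
    what separates a scanning worm from a workstation that simply uses a
    file server a lot."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "TCP" and rec["dpt"] == 445:
            targets[rec["src"]].add(rec["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, count in sorted(port445_sweepers(SAMPLE_LOG).items()):
        print(f"{src} reached {count} distinct hosts on port 445; isolate and patch (MS04-011)")
```

The threshold and the time window (here, the whole sample) are the tuning knobs: in a real network the counts would be taken per source over a short interval, because a worm reaches hundreds of addresses in minutes while legitimate SMB clients touch only a handful of servers all day.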
Many of the infected machines are probably home computers
connected to the internet with broadband connections and already
infected with other viruses, including a malicious program called
"Phatbot" that has been modified to take advantage of the LSASS
vulnerability.
However, more Sasser versions appear to be on the way that could
use different communications ports to spread, Ullrich said.
Sophos identified yet another variant, Sasser.D, yesterday.
The Internet Storm Center set its internet alert or "Infocon"
level to "yellow" over the weekend, indicating a "significant new
threat". The alert level was expected to stay at "yellow" while
more infections were likely as workers returned to their offices,
possibly with laptop computers infected through home internet
connections.
However, Ullrich expected the alert level to return to green as
users repair infected systems.
Like other viruses, including Blaster, Sasser will linger on the
internet for a long time, Cluley said.
"We're still finding people who are infected with Blaster. Many
people won't even know they're infected with Sasser for months, and
those infected machines will continue to try to infect others in
the weeks and months ahead," he said.
Paul Roberts writes for IDG News Service