Corporate users are keeping a wary eye on their networks
for signs of the W32/Sasser worm, even as antivirus firms are
warning of several new variants.
American Express was one of the largest companies to report
infections from the Sasser worm on Monday, and the SANS Institute's
Internet Storm Center (ISC) maintained a yellow warning yesterday
despite expectations earlier in the day that the Sasser outbreak
would wind down on Monday.
Amex experienced Sasser infections on employee desktops
beginning on Sunday that disrupted the company's internal networks
but did not have an impact on customer services, according to Judy
Tenzer, a company spokeswoman.
The company refused to reveal how many computers were affected,
or how the worm penetrated the company's network, but the
infections were limited to employee desktops and did not affect
critical servers at the company.
Delta Airlines, meanwhile, experienced technical difficulties on
Saturday that forced the cancellation of some flights. The
computer problems began at 2:50pm local time on Saturday and were
fixed by 9:30pm local time that evening, said Katie Connell, a
Delta spokeswoman.
Connell would not comment on the cause of the problems, or which
systems were affected, citing a continuing investigation. Delta
does use Microsoft products and the Windows operating system.
Among leading financial services companies, the impact of Sasser
was generally light. Companies including Citibank and Lehman
Brothers Holdings had around a dozen Sasser infections, rather than
hundreds or thousands of systems infections, a source said.
Most of the infected systems so far belong to relatively
unprotected home users, said Graham Cluley, senior technology
consultant for antivirus firm Sophos.
The impact on businesses has been limited, thanks to the
standard firewall, network-filtering and antivirus systems that
most have in place, he said, although he warned that situation
could begin to change as millions of mobile and home-based office
workers connect infected PCs to corporate networks.
"So far, the Sasser worm has had a low impact," said Eric
Beasley, senior network administrator at Baker Hill, a provider of
application services to the US banking industry.
The company started patching systems on Saturday and is checking
all laptops used by employees before permitting them to log onto
the corporate network. "This can be done by a company with only 160
employees. In larger environments, I am sure they have their hands
full today."
Los Angeles law firm Latham & Watkins is "watching things
very closely", said manager of technology Eric Goldreich. "We spent
a long weekend - mostly Saturday afternoon and evening - patching
servers. So far, so good - no problems."
Ohio-based ISP First Internet has seen a "substantial" increase
in attempted connections to TCP port 445, the port over which Sasser
reaches the vulnerable Windows service it exploits, said Mike Tindor,
the company's vice president of network operations. Since the Sasser
outbreak began, hits on port 445 have been about 2.3 times the number
of hits on port 135, which is usually the busiest port.
"However, we are blocking all associated Sasser ports, both
inbound and outbound," Tindor added. "Our network has not been
impacted by this worm to any extent thus far, nor is it being used
to propagate this particular worm."
Sasser exploits a flaw in a Microsoft Windows component, the
Local Security Authority Subsystem Service (LSASS).
The worm needs no user interaction to spread, and it does not travel
by e-mail or attachments. Instead it scans for internet-connected
systems on which the unpatched service is reachable over TCP port 445
and instructs each one it compromises to download and execute a copy
of the malicious code. The exploit can cause infected systems to
repeatedly reboot, but the worm does little damage beyond that.
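The traffic picture Tindor describes above, and the scan-then-download behaviour just outlined, can be triaged from ordinary firewall connection logs. The following Python is an added example, not code from the article or from First Internet: it reproduces the kind of port-445-to-port-135 hit ratio the ISP reported, flags any source that sweeps many distinct addresses on TCP 445 within a short window (the fan-out of a worm hunting for unpatched LSASS services), and lists connections to the TCP ports the original Sasser used for its FTP download (5554) and remote shell (9996). The log format and the addresses are constructed, and the 5554/9996 port numbers come from published analyses of the worm rather than from the article, which names only port 445.

```python
"""Sasser-style traffic triage over constructed firewall connection logs.

Added example, not the article's or First Internet's code. The log format,
the addresses and the 5554/9996 port numbers are assumptions (see comments).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# TCP 445 is the port the article names: the worm reaches the vulnerable LSASS
# service over it. 5554 (FTP listener that hands out the worm body) and 9996
# (shell the exploit opens) come from published analyses of the original
# Sasser, not from the article; adjust for other variants.
EXPLOIT_PORT = 445
BACKDOOR_PORTS = {5554, 9996}

# Hypothetical firewall log line: "<ISO-time> <ACCEPT|DROP> TCP src:sport -> dst:dport"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


class Record(NamedTuple):
    ts: datetime
    action: str
    src: str
    dst: str
    dport: int


# Constructed sample: two ordinary hosts, one infected host (10.0.0.7) sweeping
# TCP 445 across a /24, and one victim pulling the worm body from 10.0.0.7's
# FTP listener on 5554.
SAMPLE_LOG = [
    "2004-05-03T10:00:00 ACCEPT TCP 10.0.0.5:1040 -> 10.0.0.20:135",
    "2004-05-03T10:00:02 ACCEPT TCP 10.0.0.5:1041 -> 10.0.0.20:445",
    "2004-05-03T10:00:05 ACCEPT TCP 10.0.0.6:1102 -> 10.0.0.21:135",
    "2004-05-03T10:00:09 ACCEPT TCP 10.0.0.6:1103 -> 10.0.0.21:135",
] + [
    f"2004-05-03T10:00:{10 + i:02d} DROP TCP 10.0.0.7:{2000 + i} -> 192.0.2.{i + 1}:445"
    for i in range(12)
] + [
    "2004-05-03T10:00:30 ACCEPT TCP 192.0.2.3:1050 -> 10.0.0.7:5554",
]


def parse(lines):
    """Yield a Record for every line matching LOG_RE; skip anything else."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield Record(datetime.fromisoformat(m["ts"]), m["action"],
                         m["src"], m["dst"], int(m["dport"]))


def port_hit_ratio(records, port_a=EXPLOIT_PORT, port_b=135):
    """Hits on port_a divided by hits on port_b (the ISP's 445-versus-135 figure)."""
    hits = Counter(r.dport for r in records)
    return hits[port_a] / hits[port_b] if hits[port_b] else float("inf")


def find_scanners(records, port=EXPLOIT_PORT, min_targets=8,
                  window=timedelta(seconds=60)):
    """Sources that touched at least min_targets distinct hosts on `port`
    inside one `window`. Returns {src: peak distinct-destination count}."""
    by_src = defaultdict(list)
    for r in records:
        if r.dport == port:
            by_src[r.src].append((r.ts, r.dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            peak = max(peak, len(targets))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


def backdoor_connections(records):
    """(src, dst, dport) for traffic to the worm's FTP/shell listeners. A
    connection *to* 5554 on an internal host means that host is serving the worm."""
    return [(r.src, r.dst, r.dport) for r in records if r.dport in BACKDOOR_PORTS]


def triage(lines):
    recs = list(parse(lines))
    return {
        "hits_445_over_135": round(port_hit_ratio(recs), 2),
        "scanners": find_scanners(recs),
        "backdoor": backdoor_connections(recs),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The ratio alone is a weak signal, since port 445 also carries ordinary Windows file sharing; the scanner check (many distinct destinations from one source in a short window) and any connection to the 5554/9996 listeners are what single out an infected host rather than a busy one.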
Also floating around is what appears to be yet another variant
of Netsky, which has been infecting systems worldwide since
February. The latest variant, W32/Netsky-AC, poses as a cure for
Sasser.
A user who opens the attached file activates the virus, which
then e-mails copies of itself to addresses harvested from the
victim's computer.
Microsoft's recent decision to move from weekly to monthly
software patches has raised the stakes for companies that ignore
the security bulletins and updates, said Firas Raouf, chief
operating officer of eEye Digital Security, which discovered the
LSASS vulnerability.
"Now you have a handful of vulnerabilities that are addressed by
a single patch, so if you don't deploy a patch, you've opened four
or five doors to your network," he said.
Large companies are often reluctant to press software patches
into service out of fear they will break critical applications used
by employees or customers. However, waiting too long to apply a
software patch exposes companies to infection by a worm or virus
that takes advantage of the software hole fixed by the patch, Raouf
warned.
The most important thing is for organisations to have a process
in place to handle new vulnerabilities when they are revealed so
that they can act quickly to scan for vulnerable machines, test
patches, deploy patches or apply workarounds as needed, he said.
Jaikumar Vijayan writes for Computerworld and Paul Roberts writes for IDG News Service