Experts consider Sasser's Netsky connection

A message buried in a new version of the Netsky e-mail worm is claiming responsibility for the Sasser internet worm, and computer...

A message buried in a new version of the Netsky e-mail worm is claiming responsibility for the Sasser internet worm, and computer security experts say there is evidence that the claim is legitimate.

Analysis of Sasser and Netsky code reveals many similarities between the two worms, even as a new version of the Netsky e-mail worm appeared on Monday that capitalised on fears caused by Sasser internet worms by posing as an antivirus software patch, experts said.

Netsky-AC is the 30th version of the mass-mailing e-mail worm to be released since Netsky-A appeared in February. Like earlier versions, the AC-variant uses e-mail messages and infected file attachments to spread from computer to computer. 

A message buried in the worm's code and directed to antivirus companies claims responsibility for Sasser, which first appeared on Friday and infected computers around the world by exploiting a recently disclosed hole in a component of Microsoft Windows called the Local Security Authority Subsystem Service, or LSASS.

"Hey av firms, do you know that we have programmed the sasser virus?!? Yeah, thats true," the message reads, in part.

The message is attributed to "the Skynet", a virus writing group that also claimed responsibility for other Netsky variants. The worm's author or authors included a sample of the Sasser worm raw "source" code as proof of the legitimacy of the claim, said Graham Cluley, senior technology consultant at Sophos. 

Analysis of that code, and other elements of the Sasser code, reveal similarities with the Netsky worm, said Joe Stewart, senior security researcher at LURHQ, a managed security services provider. 

After being run through a computer code compiler, the source code matches samples of the finished worm that LURHQ researchers obtained, said Stewart.

Other parts of Sasser are also very similar to elements of Netsky. "If you take Netsky apart, you can see similarities in the style," he added.

Those similarities include almost identical code to generate random numbers and a number of subroutines that Sasser and Netsky both use to interact with Windows, Stewart said.

The proliferation of new Sasser variants within hours of the first worm's release, each with subtle modifications of the original worm, also recalls the Netsky worm's proliferation, Cluley said. 

Recent Sasser variants, such as Sasser.C and Sasser.D, discovered yesterday, make changes to the worm's code that are designed to increase the number of infections. Sasser.C increases the amount of system resources devoted to searching for infected hosts. Sasser.D introduces a faster technique for determining whether Windows machines are online and worthy of trying to infect, though the change only works on Windows XP systems and causes Sasser to crash on computers running Windows 2000, Stewart said.

A similar pattern followed the release of Netsky-A, which most antivirus companies called a low risk when it appeared. Later versions of the worm improved on the first version and spread more widely. Different Netsky variants accounted for the top five viruses reported to Sophos in April.

However, the fact that Sasser contains code from Netsky does not mean the people created both viruses, Stewart said.

An author's message buried in the Netsky-K worm promised to be "the last version", after which the author would publish the worm's code on the internet. Many more variants followed that release and the code is believed to be widely available within virus writing circles, meaning that Sasser could be the work of anybody with access to that code. The exploit code for the LSASS vulnerability was also circulated widely on the Internet in the days preceding Sasser's release, he said.

"I think that they just saw the [LSASS] exploit out there and saw that it worked pretty well, so they borrowed elements of the code already written for Netsky and threw together Sasser in a short time frame," he said.

However, internet worms like Sasser have a shorter window of time in which to spread than e-mail worms, which can continue to thrive as long as they find new ways to trick e-mail users. Despite the release of new variants, the rate of new Sasser infections was falling yesterday. The number of infected machines also appeared to be dropping, according to LURHQ statistics, Stewart said.

The decreases were most likely because internet users heeded warnings about Sasser and patching vulnerable Windows systems or blocking the ports that Sasser uses to spread, he said.

Paul Roberts writes for IDG News Service

Microsoft hunts Sasser author >>

Sasser variants spawn headaches >>

Read more on IT risk management