Sasser variants spawn headaches

Two new variations of the Sasser internet worm were identified by antivirus companies just days after the original version...

Two new variations of the Sasser internet worm were identified by antivirus companies just days after the original version appeared on Friday.

Antivirus experts said the Sasser outbreak is likely to have peaked, and expected the rate of new infections to slow.

Sasser exploits a recently disclosed hole in a component of Microsoft's Windows operating system, called the Local Security Authority Subsystem Service, or LSASS. Microsoft released a software patch, MS04-011, on 13 April.

Sasser is similar to an earlier worm, Blaster, because users do not need to receive an e-mail message or open a file to be infected. Instead, just having a vulnerable Windows machine connected to the internet with communications port number 445 is enough to catch Sasser.

After appearing on Friday, the worm spread quickly around the world, and may have infected a few hundred thousand machines, said Johannes Ullrich, chief technology officer at the Sans Institute's Internet Storm Center, which monitors malicious activity on the internet.

Given the large number of vulnerable computers that have been infected by Sasser, a Windows machine connected to the internet could be infected in as little as two minutes, said Graham Cluley, senior technology consultant at antivirus company Sophos.

Early versions of the worm spread slowly, however, especially compared with Blaster, which appeared in August 2003 and peaked just hours after its release.
By comparison, Sasser.A contained features that prevented it from rapidly scanning the internet for other vulnerable hosts and at first appeared to be a low-level threat. However, new versions of the worm that appeared over the weekend, especially Sasser.C, improved on failures in Sasser.A, allowing infected machines to scan for many more infected hosts, Ullrich said.

Sasser's spread was also slowed because it relied on port 445, which has long been a target of malicious threats, such as Agobot, a prolific Trojan program. As a result, many companies blocked access to port 445 long before Sasser appeared, said Joe Stewart, senior security researcher at LURHQ, a managed security services provider.

Many of the infected machines are probably home computers connected to the internet with broadband connections and already infected with other viruses, including a malicious program called "Phatbot" that has been modified to take advantage of the LSASS vulnerability.

However, more Sasser versions appear to be on the way that could use different communications ports to spread, Ullrich said.

Sophos identified yet another variant, Sasser.D, yesterday.

The Internet Storm Center set its internet alert or "Infocon" level to "yellow" over the weekend, indicating a "significant new threat". The alert level was expected to stay at "yellow", when more infections were likely as workers returned to their offices, possibly with laptop computers infected through home internet connections.

However, Ullrich expected the alert level to return to green as users repair infected systems.

Like other viruses, including Blaster, Sasser will linger on the internet for a long time, Cluley said.

"We're still finding people who are infected with Blaster. Many people won't even know they're infected with Sasser for months, and those infected machines will continue to try to infect others in the weeks and months ahead," he said.

Paul Roberts writes for IDG News Service

Microsoft hunts Sasser author >>

Read more on Antivirus, firewall and IDS products