Corporate users are keeping a wary eye on their networks for signs of the W32/Sasser worm, even as antivirus firms are warning of several new variants.
American Express was one of the largest companies to report infections from the Sasser worm on Monday, and the SANS Institute's Internet Storm Center (ISC) maintained a yellow warning yesterday, despite expectations earlier in the day that the Sasser outbreak would wind down on Monday.
Amex experienced Sasser infections on employee desktops beginning on Sunday that disrupted the company's internal networks but did not have an impact on customer services, according to Judy Tenzer, a company spokeswoman.
The company refused to reveal how many computers were affected, or how the worm penetrated the company's network, but the infections were limited to employee desktops and did not affect critical servers at the company.
Delta Air Lines, meanwhile, experienced technical difficulties on Saturday that forced the cancellation of some flights. The computer problems began at 2:50pm local time on Saturday and were fixed by 9:30pm local time that evening, said Katie Connell, a Delta spokeswoman.
Connell would not comment on the cause of the problems, or which systems were affected, citing a continuing investigation. Delta does use Microsoft products and the Windows operating system.
Among leading financial services companies, the impact of Sasser was generally light. Companies including Citibank and Lehman Brothers Holdings had around a dozen Sasser infections each, rather than hundreds or thousands of infected systems, a source said.
Most of the infected systems so far belong to relatively unprotected home users, said Graham Cluley, senior technology consultant for antivirus firm Sophos.
The impact on businesses has been limited, thanks to the standard firewall, network-filtering and antivirus systems that most have in place, he said, although he warned that the situation could begin to change as millions of mobile and home-based office workers connect infected PCs to corporate networks.
"So far, the Sasser worm has had a low impact," said Eric Beasley, senior network administrator at Baker Hill, a provider of application services to the US banking industry.
The company started patching systems on Saturday and is checking all laptops used by employees before permitting them to log onto the corporate network. "This can be done by a company with only 160 employees. In larger environments, I am sure they have their hands full today."
Los Angeles law firm Latham & Watkins is "watching things very closely", said manager of technology Eric Goldreich. "We spent a long weekend - mostly Saturday afternoon and evening - patching servers. So far, so good - no problems."
Ohio-based ISP First Internet has seen a "substantial" increase in attempted connections to TCP port 445, the port Sasser uses to reach and exploit vulnerable systems, said Mike Tindor, the company's vice president of network operations. Since the Sasser outbreak began, hits on port 445 have been about 2.3 times greater than hits on port 135, which is usually the busiest port.
"However, we are blocking all associated Sasser ports, both inbound and outbound," Tindor added. "Our network has not been impacted by this worm to any extent thus far, nor is it being used to propagate this particular worm."
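The port-445 surge First Internet describes is easy to measure from ordinary firewall logs. The script below is an added example, not code from the article or from First Internet: it parses constructed drop-log lines in an assumed iptables-style syslog format, counts attempted connections per destination port, computes the same 445-to-135 ratio the ISP quotes, and lists sources that tried port 445 against several distinct hosts (the fan-out pattern of a worm scanning for targets). The log format, the sample addresses, and the alert thresholds are all assumptions chosen for illustration.

```python
"""Count TCP/445 connection attempts in a firewall log and flag worm-like scanning.

Added example, not from the article or First Internet. The log format
(iptables-style syslog), the sample lines and the thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log lines (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
May  3 10:01:02 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP DPT=445
May  3 10:01:02 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.6 PROTO=TCP DPT=445
May  3 10:01:03 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.7 PROTO=TCP DPT=445
May  3 10:01:03 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.8 PROTO=TCP DPT=445
May  3 10:01:04 fw kernel: DROP IN=eth0 SRC=203.0.113.44 DST=198.51.100.9 PROTO=TCP DPT=445
May  3 10:01:04 fw kernel: DROP IN=eth0 SRC=203.0.113.44 DST=198.51.100.5 PROTO=TCP DPT=135
May  3 10:01:05 fw kernel: DROP IN=eth0 SRC=203.0.113.44 DST=198.51.100.6 PROTO=TCP DPT=135
May  3 10:01:05 fw kernel: DROP IN=eth0 SRC=192.0.2.7 DST=198.51.100.5 PROTO=TCP DPT=80
May  3 10:01:06 fw kernel: DROP IN=eth0 SRC=192.0.2.7 DST=198.51.100.5 PROTO=UDP DPT=53
"""

# Fields we need from each line; everything else in the line is ignored.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return (src, dst, proto, dport) for one log line, or None if the fields are absent."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], m["proto"], int(m["dpt"])


def parse_log(text):
    """Parse every line of a log, silently skipping lines without connection fields."""
    return [rec for rec in (parse_line(line) for line in text.splitlines()) if rec]


def port_hits(records):
    """Count attempted connections per (protocol, destination port)."""
    return Counter((proto, dport) for _, _, proto, dport in records)


def port_ratio(counts, port_a=445, port_b=135, proto="TCP"):
    """Hits on port_a divided by hits on port_b (the article's 445:135 figure); None if port_b has none."""
    b = counts[(proto, port_b)]  # Counter returns 0 for missing keys
    return counts[(proto, port_a)] / b if b else None


def scanning_sources(records, port=445, proto="TCP", min_targets=3):
    """Sources that tried `port` against at least `min_targets` distinct destinations."""
    targets = defaultdict(set)
    for src, dst, p, dport in records:
        if p == proto and dport == port:
            targets[src].add(dst)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= min_targets)


def analyze(text, ratio_threshold=2.0):
    """Summarise a log and decide whether the 445 traffic warrants attention.

    The ratio threshold is an assumed value near the 2.3x the article reports.
    """
    records = parse_log(text)
    counts = port_hits(records)
    ratio = port_ratio(counts)
    scanners = scanning_sources(records)
    return {
        "tcp445": counts[("TCP", 445)],
        "tcp135": counts[("TCP", 135)],
        "ratio_445_to_135": ratio,
        "scanners": scanners,
        "alert": bool(scanners) or (ratio is not None and ratio >= ratio_threshold),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the script reports five TCP/445 attempts against two on TCP/135 (a 2.5 ratio) and singles out 203.0.113.10, which probed four different hosts on 445, as a scanning source. The per-source fan-out check is the more reliable signal on a real network, since a ratio alone can be skewed by a single busy host; in practice the same counts feed the decision to filter the affected ports at the edge, as Tindor describes.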
Sasser relies on a flaw in a Microsoft Windows component called the Local Security Authority Subsystem Service (LSASS) interface. The worm needs no user interaction to spread, nor does it travel through e-mails or attachments. It works by instructing any vulnerable internet-connected system to download and execute a copy of the malicious code. The worm can cause infected systems to reboot repeatedly, but does little damage beyond that.
Also floating around is what appears to be yet another variant of Netsky, which has been infecting systems worldwide since February. The latest variant, W32/Netsky-AC, poses as a cure for Sasser.
A user who clicks on the attached file will activate the virus and cause it to send copies of itself to other e-mail addresses found on the victim's computer.
Microsoft's recent decision to move from weekly to monthly software patches has raised the stakes for companies that ignore the security bulletins and updates, said Firas Raouf, chief operating officer of eEye Digital Security, which discovered the LSASS vulnerability.
"Now you have a handful of vulnerabilities that are addressed by a single patch, so if you don't deploy a patch, you've opened four or five doors to your network," he said.
Large companies are often reluctant to press software patches into service out of fear they will break critical applications used by employees or customers. However, waiting too long to apply a software patch exposes companies to infection by a worm or virus that takes advantage of the software hole fixed by the patch, Raouf warned.
The most important thing is for organisations to have a process in place to handle new vulnerabilities when they are revealed so that they can act quickly to scan for vulnerable machines, test patches, deploy patches or apply workarounds as needed, he said.