Now Sasser.F confounds antivirus experts

Another version of the Sasser internet worm, Sasser-F, appeared on Monday, despite claims by German authorities to have arrested...

Another version of the Sasser internet worm, Sasser-F, appeared on Monday, despite claims by German authorities to have arrested the sole author of the worm on Friday.

Antivirus software companies issued warnings about the latest worm, which one antivirus expert called a crude adaptation that was unlikely to spread widely.

The discovery, more than three days after German authorities arrested 18-year-old Sven Jaschan for creating Sasser, suggests that the worm's code is circulating on the internet and raises the spectre of more Sasser versions.

Like earlier versions of Sasser, the F-variant exploits a recently disclosed hole in a component of Microsoft Windows called the Local Security Authority Subsystem Service, or LSASS. Microsoft released a software patch, MS04-011, on 13 April, which fixes the LSASS vulnerability. (See:

Symantec rated Sasser-F a "Category 2" or low-level threat and released a virus definition update for its products. Sophos and Panda Software also issued alerts.

Microsoft will update its Sasser cleaner tool to detect the latest variant.

Microsoft provided information to German authorities in Lower Saxony that lead to Jaschan's arrest. He provided an "extensive" confession when he was taken into custody, admitting to creating both the Sasser and Netsky worms in an effort to fight infections of the Mydoom and Bagle worms.

Based on that confession, authorities and Microsoft believed that Jaschan wrote all the versions of Sasser, including a new variant, Sasser-E, that appeared at the time of his arrest, according to Brad Smith, senior vice president and general counsel at Microsoft.

However, antivirus experts raised questions about the timing of the E-variant, which was not detected by antivirus companies until hours after the arrest. Experts also said that changes in the Netsky worm family over time and messages in both worms pointed to a group of virus writers, not a lone author.

Investigations are still going on and other arrests in the case were possible, said Smith.

The latest Sasser version does not disprove the lone-author idea, but suggests that the Sasser worm source code has been released on the internet, said Patrick Hinojosa, chief technology officer of Panda Software.

An analysis of the Sasser-F worm's code revealed that it is an offshoot of the original worm, Sasser-A, that does not include any of the changes or improvements to the worm introduced in previous variants, he said.

That would make sense, if the author released the Sasser source code with the initial worm, then made modifications to it himself, Hinojosa said.

"This is a variant of the [Sasser-A] source code. It's been out for more than a week and made the rounds of whatever computing underground [Jaschan] was connected to. Now somebody has had a chance to play with it," he added.
Hinojosa called the changes to Sasser-F "child-like". The changes include a switching the name of a process created by the worm to "Bill Gates", and the addition of new comments containing expletives, Hinojosa said.

The apparent release of the Sasser source code complicates the picture of who's responsible for Sasser. Once source code is available for a worm, it "lowers the bar" of technical knowledge needed to create a variant or a new worm, said Gerhard Eschelbeck, chief technology officer at Qualys.

Only an investigation of Jaschan's computer will confirm what role he had in the creation of the Sasser worm and its variants, and whether he worked with others to create and distribute the worms, Hinojosa said.

Paul Roberts writes for IDG News Service

Read more on IT risk management