Biting the hand that feeds IT
Biting the hand that feeds IT
|
|
Original URL: http://www.theregister.co.uk/2004/05/04/sasser_worm/
European sysadmins returning to work after a long Bank Holiday weekend are in for a nasty surprise with the appearance of a fast-spreading Blaster-like Internet worm.
Sasser (http://www.f-secure.com/v-descs/sasser.shtml) exploits a recently-announced serious Windows vulnerability - a buffer overrun in Windows' Local Security Authority Subsystem Service. The fix (http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx) for this bug has caused widespread problems (http://www.theregister.co.uk/2004/04/28/ms_testing_u-turn), but has now become double-plus critical. So apply with caution.
Since its arrival on Saturday, Sasser has spawned three new versions. None spread by email. Each targets vulnerable Win 2000 and XP PCs.
When launched, the worm registers itself in the system registry and begins to aggressively scan IP addresses for PCs which have the vulnerability described in MS04-011 (http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx). A vulnerable computer will accept commands to download and launch copies of the worm. Downloading is carried out by the FTP protocol. As with Blaster, infected systems will often become unstable, but it's the aggressive scanning behaviour associated with the worm that's causing the most problems.
Computer systems of Sampo (http://www.heraldsun.news.com.au/common/story_page/0,5478,9460659%255E1702,00.html), Finland's third largest bank, RailCorp (http://www.news.com.au/common/story_page/0,4057,9454774%255E26462,00.html) in Australia and various other networks were hard hit by Sasser, resulting in operational problems.
Defensive measures involve the use of firewalls and applying patches from Microsoft. Anti-virus software will help with disinfecting systems -but once again this been found wanting in stopping the outbreak of a fast-spreading Internet worm. ®
Blaster body count '8m or above' - MS (http://www.theregister.co.uk/2004/04/05/blaster_hits_8m_pcs/)
Blaster beats up British business (http://www.theregister.co.uk/2004/03/02/blaster_beats_up_british_business/)
Blaster rewrites Windows worm rules (http://www.theregister.co.uk/2003/08/14/blaster_rewrites_windows_worm_rules/)
MS score card: four patches, 20 vulns, heaps of trouble (http://www.theregister.co.uk/2004/04/14/ms_patch_bonanza/)
MS rethinks security patch test scheme (http://www.theregister.co.uk/2004/04/28/ms_testing_u-turn1/)
© Copyright 2008