By Jack M. Germain TechNewsWorld
05/03/04 9:58 AM PT
"These are two separate but unique working exploits," Charles Kaplan, MSS information security officer at VeriSign, told TechNewsWorld. "The LSASS exploit is far more significant because it will impact all unprotected PCs."
eMarketer Whitepaper: Optimizing the E-Commerce Experience
From the Web to the Contact Center, are you prepared to proactively engage and keep your savvy customers? Read how e-commerce leaders are optimizing their sites with ratings, reviews, live help, Web analytics, mobile and more.
A new worm that first materialized last Tuesday appeared in its third minor variant early this morning. The Sasser worm threatens any unpatched Windows computer that can be reached from the Internet, and always-on broadband machines with no firewall in front of them are the most exposed.
The rogue code was officially recognized and named early Saturday morning. The new worm also is known by a variety of aliases, including W32/Sasser-A, Sasser, W32/Sasser.worm, Win32.Sasser.A and W32.Sasser.Worm.
The key to sidestepping this worm is an up-to-date installation of the patch Microsoft (Nasdaq: MSFT) issued on April 13 in security bulletin MS04-011, Internet security experts said. Blocking inbound TCP port 445 at a firewall also keeps the worm away from machines that have not yet been patched, because that is the port it attacks through.
VeriSign (Nasdaq: VRSN) engineers were the first to report increased Internet traffic, based on monitoring of their customers' computer systems around the country since April 16. The rise in suspicious activity since then has Internet security experts bracing for what some analysts warn could be the next big worm attack worldwide.
Based on the latest tracking results, Charles Kaplan, a Managed Security Services division information security officer at VeriSign, told TechNewsWorld late Friday that he was very confident about his earlier predictions that a major worm infection was spreading across the Internet.
"It is now much more likely that this will become very large," Kaplan said.
How Sasser Works
The Sasser worm exploits a buffer overrun in the Windows Local Security Authority Subsystem Service (LSASS). Because LSASS runs with SYSTEM privileges, the overrun allows remote code execution that gives an attacker full control of the affected machine, with no action by the user. Unpatched computers reachable from the Internet over a broadband connection are at risk.
When the exploit lands, it overflows a buffer in LSASS.exe. Whether or not the worm's code runs, the service usually crashes, and because Windows cannot operate without LSASS it forces a reboot after a 60-second countdown. Aborting the countdown with the command shutdown -a only buys time: the next scan that reaches the machine crashes the service again, so the computer must be patched or cut off from port 445.
The worm spreads by scanning for hosts with TCP port 445 open, the port through which LSASS is reached, both on the network it has landed on and across the wider Internet. When it finds an unpatched system, it sends the exploit, producing the buffer overflow in LSASS.exe on each compromised computer.
The exploit's payload writes a script file named CMD.FTP on the victim and runs the standard Windows ftp.exe client against it. The script tells the victim to download a copy of the worm from the infecting machine, which runs a small FTP server on TCP port 5554, and then to execute it. The new victim then begins scanning in turn.
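The propagation chain above (sweep TCP 445, overflow LSASS, pull the worm back from the infecting host over FTP on TCP 5554) leaves a clear pattern in perimeter firewall logs. The following Python script is an added example, not code from the article or from any of the vendors it quotes: it flags hosts that contact many distinct addresses on TCP 445 within a short window, then confirms infection when a swept host connects back to the scanner on port 5554. The key=value log format, the field names, the 60-second window and the eight-target threshold are assumptions, and the log lines are constructed.

```python
"""Flag Sasser-style propagation in firewall logs.

Added example, not code from the article or from VeriSign. It looks for the
pattern the article describes: a host sweeping TCP/445 to deliver the LSASS
exploit, then victims pulling the worm back from that host's FTP listener on
TCP/5554. Log format, field names and thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORT = 445   # LSASS is reached over SMB; Sasser sweeps this port
FTP_PORT = 5554  # an infected host serves its copy here; victims fetch it via CMD.FTP

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)

# Constructed sample log (assumed key=value format). 10.0.0.5 sweeps ten hosts on
# TCP/445 in ten seconds; 10.0.0.9 is an ordinary file-share client; 10.0.1.7 then
# fetches the worm from 10.0.0.5:5554; 10.0.1.8's 5554 connection goes to a host
# that never scanned, so it is not counted.
SAMPLE_LOG = [
    f"2004-05-01T03:12:{i:02d}Z src=10.0.0.5 dst=10.0.1.{i + 1} proto=tcp dport=445 action=accept"
    for i in range(10)
] + [
    "2004-05-01T03:12:03Z src=10.0.0.9 dst=10.0.0.100 proto=tcp dport=445 action=accept",
    "2004-05-01T03:12:04Z src=10.0.0.9 dst=10.0.0.100 proto=tcp dport=445 action=accept",
    "2004-05-01T03:12:15Z src=10.0.1.7 dst=10.0.0.5 proto=tcp dport=5554 action=accept",
    "2004-05-01T03:12:16Z src=10.0.1.8 dst=10.0.0.9 proto=tcp dport=5554 action=accept",
    "2004-05-01T03:12:20Z src=10.0.1.7 dst=10.0.2.1 proto=tcp dport=445 action=accept",
]


def parse(lines):
    """Return (ts, src, dst, proto, dport) tuples sorted by time; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["dst"], m["proto"].lower(), int(m["dport"])))
    events.sort(key=lambda e: e[0])
    return events


def find_scanners(events, window=timedelta(seconds=60), min_targets=8):
    """Map src -> time it was first seen hitting >= min_targets distinct hosts on TCP/445 within window.

    A legitimate client talks SMB to a few servers repeatedly; a Sasser host talks to
    many distinct addresses once each, so distinct destinations are counted, not connections.
    """
    recent = defaultdict(deque)   # src -> (ts, dst) pairs inside the sliding window
    scanners = {}
    for ts, src, dst, proto, dport in events:
        if proto != "tcp" or dport != SMB_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()
        if src not in scanners and len({d for _, d in q}) >= min_targets:
            scanners[src] = ts
    return scanners


def find_propagation(events, scanners):
    """Return (victim, source) pairs: a TCP/5554 connection to an already-flagged scanner is the
    victim retrieving the worm, which confirms the exploit landed."""
    hits = []
    for ts, src, dst, proto, dport in events:
        if proto == "tcp" and dport == FTP_PORT and dst in scanners and ts >= scanners[dst]:
            hits.append((src, dst))
    return hits


def analyze(lines):
    events = parse(lines)
    scanners = find_scanners(events)
    return scanners, find_propagation(events, scanners)


if __name__ == "__main__":
    scanners, hits = analyze(SAMPLE_LOG)
    for src, ts in scanners.items():
        print(f"scanner {src} (first flagged {ts:%H:%M:%S}); isolate and patch")
    for victim, source in hits:
        print(f"{victim} fetched the worm from {source}:{FTP_PORT}; treat as infected")
```

Counting distinct destinations rather than connections is what separates a Sasser host, which touches each random address once, from a file-share client that reconnects to the same server many times. The threshold has to be tuned to the network; on a busy subnet the connection back to a flagged host on port 5554 is the stronger signal, because nothing legitimate listens there.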
Sasser's Risk Level Not Certain
Some Internet security sources said over the weekend that the Sasser worm is not destructive. Rather than taking down the computers it infects, the intent behind the worm appears to be the formation of a vast botnet through which its authors could direct denial-of-service attacks and other targeted attacks.
Most antivirus companies have set the Sasser warning level at medium risk while rating its potential for damage and distribution as high.
Infection reports have been received from Europe, Asia and the United States since Saturday. Emory Lundberg, research analyst in the Managed Security Services division of VeriSign, said the worm has been moving very slowly. Both he and VeriSign's Kaplan predicted this new worm will not spread at the rate of previous massive worms but will be more durable.
In an advisory to its customers issued Saturday night, VeriSign said, "Presently Sasser does not appear to be destructive in nature, but like MS-Blaster, it may lead to significant network performance problems, or it may take on a malicious payload in a new variant."
Worm Scope Expanded
The first signs of increased Internet activity revealed a surge in scanning activity looking for servers running the SSL/PCT protocol used by Microsoft IIS Web servers. Additional monitoring found evidence of automated attacks against LSASS.
"These are two separate but unique working exploits," Charles Kaplan, MSS information security officer at VeriSign, told TechNewsWorld. "The LSASS exploit is far more significant because it will impact all unprotected PCs."
With two exposed vulnerabilities, different hacker groups will focus their attacks on the weakness of their choice. If the worm only attacked SSL/PCT-based Web servers, consumers would be spared intrusions on their own computers; the result would be limited to varying degrees of disruption of Internet traffic as Web servers were compromised.
But attacks on LSASS involve consumers more directly, Kaplan said. The exposure is worst on always-on broadband connections, where an unpatched home PC sits reachable on TCP port 445 around the clock. In theory, consumers who connect by dial-up are less likely to be hit, because their machines are online only briefly and under changing addresses, which gives the worm's random scanning less time to find them.
Symantec (Nasdaq: SYMC) and one other Internet security firm obtained the exploit code late last week, after it was posted on several hacker Web sites. The code, which analysts said was generated by an automated worm-construction kit, is readily available for download, which makes it all the more threatening.
Is Sasser Worm or Trojan?
Some news accounts prior to the weekend quoted Internet security firm Symantec and the Internet Storm Center, which monitors Internet security intrusions worldwide by analyzing firewall records, as calling the malicious code activity a Trojan and not a worm.
But Kaplan disputed those claims. The characteristics of the captured code meet the definition of a worm, he said.
A Trojan is a malicious program disguised as, or hidden inside, another program. It must be started by a computer user who does not realize that malware is being installed.
A worm, on the other hand, gains access to a computer automatically. In essence, it enters through a vulnerable network service listening on an open port, with no action by the user. A worm is self-propagating code that copies itself to new hosts and continues the infection process from each of them.
Entry Points
Several agencies have verified the presence of an automated attack agent, or bot, known as AgoBot in the captured code. AgoBot runs undetected on an infected computer and gives the intruder full control of the system. Such compromised computers can then be used to continue the intrusion attacks across the Internet in wormlike fashion.
According to The Storm Center's Web site, computers infected with AgoBot scan some of these TCP ports: 2745, 1025, 80, 3127, 6129, 1433, 5000, 445, 443 and 135.
The LSASS flaw can be reached through the ports Microsoft's bulletin lists: TCP 135, 139, 445 and 593, plus UDP 135, 137, 138 and 445. Sasser itself attacks over TCP 445, so that single port is the one to watch and to block at the perimeter.
VeriSign verified increased scanning activity on port 445 in its customers' computers early last week.
Bot Component Causing Concern
A bot program enters a computer quietly through a vulnerability in a network-facing service. The SSL/PCT flaw in the Windows Web server stack and the LSASS flaw both provide such an unlocked door. Once installed, the intruding code runs undetected, executing commands as they arrive from whoever controls it.
The latest bot codes show signs of having been upgraded, according to security experts. This new bot variant is fine-tuned to exploit the LSASS weakness in computers that do not have the latest Microsoft patch.
It is precisely that risk that has security watchers worried. Depending on whose guesses are considered more accurate, the number of already-infected computers ranges from the hundreds of thousands to the millions.
Bot codes are extremely versatile, experts said, so bots that already infect computer systems from previous intrusions can easily be upgraded to accept new instructions that reflect the latest vulnerabilities.
Earlier estimates of the extent of infections caused by the various MSBlaster worm variants leveled off at around 500,000 computers. But Microsoft more recently announced that its Windows Update process had found and removed as many as 9.5 million copies during patching.
With Android, iPhone, BlackBerry, WinMo, Symbian, WebOS and plenty other mobile platforms fighting for space, is there room for one more? Samsung believes there is, and it's announced a new open mobile platform called "Bada." The company, which already makes handsets for several existing platforms, says Bada will make app-making easy for developers. The first Bada handset should be out in the first half of 2010.