Sasser Worm Prompts New Security Strategies

Computer virus attacks are up dramatically from 2,400 in 1995 to more than 80,000 in 2002. It seems that almost every week, there’s a new, threatening virus. Now the Sasser worm — which could in fact be a clone, at least in its effects, of last year’s MSBlaster and Slammer worms — is said to have affected more than one million systems worldwide so far.

Traditionally, protection has been available to consumers and corporations as downloadable software in the form of antivirus packages or software firewalls. But several companies are stepping up with alternative technologies to combat the malware threat.

For example, a new AMD processor on the market contains built-in protection against viruses like Sasser and MSBlaster. This hardware, when used in combination with the upcoming Windows XP Service Pack 2, is said by the company to be able to prevent these types of worms and viruses before they infect a PC.

Meantime, Secure Computing and SonicWALL have announced enterprise technologies designed specifically to combat threats such as the malicious Sasser worm and the nastier Sasser variant that industry analysts and virus experts predict will break out over the upcoming weekend. PandaSoft, a security-services firm, is attempting to trace the virus writers through analysis of the Sasser code.

Enterprise Firewalls for Sasser Defense

Security experts have predicted the Sasser worm might soon merge with Netsky and create a far more destructive worm. In addition to antivirus software, a worm can be stopped at the perimeter of networks that are protected by hardware firewalls designed to monitor malicious activity.

“The recent outbreak of malicious attacks such as Sasser, MyDoom and Netsky should be a wake-up call to industry,” said Mike Gallagher, senior vice president of product development for Secure Computing. “Many companies are relying on react-and-patch firewalls that are not able to cope with such zero-day outbreaks as Sasser, and the consequences can be devastating.”

Hardware firewalls that are designed to thwart application-based attacks, said Gallagher, offer much greater protection than relying on a desktop-patching approach alone.

Other Malware Defenses

Meanwhile, SonicWALL, a provider of integrated security systems, announced that SonicWALL’s new Intrusion Prevention Service (IPS), officially released yesterday, will protect customers from both externally originating Sasser worm attacks and internal propagation of the worm.

The Sasser worm takes advantage of a weakness in the Local Security Authority Subsystem of the Windows 2000 and Windows XP operating systems. The worm creates an FTP server on infected hosts and also uses these hosts to scan for vulnerable systems connected to the Internet.

Once a vulnerable target has been found, the worm establishes a remote connection to the target system and installs itself on the targeted system via an FTP request back to the original infected host. The propagation does not require any user intervention — such as opening an attachment — and the worm can cause random crashing and rebooting of infected computer systems.
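The scan-then-fetch pattern described above is what a perimeter or internal sensor can key on. The following is an added example, not code from the article or from any vendor named in it: it walks constructed flow records and flags hosts that contact many addresses on the LSASS/SMB port and are then contacted back on the worm’s FTP port by those same addresses. TCP 445 and TCP 5554 are the publicly documented Sasser ports, which the article itself does not name; the scan threshold and the flow-record layout are assumptions.

```python
"""Behavioural detection of Sasser-style propagation in flow records.

Added example (not from the article). Flags a host that (1) contacts many
distinct addresses on the Windows SMB/LSASS port and (2) is then contacted
back on the worm's FTP port by those same addresses. Port numbers are the
publicly documented Sasser values; the threshold and log format are assumed.
"""
from collections import defaultdict

SMB_PORT = 445          # LSASS is reached over SMB on TCP 445
WORM_FTP_PORT = 5554    # port Sasser's FTP server listens on (documented value)
SCAN_THRESHOLD = 5      # distinct SMB targets before a host counts as scanning

# Constructed flow records for illustration: (src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    ("10.0.0.7", "10.0.1.1", 445), ("10.0.0.7", "10.0.1.2", 445),
    ("10.0.0.7", "10.0.1.3", 445), ("10.0.0.7", "10.0.1.4", 445),
    ("10.0.0.7", "10.0.1.5", 445), ("10.0.0.7", "10.0.1.6", 445),
    ("10.0.1.3", "10.0.0.7", 5554),   # exploited target fetching the worm back
    ("10.0.1.5", "10.0.0.7", 5554),
    ("10.0.0.9", "10.0.2.1", 445),    # ordinary file-share use, one target only
    ("10.0.0.9", "10.0.2.1", 139),
    ("10.0.0.12", "10.0.3.3", 80),
]


def find_propagators(flows, threshold=SCAN_THRESHOLD):
    """Return {scanner_ip: sorted victims that called back on the FTP port}
    for hosts whose distinct SMB targets reach the threshold. A scanner with
    no callbacks is still reported (empty list): wide SMB scanning alone is
    worth an alert even before a successful fetch is seen."""
    smb_targets = defaultdict(set)
    ftp_callbacks = defaultdict(set)
    for src, dst, port in flows:
        if port == SMB_PORT:
            smb_targets[src].add(dst)
        elif port == WORM_FTP_PORT:
            ftp_callbacks[dst].add(src)   # dst is the suspected infected host
    result = {}
    for host, targets in smb_targets.items():
        if len(targets) >= threshold:
            confirmed = targets & ftp_callbacks.get(host, set())
            result[host] = sorted(confirmed)
    return result


if __name__ == "__main__":
    for scanner, victims in find_propagators(SAMPLE_FLOWS).items():
        print(f"{scanner}: wide SMB scan; callbacks from {victims or 'none'}")
```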

“Small to midsize businesses need advanced intrusion prevention services like SonicWALL’s to protect them from disruptive and highly sophisticated worms like Sasser,” said Douglas Brockett, SonicWALL vice president of worldwide marketing. “The size of one’s business is almost irrelevant when confronted with a threat that propagates rapidly and indiscriminately.”

Deep-Packet Inspection

Using what the company calls a deep-packet-inspection engine, SonicWALL’s IPS is able to analyze network packet contents as a whole rather than just packet header information, allowing for the identification and prevention of threats, such as Sasser, that disguise themselves deep inside network communications.

“With hackers and virus writers becoming more and more sophisticated, companies must consider additional measures to protect their networks until updated virus signatures and OS patches are available and implemented,” said Mike Chaput from PCSNetworks, a Berkeley, California, security reseller and SonicWALL partner.

While a number of government agencies, such as Britain’s Coast Guard and Taiwan’s Postal Service, were seriously affected by the Sasser worm, those using hardware firewalls or outsourced network protection are typically better able to cope with worm outbreaks than customers who use no firewalls, routers or security methods other than simply patching the at-risk operating system.

“Just as with earlier worms like Blaster, our Sidewinder protected us from the Sasser worm,” said Jim Johnson, Network Manager of the Maryland Department of Planning. “We appreciate the way Sidewinder G2 has been built from the ground up, including a hardened operating system, to thwart such attacks — even before they occur.”

Secure Computing’s application-defense strategy is at the heart of the design of the company’s Sidewinder G2 security appliance.

Antivirus Firms Hunt for Sasser Writers

While the Sasser worms continue to look for new victims to infect, the hunt for their creators has started. By applying proprietary forensic IT techniques to the code of these worms, PandaLabs, a security firm, is already on the lookout for clues that could lead to the arrest of their authors.

“The authors of Sasser must also be treated as particularly dangerous criminals, as evidence suggests that they also created the Netsky worms, and who knows how many other viruses, but letting viruses loose is a crime that should be investigated,” said Luis Corrons, head of PandaLabs.

The clues to the authors of computer viruses are hidden in the source code: lines of special characters that to the untrained eye don’t make any sense, but that can disclose a lot of information to experts.

“The authors of computer viruses usually have delusions of grandeur and therefore don’t miss any opportunity to leave their mark in the viruses they create,” explained Corrons. “However, this is often their undoing: It can be a date, the name of a city, a reference to a friend or girlfriend, etc., the slightest clue could be the key to detaining the author of the virus.”

Highly Probable Sasser Variants

However, until these delinquents are caught, users should continue to keep their guard up against the probable appearance of new viruses — by patching their operating systems, using software firewalls and considering some of the alternative, enterprise-class techniques, such as hardware firewalls, to protect their networks.

Considering how the previous attacks were carried out, it is likely that the authors of the Sasser and Netsky worms are putting the final touches on an extremely dangerous malicious code that — as they have done up until now — they will unleash over the weekend.

More companies and institutions are reporting that they have felt the effects of Sasser in one way or another. These include Heathrow airport in London, where one of the terminals was brought to a standstill, some governmental departments in Hong Kong, as well as the Suntrust Bank and American Express in the United States.

1 Comment

  • I would have liked to hear a little about the fact that Microsoft had a patch for the worm before it was released.
    I don’t really want to send the wrong message here, but would it be such a bad idea for Microsoft, or a collective of companies, to pay people to find loopholes? These guys that are developing this kind of code probably are just trying to get some attention for all the hard work that they have invested to no avail in a society that only recognizes people with a PhD or a badge.
