Sasser Worm Begins To Spread
A worm, dubbed Sasser by antivirus firms, was spreading slowly throughout the Internet on Saturday, taking advantage of a vulnerability in unpatched Windows systems to infect new hosts.
Source: ZDNet

The Sasser worm began spreading Friday night and seems to be moving at a pace far slower than previous worms such as MSBlast and Code Red, said Alfred Huger, senior director of security firm Symantec's response team. "It is a slow burn," he said. "It is picking up speed, but right now we aren't seeing too much activity."
Comments
This is very good, the slow spread, I mean. Means lots of folks updated boxes and servers. I have been getting warnings from reliable folks that SSL on unpatched boxes would be attacked, for about 10 days now-- as well as the other vulns that Microsoft offered April patches for. Problem is, details were lacking. If anyone has an unpatched box that is NOT a Windows 2000 box, please fully patch your box. Note, there might also be patches for LSASS specifically forthcoming.
IF you have a Win2K box, there is an in-the-patch bug that is hitting some Win2K installs which is contained in the SSL patch. It is only hitting SOME Win2K boxes. If you have a Win2K box, please back up important stuff before you patch SSL, as if your box is affected it might not boot into Windows after installing this patch. I have several-reliable-source deep confirmation of this; TechRepublic, CNET, and eWeek all are saying Microsoft has confirmed this "bug in latest SSL patch" issue, on SOME Win2K boxes ONLY. Problem is, it is not global to even Win2K boxes, or it would have been caught. ONLY SOME Win2K boxes fail, and those fail to get back into Windows after being patched. Expect a Win2K-specific SSL patch rerelease after Microsoft figures out what happened and codes around it. Might even apply only to boxes with certain service packs on them at time of patch.
Not enough detail is known now publicly to specify what is happening in enough detail to give a simple workaround, right now workaround is a reload of Win2K for boxes affected by this patch in a bad way.
I brought this up mostly because of the SSL thing, and wanted both warning and encouragement for others running Windows versions other than Win2K to patch SSL pronto in the same message.
Note that LSASS and SSL base layers are partially interlinked in Win2K and XP, to understand why I seem to have sidetracked into talking about SSL in a thread about an LSASS trojan\worm hybrid (the listening part is a trojan in behavior categorizing).
I would suggest looking at http://www.microsoft.com/security/ once a week or so now, as good reading site. SysAdmins especially need to watch Technet and Security areas of Microsoft more often than in past.
And, there is a site that PCWorld is calling Editor's Choice site of the year which is very relevant for us in times of virus attacks:
http://www.viruslist.com/ is run by Kaspersky Labs. It has info before US sites do in many cases, especially for viruses that spread primarily east to west. It in essence is a quite good AV encyclopaedic reference. Folks might want to bookmark this site. It is an open access site.
John D.
http://www.f-prot.com/news/vir_alert/windows_security_report_040414.html
They also have released two def updates in less than 24 hours and rate it now as high risk due to the spread vectors used. Note the date of the HTML page, it is in year\month\day format.
John D.
Sasser.c can and wants to spawn over 1000 simultaneous threads on an infected box as it infects. This number of threads from one malware is not at all good for a computer, and can overwhelm it with threads running from a malware process.
Sasser.d is a network-overload attempting attack primarily.
One more pair of reasons to get your virus defs updated often with accurate defs that do not false-hit, and do a full system scan right after updating. AND, this virus can be infection-prevented on Windows boxes with security patching, the most applicable of which is the security patch package talked about in MS04-011. But, if the box is already infected, the virus also needs to be killed.
John D.-- Who stuck this in the only Sasser-specific thread in Short-Media's forum deliberately. Sources have been confirmed several ways for this, and I do not want to post a bibliographic link set here unless forced. Sources include CERT, TechRepublic's security specialists, F-Prot, and eWeek.
KingFish