(Information on this virus from Symantec & Microsoft found below.)
Security experts warn of nastier Sasser worm 06.05.2004
LONDON/SAN FRANCISCO - Computer security experts are warning that the Sasser
worm could merge with earlier virus-like programs to wreak more havoc on the
internet, just as companies and PC users clean up from the last attack and
authorities hunt for those responsible.
Since appearing on the weekend, the fast-moving Sasser computer worm has hit
PC users around the world running the ubiquitous Microsoft Windows 2000, NT
and XP operating systems, but it is expected to slow down as computer users
download anti-virus patches.
But Sasser could mutate by combining with the two-month-old Netsky worm,
making it a launching pad for further web attacks that would put it on par
with Blaster, the destructive worm that appeared last year and used infected
computers to attack Microsoft's website.
For now, the more benign Sasser worm does its harm by duplicating itself and
slowing down internet connections.
"My expectation is that Netsky and Sasser variants will merge and become
what we call one 'abundant threat' that attacks through email and software
vulnerabilities," said Jimmy Kuo, a research fellow at Network Associates
Inc.'s McAfee anti-virus unit.
The fast-moving Sasser worm, which has hit home users, corporations, and
government agencies throughout Europe, North America and Asia, does not
appear to damage hardware such as disk drives but it may damage software
applications on PCs, analysts said.
Estimates on how many users have been hit globally by the virus vary from
150,000 to 1 million, although analysts say the final tally could be in the
millions by the time the four Sasser variants work their way through the
internet.
Analysts were also unsure what economic damage Sasser had caused so far but
said the costs associated with things such as installing new software on PCs
and labour costs are likely to make it an expensive clean-up process.
Infected computers - if they are not cleaned up with a security patch and
protected by firewalls and anti-virus software - could be used by virus
writers to launch future attacks, experts said.
Microsoft said on Wednesday it was working with the Northwest Cybercrime
Task Force, a joint effort by the Federal Bureau of Investigation and Secret
Service, to hunt down those responsible for the latest worm outbreak.
Microsoft created a page on its corporate website to deal with the Sasser
threat and also offered a clean-up tool to rid infected computers of the
worm, said Stephen Toulouse, security program manager for the company's
Security Response Centre.
The world's largest software maker declined to say whether it planned to
offer a bounty, such as the US$250,000 reward it offered for the Blaster
worm creator.
One theory about the motives behind Sasser is that the creator is part of a
Russian group calling itself the "Skynet anti-virus group," the same group
behind the recurring Netsky email virus outbreak.
A message found deep in the coding of a recent Netsky variant claimed
responsibility for Sasser, analysts said.
Police say criminal groups, many of whom are believed to operate from
Eastern Europe, have hatched a string of computer viruses and worms capable
of taking over PCs.
The origin of internet threats is notoriously difficult to track, but
authorities managed to find teenagers responsible for creating a copycat
version of the Blaster worm. Minnesota teen Jeffrey Lee Parson was arrested
in August, followed by the arrest of an unidentified juvenile in Seattle in
September.
Sasser worm spreads, spurs hoax 'fix' 04.05.2004
The fast-spreading "Sasser" computer worm continues to spread,
causing infected systems to reboot without warning and disrupting banking
and other business in one of the biggest virus-like attacks on the internet
since last year.
The worm, which first struck over the
weekend and is already on its fourth variant, exploits a flaw in Microsoft's
Windows operating system identified in mid-April, computer security experts
said.
Unlike previous internet worms, Sasser
enters and infects vulnerable PCs without any action on the part of the
user, allowing it to spread quickly, they said.
By early today computer security companies
were also warning of a new twist on the virus: an email, claiming to be from
an antivirus company with an attachment purporting to fix Sasser infections,
that was actually a new form of the widespread, email-clogging Netsky virus.
Investment bank Goldman Sachs said its
Asian and US trading operations were back "at close to normal" after the
worm disrupted some of its systems by forcing computers to automatically
reboot.
Lucas van Praag, a Goldman Sachs
spokesman, declined to elaborate on the extent of the disruptions.
In Australia, Westpac Bank said it was hit
by the worm, and branches had to use pen and paper to allow them to keep
trading, The Australian newspaper reported.
US carrier Delta Air Lines also suffered a
computer glitch on Saturday that caused delays and cancellations of some
flights in its system. The company's computer systems were back to normal
Monday but the cause of the weekend problem is still being investigated,
said Peggy Estes, a company spokeswoman.
Finnish financial company Sampo
temporarily closed all of its 130 branch offices on Monday as a precaution.
"Compared to what happened with Blaster
... last August ... this virus has all the same features," said Mikko
Hypponen, Anti-Virus Research Director at Finnish data security firm
F-Secure, noting that both worms exploited relatively new holes in Windows
and frequently caused computers to reboot.
However, because the virus seeks out
infectable computers automatically and does not use email to spread, experts
said personal machines may be most vulnerable.
"I think this is more likely to hit home
users than businesses," said Graham Cluley, senior technology consultant for
Sophos, adding that those at the most risk were people who had not installed
a personal firewall. "They're basically going out there with a sign on their
head saying 'punch me.'"
Cluley said the fake email is actually
spreading a virus called Netsky-AC, which includes a message buried in its
code that seems to indicate the two viruses share the same author.
In the message, the virus writers refer to
themselves as "Skynet," which may be a reference to the computer system that
caused a nuclear war in the "Terminator" movies.
Virus experts said Sasser also contains a
hole of its own, in the file transfer protocol server that it installs,
which could be either a second way into an infected system or author error.
"Either the author brilliantly included a very difficult to detect backdoor
or the author himself wrote vulnerable code," said Chris Rouland, vice
president of X-Force, the research and development arm of Internet Security
Systems Inc.
Stephen Toulouse, a manager at Microsoft's
Security Response Center, said the software company was working with the FBI
to track down those responsible for the worm.
The Sasser worm exploits a flaw in a part
of Windows known as the Local Security Authority Subsystem Service, or LSASS,
which had been targeted in a Microsoft security update released on April 13.
A link on Microsoft's home page instructs
users to make sure that they have installed a protective firewall, updated
Windows to close the security loophole the worm exploits and then remove the
worm from their hard drives.
Experts said that while the Sasser worm
does not seriously damage infected computers, hackers could try to spin off
more malicious variants in the coming days.
The impact of the fast-spreading virus was
also seen as tempered by holidays which closed many offices on Monday in the
United Kingdom, parts of Europe and Japan.
Information from Symantec