Sasser Worm
12-29-2004, 07:28 PM
Post: #1
For security administrators, this is not the welcome back they were hoping for after the weekend.

On Saturday May 1st, anti-virus software maker Panda Software issued a medium severity alert on the Sasser.A and B worms, which were already becoming the most heavily detected worms by the company's ActiveScan product. Besides its alarming spread, security experts are more concerned about the worm's similarity to Blaster and the threat it may pose when countless work and school machines are fired up at the start of the workweek.

Sasser.A exploits the LSASS vulnerability, one of several detailed in the MS04-011 bulletin released in April. The vulnerability was categorized as "critical" for Windows 2000 and XP, and "low" for Windows Server 2003. Attackers or malicious code taking advantage of this buffer overrun flaw have the ability to run and deposit code of their choosing on an affected system.

According to the Panda advisory page, Sasser.A mimics Blaster by casting a wide net for vulnerable systems:

Its behavior is similar to Blaster's. The worm scans random IP addresses until it finds unpatched systems. Once found, it copies itself into the Windows directory with the name AVSERVE.EXE and creates the following registry entry to ensure it is launched when the system is booted:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

avserve.exe = %windir%\avserve.exe

In addition, the vulnerability uses a buffer overflow to make the LSASS.EXE application crash. Because of this, the system can fail.

Users are being asked to update their virus-scanning software; McAfee and Norton have already updated their virus definitions for both the A and B variants of the worm. One troubling scenario put forth by PandaLabs' Luis Corrons underscores the importance of patching operating systems and keeping anti-virus software up to date.

In a company release, Corrons states that "large companies which have remote users that go on line via virtual networks or which work with laptops without corporate firewall protection may go online on Monday and find themselves affected by the virus even though they have the patch installed and the antivirus upgraded, due to the fact that both variants use the TCP 445 port to spread and this port is the one used to share folders and printers on the Internet."

Sasser.B quickly outpaced its sibling by Sunday evening, claiming the highest number of new infections. At the time of this writing, Estonia, Taiwan, Malaysia and Turkey were among the most affected regions, with Sasser.B claiming infection rates of 14% to 17% in those areas.
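As an added illustration (not part of the original post or the Panda advisory), a small Python detector for the two behaviours the excerpt describes: a host sweeping many distinct addresses on TCP 445 within a short window, and the avserve.exe value under the Run key. The firewall log format and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
# Constructed sample firewall log (not from the post). Assumed line format:
# "<epoch> <src_ip> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = "\n".join(
    # one host sweeping many distinct addresses on TCP/445 within seconds
    [f"{1083456000 + i} 10.0.0.5 -> 192.168.{i}.{7 * i % 250 + 1}:445 TCP" for i in range(12)]
    # a normal client talking to a single file server over SMB
    + [f"{1083456000 + i} 10.0.0.9 -> 10.0.0.2:445 TCP" for i in range(20)]
    + ["1083456005 10.0.0.9 -> 10.0.0.3:80 TCP"]
)

LINE_RE = re.compile(r"^(\d+) (\S+) -> ([^\s:]+):(\d+) (TCP|UDP)$")

def parse_lines(text):
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), int(m.group(4)), m.group(5)

def find_445_scanners(text, window=60, threshold=10):
    """Map src_ip -> distinct TCP/445 destinations reached within any `window`
    seconds, for hosts at or above `threshold` (random-IP sweep behaviour)."""
    events = defaultdict(list)
    for ts, src, dst, port, proto in parse_lines(text):
        if proto == "TCP" and port == 445:
            events[src].append((ts, dst))
    scanners = {}
    for src, evs in events.items():
        evs.sort()
        best = 0
        for i, (t0, _) in enumerate(evs):
            best = max(best, len({d for t, d in evs[i:] if t - t0 <= window}))
        if best >= threshold:
            scanners[src] = best
    return scanners

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
def run_key_has_avserve(reg_export):
    """True if a .reg-style export defines an avserve.exe value under the Run key
    (the persistence entry described in the advisory)."""
    in_run = False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = line == f"[{RUN_KEY}]"
        elif in_run and line.lower().startswith('"avserve.exe"='):
            return True
    return False
```

The scan threshold is a tuning knob: a legitimate file-server client talks to a few fixed hosts on 445, while the sweep described above touches dozens of distinct addresses in seconds.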
