
THE SASSER WORM

More than a million computers around the world have been infected by the "Sasser" computer worm or one of its variants, according to some estimates. The first version of the worm was released on 30 April 2004, but three modified versions have appeared since, known as Sasser.B, Sasser.C and Sasser.D. The worm causes infected machines to restart continuously when a user attempts to connect to the internet. Even when not doing this, the worm impairs the computer's performance.

Sasser does not rely on email to spread and requires no action by users to infect a machine. Each variant of the worm infects computers across a network by exploiting a bug in a part of Microsoft's Windows XP and Windows 2000 operating systems called the Local Security Authority Subsystem Service (LSASS). Microsoft revealed details of this flaw and also issued a software patch to fix it on 13 April 2004.

Once a computer is infected, it scans local network connections and randomly generated IP (internet protocol) addresses to find fresh systems to infect. Once a vulnerable computer is discovered, the worm breaks in and then installs an FTP (file transfer protocol) server. This allows it to transport a copy of itself to the new machine. "Computers which are not properly protected with anti-virus updates, firewalls and Microsoft's security patch are asking for trouble," says Graham Cluley, senior technology consultant at UK anti-virus company Sophos.

Cluley says the number of infected computers is difficult to calculate. However, some anti-virus companies estimate that the first version of Sasser has infected around 500,000 machines while later variants have gone on to hit about the same number. The first version of Sasser spread relatively slowly, but later variants were modified to scan for new machines more efficiently.

In a further twist, a bogus software patch for Sasser containing another computer virus has also been spreading via email. If a recipient runs this email attachment their computer becomes infected with a virus known as Netsky.AC. This sends the fake patch on to everyone in the victim's address book but does not delete files or cause other damage.

But Netsky.AC also contains a clue as to the identity of Sasser's creator. Buried in the virus's code is a message attacking anti-virus companies and claiming responsibility for Sasser as well as Netsky.AC. Cluley says the code of Sasser.D also includes a mention of Netsky. "There is a possibility these things are connected," he told New Scientist.

Up to a million computers may be hit by a new hi-tech virus which strikes when users simply log on to the internet. Small firms are thought to be most vulnerable to the Sasser bug as they are least likely to have the best "firewalls" and other anti-virus software. Unlike most viruses, which spread via email, Sasser can infect machines once users log on to the internet.

Visiting sites to view porn or illegally download software is thought to be riskiest. Some 2,000 machines have been infected but the global toll could be much higher. Graham Cluley of anti-virus company Sophos said, "If you don't have a firewall in place there's a good chance you'll be hit."

Home computer users are the main victims of the Sasser Windows worm, according to anti-virus firm Network Associates. Up to 80% of those hit have been home users and students, it reports. About 1.5 million people visited Microsoft's Sasser clean-up web page in the first 48 hours of its availability, the software giant said. The effects of the worm could be felt for many months, believes anti-virus firm Sophos.

"There is a fear that background radiation of the Sasser worm could be felt for months to come," said Graham Cluley, senior technologist at Sophos. "The big danger is a raft of new computers that are not protected," he added. According to Mr Cluley, new computers often do not have protection for up to nine months' worth of virus outbreaks. The Sasser worm first appeared on 1 May and estimates vary widely on how many Windows PCs have been infected by it.

Some reports suggest that up to a million machines are infected. Whatever the final numbers the worm's four variants have racked up an impressive list of victims between them. The virus was reported to have hit up to 300,000 machines at Deutsche Post making it impossible for staff to hand over cash. Machines at investment bank Goldman Sachs, the European Commission and British Airways and 19 regional offices of the UK Maritime and Coastguard Agency all fell victim to Sasser.

Up to 500 hospitals in New Orleans were shut down for several hours and social and health services in Washington state were also hit by the worm. Half of British Airways' computers at the check-in desks in Terminal Four were put out of action, leading to delays for customers. One customer of a Perth-based branch of WestPac bank threatened to charge it reconnection fees because he was unable to get his hands on cash earmarked to pay telephone and electricity bills.

Sasser spread rapidly in the first few days, said Richard Archdeacon, technical services director from security firm Symantec. "The fact that there have already been four variants tends to indicate that they are refining the code and looking for a way to spread it before the patches are in place," he told BBC News Online. Mr Archdeacon said worms like Sasser could potentially do more damage than many other recent viruses.

"Mass-mailing viruses are not as potentially dangerous because they can be cured with anti-virus software," said Mr Archdeacon. "But with Sasser you have to go and stick the patch in yourself." The vulnerability that Sasser exploits was first identified on 8 October 2003 by security firm eEye Digital Security. However, the first code to exploit the vulnerability only appeared a few days after the first patch for the loophole was released by Microsoft on 13 April 2004.

The virus can infect PCs running Windows 2000 and XP that are not patched against the loophole it exploits or do not have a firewall to protect themselves. According to anti-virus firms machines running Windows 95, 98 and Millennium Edition can help spread Sasser even though they cannot be infected by it. The virus is called a worm because it searches out machines to infect by itself without any help from users.

The latest version, Sasser.D, scans so aggressively for new computers to infect that it may cause networks to become congested with packets of data and slow down. Poor programming by Sasser's creator makes infected machines shut down. Microsoft and many security firms have released tools that help people find out if they are infected and to help them remove the virus from their system.

Microsoft played down reports that millions were being infected by Sasser. It reported that almost four times as many PC owners were downloading patches for security problems now compared to autumn in 2003. Holidays in the UK, parts of Europe and Japan may also help to limit the spread of the worm. Creators of other malicious programs are trying to cash in on the success of Sasser. The latest version of the Netsky virus, the 29th variant, travels with a file that claims to be a cure for Sasser sent out by anti-virus firms. (Source: New Scientist)


These articles have been collected from various sources. If you are the copyright owner of any of them contact us for either a credit and link to your site or removal of the article.