
THE SASSER WORM 2

Microsoft revealed a total of 20 software bugs in a bulletin issued on 13 April 2004, and the first version of Sasser appeared on 30 April 2004. Over the next few days this version and three variants, tweaked to improve the speed of infection, succeeded in infecting many hundreds of thousands of computers worldwide. Previously, the Blaster worm held the record for the fastest-written Windows worm: it was unleashed on 11 August 2003, using a vulnerability revealed 25 days before it started to spread.

Yet, despite the shrinking gap between the disclosure of a bug and the appearance of a worm or virus, experts say that trying to keep flaws secret would be more dangerous. A worm could cause far more damage if it were based on a vulnerability that was not widely known about, they say, as very few people would have a patch in place.

"There's a false notion that secrecy equals security," says computer security expert Bruce Schneier. "What you end up with is very fragile security: as soon as you lose your secrecy, you're insecure." Many computer worms, viruses and hacking tools exploit bugs that are openly disclosed by software companies.

Stuart Okin, chief security advisor for Microsoft UK, says flaws are often discovered by researchers outside of Microsoft. Microsoft says customers should apply software patches quickly and use firewall and anti-virus software to keep their systems secure. But Schneier believes this may disguise the main issue. "I believe the real problem is that software quality sucks," he told New Scientist.

Schneier suggests that software companies would improve the quality of their code if they were held legally liable for any damage resulting from bugs. Okin points out that Microsoft is working to improve the security of its code through a programme that began three years ago.

Microsoft credited its virus bounty scheme for the arrest of a German computer programmer who is suspected of unleashing the Sasser computer worm. The unnamed 18-year-old student from Rotenburg, a small town in the northern state of Lower Saxony, is reported to have confessed to creating the worm, after being apprehended by police.

"Given detailed statements by the student on the viruses that he created, he has been identified without doubt as being behind them," said a spokesman for Lower Saxony police. The suspect was tracked down after sources contacted Microsoft to ask if it would give them a financial reward for information about the author of the worm.

Microsoft says the informants provided source code that showed their lead was authentic. "We had overwhelming technical evidence in this case provided by the informants and confirmed by our experts," Brad Smith, Microsoft's general counsel, told The Washington Post. Smith said Microsoft would give the informants $250,000 if there was a successful prosecution.

The US Federal Bureau of Investigation and the Secret Service also helped Microsoft trace the origins of the Sasser outbreak. More than a million computers were infected by Sasser, which spread rapidly. The arrested student is also suspected of creating another computer worm called Netsky.ac. Buried in the code of this worm was a message taunting investigators.

It read: "Do you know that we have programmed the sasser virus?!? Yeah, that's true". Earlier evidence suggests the Netsky virus was the work of a gang of virus writers. Graham Cluley, senior technology consultant with UK anti-virus firm Sophos, says the suspect's computer could hold vital clues to the identity of other gang members.

"If this is the case, this could be one of the most significant cybercrime arrests of all time," Cluley says. "Seizing this man's computers could provide the vital clues which will bring down the infamous 'Skynet' virus-writing gang. We would not be surprised if more arrests follow in due course."

A computer worm that spreads using flaws in the code of the Sasser worm has been identified by computer experts. Called "Dabber", the new worm is the first to scavenge access to computers using another worm. An analysis of the worm was published online by the computer security firm LURHQ, based in Michigan in the US. "Even though we have seen worms utilize backdoors left behind by other worms, this is the first time we have seen a worm using a vulnerability in another worm in order to propagate," says the analysis.

The analysis was updated to state that Dabber's code is largely based on another worm called Doomran, which also feeds off another piece of malicious code. Doomran uses a backdoor previously installed by the email virus MyDoom to slip between machines. Dabber probes a network for computers infected with Sasser. It then uses a flaw in part of Sasser's code to force access to that machine.

After deleting all trace of Sasser it then installs a backdoor that could be used to upload other programs to an infected machine. This might give a hacker complete control over that system. Dabber then sets about scanning for further Sasser-infected computers to infect.

Password-protected attachments are the latest tactic virus writers are using to trick unsuspecting users into spreading computer worms. Corporate email filters often block ordinary zipped attachments by default but may allow password-protected attachments through their defences. The trick is also designed to foil anti-virus software that can only unzip and check unlocked attachments. Furthermore, users may be more confident that a locked file comes from a trusted source and open it.

The most recent versions of the Bagle worm arrive in a compressed and password-locked .zip or .rar file. The password needed to unlock these attachments is included in the body of the email, and the recipient is urged to unlock the file as soon as possible. Once the attachment has been unlocked and opened, however, the computer is infected and the worm is forwarded on to everyone in the victim's email address book.

Some anti-virus software scanners have been updated in recent weeks to unlock attachments automatically using the included password. They then search for any lurking threat. But, in a further twist, some virus writers have now begun to include passwords not as text but as images of words. This can prevent anti-virus software from reading the password. Graham Cluley, a researcher with UK anti-virus company Sophos, says the first of these viruses, specifically Bagle N and Bagle O, have emerged.

"The worm's author is sneakily trying to make it more difficult for anti-virus products to scan inside the password-protected files," Cluley told New Scientist. Cluley says Sophos has devised a way to detect the worms using image-based passwords, but is unwilling to reveal the method used. "We'd rather not say how we do it. If we did then virus writers may start modifying their programs."
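A mail-gateway check for the lure described above, as an added example that is not from the article or from any anti-virus vendor: it parses a message, walks each zip attachment's local file headers for the encryption flag, and returns a block verdict when the body also mentions a password (or carries an inline image that could stand in for one). The two sample messages and the minimal zip bytes are constructed here; the helper names are this example's own.

```python
import email
import re
import struct
from email import policy
from email.message import EmailMessage

LOCAL_HEADER = b"PK\x03\x04"
FLAG_ENCRYPTED = 0x0001  # bit 0 of the zip general-purpose flag
PASSWORD_HINT = re.compile(r"\bpassword\b", re.IGNORECASE)

def zip_has_encrypted_entry(data: bytes) -> bool:
    """Walk the local file headers; True if any entry carries the encryption flag."""
    pos = 0
    while pos + 30 <= len(data) and data.startswith(LOCAL_HEADER, pos):
        # 30-byte header: we need flags (off 6), compressed size (18), name/extra lengths (26, 28)
        flags, csize, nlen, xlen = struct.unpack_from("<6xH10xI4xHH", data, pos)
        if flags & FLAG_ENCRYPTED:
            return True
        pos += 30 + nlen + xlen + csize  # entries with a data descriptor (bit 3) are not followed
    return False

def assess_message(raw: bytes) -> dict:
    """Gateway rule: locked archive + password hint (text, or an inline image in its place)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    locked = [p.get_filename() or "?" for p in msg.iter_attachments()
              if isinstance(p.get_content(), bytes) and zip_has_encrypted_entry(p.get_content())]
    inline_image = any(p.get_content_maintype() == "image" for p in msg.walk())
    hint = bool(PASSWORD_HINT.search(body)) or inline_image
    return {"locked_archives": locked, "password_hint": hint, "block": bool(locked) and hint}

# Constructed samples: a hand-packed one-entry zip (the header walk needs no central directory)
def make_zip(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    flags = FLAG_ENCRYPTED if encrypted else 0
    hdr = struct.pack("<4sHHHHHIIIHH", LOCAL_HEADER, 20, flags, 0, 0, 0, 0,
                      len(payload), len(payload), len(name), 0)
    return hdr + name + payload

def make_message(body: str, archive: bytes) -> bytes:
    msg = EmailMessage()
    msg["Subject"] = "Re: document"
    msg.set_content(body)
    msg.add_attachment(archive, maintype="application", subtype="zip", filename="document.zip")
    return msg.as_bytes()

LURE = make_message("The archive password is 12345, open it as soon as possible.",
                    make_zip(b"document.exe", b"\x00" * 16, encrypted=True))
CLEAN = make_message("Minutes from Tuesday attached.", make_zip(b"minutes.txt", b"agenda", False))
```

A real gateway would add the same header walk for .rar archives and treat an archive it cannot open at all as suspect, which the text notes is exactly what the locked files rely on.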


These articles have been collected from various sources. If you are the copyright owner of any of them contact us for either a credit and link to your site or removal of the article.