TCS - Attack of the Sasser Worm Portend of More to Come

Attack of the Sasser Worm
Portend of More to Come

by Ira Wilsker
Golden Triangle PC Club
From the June 2004 issue of the I/O Port Newsletter

The recent attack of the Sasser worm, which by some accounts infected millions of computers, has again taught us that we must be vigilant about our cyber security. As happened with last year's Blaster worm, Sasser and its several variants took advantage of a well documented hole in recent versions of Windows. What is especially painful for many of those infected by Sasser is that it was totally preventable. Before Sasser appeared, Microsoft had publicized and distributed free patches for Windows 2000 and XP which closed the vulnerability that Sasser used to infect millions of computers. Unpatched computers with a firewall installed also had substantial immunity to Sasser, because the firewall blocks the inbound connection the worm needs in order to reach the vulnerable Windows service at all.

Unlike many of the other viruses and worms which have plagued us for years, Sasser was not spread by email or by visiting illicit websites. Instead it targeted randomly chosen, unprotected computers connected to the internet. An infected computer probed random internet addresses with small packets of data, looking for a machine running the unpatched Windows service. When it found one, it exploited the hole, copied Sasser onto the victim, and the victim in turn began probing for new targets. Sasser, like its older cousin Blaster, caused Windows 2000 and XP computers to shut down and reboot repeatedly; the reboots were a side effect of the exploit crashing the Windows LSASS system service that it attacked. Once this vicious cycle started, it continued until Sasser was eliminated from the machine. Sadly, many users successfully deleted Sasser from their computers, only to be re-infected minutes later, because they had not installed the Microsoft patch, a firewall, or other appropriate security measures. At its peak, security and antivirus vendor Panda (www.pandasoftware.com) determined that 40% of all newly infected computers worldwide were infected by Sasser or one of its variants. Another security company reported that at the peak of the infection, each computer connected to the internet was probed by a Sasser-infected computer about once every 10 minutes. The log on the firewall (Outpost) on my home computer indicated that on Sunday evening, May 2, my computer was probed by over a dozen Sasser-infected computers every hour. Since my computer was both patched and protected by a decent firewall, all of the Sasser attacks were successfully repulsed. For those looking for information on preventing or removing a Sasser infection, Microsoft has created a central site with comprehensive information at www.microsoft.com/sasser.
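As an added example, not part of the original article, the following Python script shows how one would recognize this kind of scanning in a firewall log. It parses a few constructed log lines (the line format is invented for illustration and is not Outpost's actual export format), keeps only inbound TCP connection attempts to port 445, the port Sasser's exploit targeted, ignores sources on the local network where traffic to that port is ordinary file sharing, and reports how many distinct internet hosts probed the machine in each hour. Counting distinct sources rather than raw packets approximates the number of infected computers that happened to pick your address, which is the figure quoted above.

```python
"""Count distinct internet hosts probing TCP 445 per hour in a firewall log.

Added example, not from the original article. The log line format is
constructed for illustration and is not the real Outpost export format;
the sample source addresses are from the documentation ranges
(203.0.113.0/24, 198.51.100.0/24). TCP 445 is the port Sasser's exploit
targeted.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

SASSER_PORT = 445

# RFC 1918 ranges: traffic to 445 from the LAN is normal Windows file
# sharing, so it is not counted as a worm probe.
LAN_NETWORKS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log: "<timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2004-05-02 19:01:12 BLOCK TCP 203.0.113.7:3179 -> 192.168.1.5:445
2004-05-02 19:03:40 BLOCK TCP 198.51.100.23:1042 -> 192.168.1.5:445
2004-05-02 19:04:02 BLOCK TCP 203.0.113.7:3180 -> 192.168.1.5:445
2004-05-02 19:10:55 ALLOW TCP 192.168.1.9:52011 -> 192.168.1.5:445
2004-05-02 19:15:00 BLOCK UDP 198.51.100.99:137 -> 192.168.1.5:137
2004-05-02 20:02:17 BLOCK TCP 203.0.113.41:2233 -> 192.168.1.5:445
2004-05-02 20:02:18 BLOCK TCP 203.0.113.41:2234 -> 192.168.1.5:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "action": m["action"],
        "proto": m["proto"],
        "src": ipaddress.ip_address(m["src"]),
        "dport": int(m["dport"]),
    }


def is_lan(ip):
    """True if the address is in one of the RFC 1918 private ranges."""
    return any(ip in net for net in LAN_NETWORKS)


def _is_probe(rec, port):
    return (rec is not None and rec["proto"] == "TCP"
            and rec["dport"] == port and not is_lan(rec["src"]))


def probes_per_hour(log_text, port=SASSER_PORT):
    """Return {"YYYY-MM-DD HH:00": (distinct_internet_sources, probe_count)}
    for TCP connection attempts to `port` from non-LAN addresses."""
    sources = defaultdict(set)
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not _is_probe(rec, port):
            continue
        hour = rec["ts"].strftime("%Y-%m-%d %H:00")
        sources[hour].add(rec["src"])
        counts[hour] += 1
    return {h: (len(sources[h]), counts[h]) for h in sorted(sources)}


def busiest_sources(log_text, port=SASSER_PORT, n=3):
    """The n internet addresses that probed `port` most often, as (ip, count)."""
    c = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if _is_probe(rec, port):
            c[str(rec["src"])] += 1
    return c.most_common(n)


if __name__ == "__main__":
    for hour, (hosts, hits) in probes_per_hour(SAMPLE_LOG).items():
        print(f"{hour}: {hosts} distinct probing hosts, {hits} probes to port {SASSER_PORT}")
    print("busiest sources:", busiest_sources(SAMPLE_LOG))
```

On the sample log this reports two distinct internet hosts (three probes) in the 19:00 hour and one in the 20:00 hour; the LAN connection and the UDP 137 line are ignored. To use it on a real log, only `LINE_RE` needs to be adapted to the firewall's own line format.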

According to media reports, Sasser may have caused substantial financial damage, in addition to gross inconvenience to millions of computer users. Among the better known victims of Sasser were American Express, the Associated Press, The University of Texas M.D. Anderson Cancer Center, Westpac Bank, the French Stock Exchange, the British Coast Guard, and many others. While unconfirmed, there is some credible information that the recent shutdown of Delta Air Lines in Atlanta was caused by Sasser.

While the sudden appearance and rapid spread of the Sasser worm took many users by surprise, many cyber security experts were actually expecting something like Sasser to appear when it did. In the continuous battle between Microsoft, users of Microsoft operating systems, and hackers, it was considered inevitable that someone would release a worm or virus to take advantage of the newly disclosed vulnerability. It was another example of a legitimate security researcher discovering a vulnerability, reporting it through supposedly secure channels to Microsoft and other security organizations who verified it, and Microsoft creating and releasing a patch to close the hole. As is often the case, the hacker underground also became aware of the same vulnerability, since a published patch tells an attacker exactly what was fixed, and discussed ways to capitalize on the problem. Sadly, there will always be people ready to take advantage of those victims who have not installed the latest updates, and who lack other forms of protection on their computers.

As it has done in the past, Microsoft posted a $250,000 reward for information leading to the arrest and conviction of the miscreants who create viruses and worms that lead to significant infections and damage. Lawyers for Microsoft confirmed that it was tipsters who led to the recent arrest, and subsequent alleged confession of a teenage hacker in Rotenburg, Germany, who has been charged with creating and releasing the Sasser worm. Subsequent forensic investigation of his computer found the source code of other worms and viruses, including some versions of the nefarious Netsky virus. There were also some indications that he may not have acted alone in the creation of these viruses and worms, and may have been a part of a larger network of virus creators. The investigation is continuing, and Microsoft has acknowledged that the full reward will be paid to the tipsters upon the conviction of the suspect.

Once again the vulnerability of our critical cyber infrastructure has been demonstrated. If some bright teenager in Lower Saxony, working alone or with others, could create a worm which infected millions of computers in a matter of hours and hindered the operations of banks, airlines, and universities, imagine the damage that could be done by someone who really wants to do us harm. This is not idle speculation; no less a controversial figure than Richard Clarke, the former cyber security czar for President Bush, has warned that a devastating cyberattack is inevitable, and most security experts agree. Many of us who work in the field will tell you that the attack has already begun, and that the first battles have already been fought. More such battles, with fiercer computer worms and viruses, are on the horizon, and will likely occur sooner rather than later.







Tulsa Computer Society 6/01/2004
Don Singleton, President