Information and Quotes on the Sasser Worm

Information and quotes on the Sasser worm, written by David Endler, Director of Digital Vaccine, TippingPoint.

Sasser is a new self-propagating worm that takes advantage of a Microsoft vulnerability in the Local Security Authority Subsystem Service (LSASS), announced recently in Microsoft Advisory MS04-011. Upon infecting a host, the worm copies itself to the Windows system directory, opens a backdoor (remote shell) on TCP port 9996, and starts randomly scanning TCP port 445 for other vulnerable hosts to infect. Exploitation of the LSASS vulnerability may cause the vulnerable host to crash or reboot even when the infection attempt fails.
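The two network behaviours described above, random scanning of TCP/445 and the listener on TCP/9996, are what a network-level detector can key on without depending on the dropped file name. The following is an added example, not code from the article or from TippingPoint: a small detector that reads firewall-style connection records, flags any source that fans out to many distinct TCP/445 targets within a short window, and flags both ends of any connection to TCP/9996. The log line format, the addresses, and the fan-out threshold (20 distinct targets in 10 seconds) are constructed for the example and are not from the page.

```python
"""
Added example (not from the original article): log-based detection of
Sasser-style propagation. Flags (a) sources that open SYNs to many distinct
targets on TCP/445 within a short window (the worm's random scan) and
(b) either end of a connection to TCP/9996 (the backdoor port named in
the article). Log format, addresses and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed (hypothetical) firewall export format, one record per line, e.g.:
#   2004-05-01 08:00:01 TCP 10.0.0.5:1044 -> 10.0.3.17:445 SYN
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<flag>\w+)$"
)

SCAN_PORT = 445          # port Sasser scans for LSASS targets
BACKDOOR_PORT = 9996     # remote shell opened by the worm
FANOUT_THRESHOLD = 20    # distinct /445 targets from one source ... (assumed)
WINDOW = timedelta(seconds=10)  # ... within this window (assumed)


def parse_line(line):
    """Parse one record; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "flag": m["flag"],
    }


def detect(lines):
    """Return {host: [reasons]} for hosts showing Sasser-like behaviour."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])          # stable sort keeps file order per second
    findings = defaultdict(set)
    recent = defaultdict(list)                   # src -> [(ts, dst)] SYNs to 445 in window
    for e in events:
        if e["dport"] == BACKDOOR_PORT:
            findings[e["src"]].add("connected to tcp/9996 backdoor")
            findings[e["dst"]].add("tcp/9996 backdoor contacted (likely infected)")
        if e["dport"] == SCAN_PORT and e["flag"] == "SYN":
            hist = recent[e["src"]]
            hist.append((e["ts"], e["dst"]))
            while hist and e["ts"] - hist[0][0] > WINDOW:   # expire old entries
                hist.pop(0)
            if len({dst for _, dst in hist}) >= FANOUT_THRESHOLD:
                findings[e["src"]].add("tcp/445 fan-out scan")
    return {host: sorted(reasons) for host, reasons in findings.items()}


def sample_log():
    """Constructed sample: one scanning host, one benign SMB client, one backdoor contact."""
    t0 = datetime(2004, 5, 1, 8, 0, 0)
    lines = []
    # infected host: 25 distinct targets on /445 within about five seconds
    for i in range(25):
        ts = t0 + timedelta(milliseconds=200 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} TCP 10.0.0.5:{1100 + i} -> 10.0.3.{i + 1}:445 SYN")
    # benign client: three file servers over an hour, well under the threshold
    for i, srv in enumerate(["10.0.1.10", "10.0.1.11", "10.0.1.12"]):
        ts = t0 + timedelta(minutes=20 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} TCP 10.0.0.9:{2000 + i} -> {srv}:445 SYN")
    # someone connecting to the backdoor on the infected host
    ts = t0 + timedelta(minutes=1)
    lines.append(f"{ts:%Y-%m-%d %H:%M:%S} TCP 10.0.0.77:3333 -> 10.0.0.5:9996 SYN")
    return lines


if __name__ == "__main__":
    for host, reasons in detect(sample_log()).items():
        print(host, "->", "; ".join(reasons))
```

The fan-out rule deliberately counts distinct destinations rather than raw SYN volume, so a busy but legitimate SMB client talking to a handful of servers is not flagged, while a host walking random addresses on /445 is. The threshold and window are starting points to tune against your own baseline; the backdoor rule needs no tuning because there is no legitimate reason for a workstation to listen on TCP/9996.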

1. Sasser exploits a buffer overflow vulnerability in the Local Security Authority Subsystem Service (LSASS) that was reported in Microsoft’s April 13th security bulletin (MS04-011). The vulnerable LSASS.exe process, which handles user logins on Windows systems, runs by default on almost all Windows 2000, XP, and Windows Server 2003 computers. Sasser.A was first discovered in the wild on April 30th, and two other variants surfaced on May 1st and May 2nd respectively. Sasser.A, Sasser.B, and Sasser.C differ only slightly in their payloads.

2. Sasser doesn’t require human interaction to spread. Unlike the Slammer worm, which was only memory-resident, Sasser copies itself to disk as a file and runs as a process in the background. Home users can easily tell whether they’ve been infected simply by looking for a running process or file named “avserve.exe” or “avserve2.exe” (Sasser.A and Sasser.B respectively). Because later variants can change the file name, the absence of these names does not by itself prove a machine is clean; unexplained LSASS crashes or reboots and outbound scanning on TCP port 445 are the more reliable signs.

3. On April 13th, Microsoft announced the LSASS vulnerability in MS04-011. On April 24th, a limited LSASS exploit was publicly released, and on April 27th it was integrated into the Phatbot/Agobot bot family, which also exploits a wide range of other Microsoft vulnerabilities. On April 29th, a fully functional LSASS exploit was publicly released which allowed an attacker to easily exploit a wider range of vulnerable hosts. The Sasser worm variants are based on this second “universal” exploit, and were first discovered in the wild on April 30th. This is another example of the increasing trend of automated worm exploitation following public exploit release by only a few days.

4. In the same MS04-011 security bulletin, Microsoft announced a vulnerability in its SSL library (the PCT protocol implementation) which could allow an attacker to compromise an IIS web server, or many other applications that also rely on that SSL support. A functional exploit against IIS 5.0 was released for this vulnerability a week ago. While this vulnerability does not provide as large a target base for exploitation as the LSASS vulnerability, it is likely that this exploit will similarly be integrated into a new Phatbot/Agobot variant or standalone worm soon.

5. It is likely that the number of Sasser infected computers will start to increase late Sunday as computer users around the world start to turn their computers on as Monday morning approaches.

6. One of the latest Netsky virus variants discovered in the wild on May 2, dubbed Netsky.AC by some AV vendors, contains encrypted strings which suggest the Netsky author(s) claim authorship of the Sasser worm:

“Hey, av firms, do you know that we have programmed the sasser virus?!?. Yeah thats true! Why do you have named it sasser? A Tip: Compare the FTP-Server code with the one from Skynet.V!!! LooL! We are the Skynet…

Here is an part of the sasser sourcecode you named so, lol
void TryLsass(char *pszIP){ char arOS[130];
if(detect(pszIP,arOS)==1)
"
