Trend Micro Network VirusWall Helps Stop Spread of “Sasser” Network Virus
Cupertino, California – May 17, 2004 – Trend Micro, Inc. (TSE: 4704, NASDAQ: TMIC), a leader in network antivirus and Internet content security software and services, shares the success of Trend Micro Network VirusWall™ 1200 outbreak prevention appliance in helping stop the spread of recent “Sasser” network virus variants that have been seen in several countries trying to penetrate Windows-based computer systems through random Internet Protocol (IP) addresses.
Beginning in May, a new family of self-executing worms appeared, referred to as “WORM_SASSER”, that scanned for random IP addresses and exploited the “Local Security Authority Subsystem Service” (LSASS) buffer overrun vulnerability reported on April 13, 2004 by Microsoft for the Windows operating system. “Sasser” posed a risk to any Internet-connected computer that bears this vulnerability.
“Sasser” propagated by generating random IP addresses to search for systems with the LSASS vulnerability; when one was found, it would use a TCP port (445) to transmit data and create a buffer overflow on the vulnerable system, which then gave access to, and control of, the vulnerable system through a different TCP port (9996). Finally, the victim machine would be instructed to download the malware file through another TCP port (5554). The cycle would repeat itself, and each new victim would become the next attack machine.
Deployed at network LAN segments, Network VirusWall 1200 allows security administrators to coordinate actions to block “Sasser” from completing its infection and propagation cycle. Through deploying outbreak prevention policies, Network VirusWall blocked particular TCP ports utilized by “Sasser”, rendering the worm program ineffective; this can be done for more immediate protection at key segments of the network, in advance of deploying updates to antivirus software to individual systems.
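The three-port cycle described above also gives defenders a sequence to look for in network flow records. The following is an added detection example, not Trend Micro code: the flow tuple layout, the connection directions (source to victim on 445 and 9996, victim back to source on 5554), the time window and the fan-out threshold are all assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Ports named in the release; the connection directions are assumptions.
EXPLOIT, SHELL, FETCH = 445, 9996, 5554
WINDOW = 120      # seconds allowed for one full cycle (assumed value)
FANOUT = 5        # distinct 445 targets that count as scanning (assumed value)

# Constructed flow records: (epoch seconds, source IP, destination IP, destination TCP port)
FLOWS = [
    (100, "10.0.1.5", "10.0.2.9", 445),
    (103, "10.0.1.5", "10.0.2.9", 9996),
    (107, "10.0.2.9", "10.0.1.5", 5554),
    (50, "10.0.3.3", "10.0.2.9", 445),    # ordinary file-share traffic
    (300, "10.0.1.8", "10.0.2.7", 445),   # port 445 touched, no follow-up
] + [(200 + i, "10.0.2.9", f"10.0.9.{i}", 445) for i in range(1, 8)]

def find_cycles(flows, window=WINDOW):
    """Return (source, victim, start_time) for each completed 445 -> 9996 -> 5554 chain."""
    flows = sorted(flows)
    hits = []
    for t0, src, dst, port in flows:
        if port != EXPLOIT:
            continue
        shell = next((t for t, s, d, p in flows
                      if (s, d, p) == (src, dst, SHELL) and t0 <= t <= t0 + window), None)
        if shell is None:
            continue
        # Assumed direction: the victim connects back to the source to fetch the file.
        if any((s, d, p) == (dst, src, FETCH) and shell <= t <= t0 + window
               for t, s, d, p in flows):
            hits.append((src, dst, t0))
    return hits

def scanners(flows, fanout=FANOUT):
    """Hosts contacting at least `fanout` distinct addresses on port 445."""
    targets = defaultdict(set)
    for _, src, dst, port in flows:
        if port == EXPLOIT:
            targets[src].add(dst)
    return {h for h, seen in targets.items() if len(seen) >= fanout}

def report(flows):
    """Per completed cycle, flag whether the victim has started scanning itself."""
    scan = scanners(flows)
    return [{"source": s, "victim": v, "time": t, "victim_now_scanning": v in scan}
            for s, v, t in find_cycles(flows)]
```

A host reported with `victim_now_scanning` set has both completed the cycle and begun contacting many addresses on port 445, which marks it as a candidate for segment-level isolation ahead of clean-up.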
“Network VirusWall did a lot to help us prevent the spread of the Sasser virus, especially through the outbreak prevention policy settings, which allowed us to limit any Sasser damage to a small area,” commented Ping-Chih Liu, project director at Acer, one of the world’s top ten PC makers. “The next day we got into the office, checked the Control Manager™ log reports and ran the clean-up tasks.”
Acer CIO Eric Lee added, “Especially for a company like Acer, which runs 24 hours a day, if one area gets infected, it could spread worldwide for us in 5 minutes, so we have to make sure the virus attack impact is kept to a minimum.”
Through Trend Micro Vulnerability Assessment, customers receive advance notification of vulnerabilities with a high potential for exploitation by virus writers and, through Network VirusWall, can selectively isolate unpatched systems to protect the rest of the network. In the case of “Sasser”, the Vulnerability Assessment pattern that addressed the LSASS issue was made available on April 17, 2004 so customers could take actions to minimize their risk of outbreak.
Network VirusWall 1200 is the latest product to support Trend Micro’s Enterprise Protection Strategy, which, since 2002, has helped companies increase their security protection through coordinated delivery of products, services, and expertise throughout the entire virus outbreak lifecycle.
In March 2004, Network VirusWall was named VAR Best Product in the hardware division at the System Builder Summit and VARVision event, and won the Best of VARVision Award from VARBusiness magazine for its unique, innovative contribution in the detection, blocking, and cleaning of network viruses and worms at the network level.
About Trend Micro
Trend Micro, Inc. is a leader in network antivirus and Internet content security software and services. The Tokyo-based corporation has business units worldwide. Trend Micro products are sold through corporate and value-added resellers and managed service providers. For additional information and evaluation copies of all Trend Micro products, visit our Web site, www.trendmicro.com