Sasser worm uses new LSASS vulnerability


Per Hansson

The vulnerability MS04-011, which eEye reported to Microsoft on October 8, 2003 and which Microsoft released a fix for on April 13, 2004, took malware writers just 18 days to build a working worm for. Its name is Sasser and it works very similarly to the Blaster worm from last year in that it requires no user action to infect a computer. That means that an unpatched Windows 2000 or XP workstation without a firewall has a very high risk of being infected. The Sasser worm scans for its targets on port 445.

The good news is that this worm causes no damage yet, but it is extremely likely that a variant of it that does will be released very soon, so if you have not patched your systems be sure to update now!

F-Secure has more info on this worm.

UPDATE: Microsoft has posted an ActiveX scanning tool on their Sasser info page, which you can use to easily check online if you're infected or not. Then again, if you are infected, you might not make it to that page before your machine is rebooted again. Source: F-Secure
 
Sasser has reached its fourth variant, Worm_Sasser.D, which has experts around the world claiming that this worm could be the biggest internet menace since last year's MSBlast worm.

The thing about worms, which traditionally have been spread via email, is that they have within the last year or two taken the next step in their evolution. Many new worms are coded in such a way that they are released as 'Bots' on the internet. These bots randomly scan IP addresses (your IP address is to your computer roughly what your postal address is to your house), and once they successfully make a connection with a target computer, they transfer the worm. This process requires no user intervention whatsoever.

Sasser takes advantage of a security flaw (reported to Microsoft back in October 2003, which they did nothing about until now) in Windows' Local Security Authority Subsystem Service (LSASS) to infect unprotected computers running Windows 2000, Windows XP, or Windows 2003 Server.

The worm then installs an FTP (File Transfer Protocol) server on the infected machine through port 5554, uses port 445 to scan for other computers to infect, downloads and infects new targets, and then creates hundreds of threads on the host machine, bringing it pretty much screaming to a standstill.

So far, it looks like each new Sasser variant has tweaked and updated code, with the first two variants being quite badly written, limiting their potential for damage. However, with Sasser's newer, improved variants, the worm could prove to be far more destructive.

E.g., Sasser.C launches 128 threads on an infected computer. Sasser.D launches 1024.

Edit: sorry. Got this from a members-only site that isn't particularly tech related. I suppose I could have tidied it up, but I didn't, so there you go :)
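The post describes two network symptoms of an infected host: it fans out to many different addresses on TCP port 445 looking for new targets, and it accepts inbound connections on TCP port 5554 for the FTP server it installs. A defender can turn that description into a simple triage over firewall or flow logs. The script below is an added example, not code from this thread, from F-Secure or from Microsoft; the log line format, the sample log, and the function names (`parse_log`, `find_445_scanners`, `find_5554_listeners`, `triage`) are constructed for this illustration.

```python
"""Triage firewall/flow logs for the two Sasser symptoms named in the post:
many distinct TCP/445 destinations from one source in a short window
(scanning), and an accepted inbound connection on TCP/5554 (the worm's FTP
server).  Log format, sample lines and thresholds are constructed for this
example; adapt LINE_RE to your own firewall export."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<ISO time> <ALLOW|DENY> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

# Constructed sample: 10.0.0.5 probes six hosts on 445 in two seconds and then
# accepts a connection on 5554; 10.0.0.20 talks to one file server normally.
SAMPLE_LOG = """\
2004-05-02T10:00:00 ALLOW 10.0.0.5:1033 -> 10.0.0.9:445
2004-05-02T10:00:00 DENY 10.0.0.5:1034 -> 10.0.0.10:445
2004-05-02T10:00:01 DENY 10.0.0.5:1035 -> 10.0.0.11:445
2004-05-02T10:00:01 DENY 10.0.0.5:1036 -> 10.0.0.12:445
2004-05-02T10:00:02 DENY 10.0.0.5:1037 -> 192.168.3.7:445
2004-05-02T10:00:02 DENY 10.0.0.5:1038 -> 172.16.0.2:445
2004-05-02T10:00:03 ALLOW 10.0.0.9:1201 -> 10.0.0.5:5554
2004-05-02T10:00:05 ALLOW 10.0.0.20:1100 -> 10.0.0.9:445
2004-05-02T10:00:06 ALLOW 10.0.0.20:1101 -> 10.0.0.9:445
2004-05-02T10:00:10 ALLOW 10.0.0.21:1500 -> 10.0.0.30:80
"""


def parse_log(text):
    """Parse log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "action": m["action"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    return events


def find_445_scanners(events, min_targets=5, window=timedelta(seconds=60)):
    """Return {src: peak_distinct_targets} for sources that reach at least
    min_targets distinct destinations on TCP/445 within one sliding window.
    Denied attempts count too: a scanner mostly hits hosts that refuse it."""
    per_src = defaultdict(list)
    for e in events:
        if e["dport"] == 445:
            per_src[e["src"]].append((e["ts"], e["dst"]))
    scanners = {}
    for src, hits in per_src.items():
        hits.sort()
        lo = 0
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > window:
                lo += 1
            distinct = len({dst for _, dst in hits[lo:hi + 1]})
            if distinct >= min_targets:
                scanners[src] = max(scanners.get(src, 0), distinct)
    return scanners


def find_5554_listeners(events):
    """Hosts that accepted an inbound connection on TCP/5554."""
    return sorted({e["dst"] for e in events
                   if e["dport"] == 5554 and e["action"] == "ALLOW"})


def triage(text, **kw):
    """Combine both checks; a host on both lists matches the full pattern."""
    events = parse_log(text)
    scanners = find_445_scanners(events, **kw)
    listeners = find_5554_listeners(events)
    both = sorted(h for h in scanners if h in listeners)
    return {"scanners": scanners, "listeners": listeners, "both": both}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The scan check counts outbound fan-out from a single source, which a workstation almost never does legitimately, while a file server receiving 445 connections from many clients is not flagged. The threshold of five targets per minute is deliberately low for the ten-line sample; with the thread counts the post quotes for Sasser.C and .D, a real infection produces far more than that, so in production you would raise `min_targets` until known servers and scanners stop appearing.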
 
Process File: isass or isass.exe
Process Name: isass
Description: Virus added to the system as a result of a variant of the OPTIX PRO TROJAN that opens TCP port 3410 and allows a hacker to control an infected computer.
Company: N/A
System Process: No
Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): Yes
Common Errors: N/A
 