Sasser Worm Impacted Businesses Around the World

The Sasser worm attacks of last weekend and early this week sent IT staffs around the world scurrying to patch vulnerable Windows systems, dealing with network slow-downs, and switching to

May 8, 2004

5 Min Read
Network Computing logo

The Sasser worm attacks of last weekend and early this week sent IT staffs around the world scurrying to patch vulnerable Windows systems, dealing with network slow-downs, and switching to old-fashioned paper to handle business.

Although by Friday the Sasser worms had dramatically tailed off -- security firm Panda Software reported that Sasser accounted for just 13 percent of all tracked malware Friday, compared with a high of 40 percent on Sunday -- the attacks took their toll in the U.S. and overseas. Delta Airlines, American Express, Associated Press, two major universities, and a leading hospital were among Sasser's victims.

Delta Airlines, for instance, experienced computer difficulties Saturday that forced the cancellation and delay of some flights. The problems began at 2:50 p.m. local time and were fixed by 9:30 Saturday evening, said Katie Connell, a Delta spokeswoman.

Although Connell would not comment on the specific cause of the outage -- "Delta doesn't discuss detailed information about its IT environment," she said -- the airline does use the Windows operating system on some of its servers and desktops. The Sasser worm originally broke onto the Internet late Friday, and by Saturday was wreaking havoc.

American Express was one of the largest U.S.-based firms to report trouble with Sasser. The credit card giant acknowledges Sasser infections on internal desktops starting Sunday, said spokeswoman Judy Tenzer, but the attack didn't have any effect on the company's customer services.Tenzer declined to go into detail about the extent of the Sasser infection, how the worm penetrated American Express' network, and what steps were taken to stop the attacks.

The University of Texas M.D. Anderson Cancer Center was also hit by Sasser this week, according to Don Lyons, the hospital's deputy chief information officer. More than a third of the facility's Windows machines were infected.

"As of yesterday, we had about 6,000 infected systems," said Lyons, "but as of Friday morning, we've whittled that down to about 700 or so."

M.D. Anderson's IT department manages approximately 17,000 Windows systems -- both desktops and servers -- for the nearly 2,000 physicians and researchers, and the 8,000 other workers in the hospital.

"I'd put our effort [on Sasser] right on par with MSBlast," said Lyons, referring to last summer's network worm outbreak. "We were much better organized this time around, and deployed 12 teams and 50 people to clean up infected systems and patch others."Although the Sasser attack forced M.D. Anderson to print out patient records from uninfected PCs, it didn't impact patient care or interrupt any scheduled treatment, said Lyons.

Still, his teams worked around the clock to put the pieces back together. "This was a pretty significant diversion of IT resources," he said.

While he hadn't had the chance to pin down the source of infection, Lyons said he suspected it came from a laptop brought into the hospital and connected to its network. Unlike most worms, Sasser doesn't require any human intervention -- such as opening an e-mail attachment -- but scans for vulnerable systems and surreptitiously plants its payload.

Elsewhere in the U.S., the Associated Press sent an e-mail advisory to all its staff Monday that the Sasser worm had hit its New York-based network, and that Internet access would be sluggish as it cleaned infected systems and scanned for new infections on incoming PCs.

"We are anticipating some continued Sasser issues in the next few days, as computers are booted up for the first time as people come back from days off, etc.," the e-mail warned.And that wasn't anywhere near the end of it. Reports from around the world indicate that Sasser struck viciously at some locations, mildly at others.

Westpac, a major Australian bank, was hit by Sasser starting Tuesday, according to reports in several of the country's newspapers. In some cases, branches had to abandon their PCs and revert to pen and paper to complete transactions, and later in the week, the infection spread to branches in neighboring New Zealand. By Thursday, Westpac had cleaned up the mess and its branches were back to electronics.

Elsewhere in the Pacific Rim, Taiwan and Hong Kong, and even technologically-backward Vietnam, were struck by the worm. In Taiwan, one of the countries hit hardest early in the worm's rampage, some 1,600 computers in its postal service were infected, forcing about a third of the branches to move to paper. In Hong Kong, Sasser sneaked into government networks. Problems in both Taiwan and Hong Kong had been cleared up by Tuesday.

Other Asian countries, such as Japan and India, reported few problems. But the Chosen Ilbo news service in Korea -- which often bears the brunt of any wide-ranging worm because it boasts the world's highest per-capita use of DSL-based broadband connections to the Internet -- reported that one of the country's largest hospitals experienced delays dealing with patients because the computer system had to be ditched for paper on Monday.

China, however, largely escaped the Sasser worm -- for now -- because of a seven-day national holiday that ends Saturday. According to the Xinhau news service, Sasser is expected to impact Chinese businesses and government agencies because patches weren't deployed during the time off.The National Computer Network Emergency Response Coordination Center -- China's version of the U.S.-based CERT -- had detected 1.3 million instances of the Sasser worm within in China as of early Thursday morning. The worry is that when workers return Saturday, they'll find their systems infected.

In the West, Finnish news reports said that the Sampo Bank shuttered all 130 branches on Monday morning, with most closed for several hours because of Sasser-related problems.

Other affected organizations in Europe included the Brussels headquarters of the European Commission, the European Union's executive arm, where some offices struggled Monday with the worm. In France, the French Stock Exchange was hit, and in the U.K., networks running at the nation's Maritime and Coastguard Agency were disrupted.

And this week's trials and tribulations aren't the end of Sasser, say security analysts. Even if another variant doesn't appear -- unlikely, what with hackers habitually releasing worms late on Fridays and on weekends -- Sasser will remain part of the malicious code back chatter.

"Sasser will be with us for a long time to come," said Alfred Huger, senior director of engineering with Symantec's response team this week.0

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights