Fast-Spreading Worm Has Infected As Many As 1 Million PCs

A fast-spreading worm line that some are comparing to Blaster is exploiting a vulnerability in Windows and has infected as many as 1 million machines worldwide.

"Sasser is the MSBlast event of 2004," said Ken Dunham, director of malicious code research at iDefense. "There are lots of parallels between MSBlast and Sasser. Leading up to Sasser, we saw exploit code updated, Trojaning, and hacking of vulnerable computers, and an underground buzz that resembled that of Blast seen in 2003."

The Sasser worm--the fourth variant, tagged as Sasser.d, appeared Monday, and followed the original, Sasser.a, and two copycats, dubbed Sasser.b and Sasser.c--can infect Windows 2000, Windows XP, and Windows Server 2003 machines without resorting to E-mail and the associated file attachments that users must open to spread the malicious code.

Instead, Sasser, like last year's Blaster, exploits a recent vulnerability in a component of Windows by scanning for vulnerable systems. Sasser then creates a remote connection, installs an FTP server, and downloads itself to the new target.

Sasser exploits a vulnerability in the Windows Local Security Authority Subsystem Service (LSASS) component. Since the vulnerability's disclosure on April 13, exploit code has been circulating, and last week, numerous bot-based attacks used the vulnerability to compromise systems.Estimates by Internet Security Systems' X-Force threat team place the Sasser infections at 500,000 to 1 million machines so far. Microsoft has reported that 9.5 million patches for the vulnerability have been downloaded from its Web site.

"Whatever the numbers, this is the most significant threat of 2004," Dunham said.

The first two variants of Sasser caused systems to repeatedly reboot, another shared characteristic with Blaster. But the newer variations solved that problem. "The worms' author fixed the problem so [systems] don't reboot," said Dunham, which makes Sasser all that much more dangerous, since the rebooting "is a very obvious sign of infection."

The Sasser attack began with Sasser.a on Friday night, continued Saturday and Sunday with Sasser.b and Sasser.c, and rolled into Monday with Sasser.d.

"We're seeing a lot more attacks on Friday nights and Saturdays," said Dunham, a time when corporate IT staffs are at their lowest and many home users are logged on to the Internet. "It's a good time for worms to strike."Dunham and others said that the Sasser worm may be the work of the same group that crafted a recent Netsky worm. According to analysis done by the Finnish anti-virus firm F-Secure, the most recent Netsky worm, dubbed Netsky.ac--which went wild Sunday--includes text embedded in its code that reads:

"Hey, av firms, do you know that we have programmed the sasser virus?!?. Yeah that's true! Why do you have named it sasser? A Tip: Compare the FTP-Server code with the one from Skynet.V!!! LooL! We are the Skynet..."

If true, said Dunham, expect more variants of Sasser to appear, and appear quickly. One of the Netsky worm line's distinguishing traits is its numerous variations, with new copies released weekly, and in some cases, daily. "The worm is highly successful and attackers are updating its code as we speak, so you can expect to see a lot more in the coming days. This could be a major development in the worm war."

Currently, security firms have tagged Sasser.b as the most prevalent and dangerous. Symantec Corp. has labeled Sasser.b as a 4 in its 1-through-5 scale--it has never ranked a worm or virus as a 5. Sasser.a, however, is rated as a 3, while Sasser.c and Sasser.d are now at 2. Rival McAfee, used describe Sasser.a's and Sasser.b's threat as Medium, and called Sasser.c and Sasser.d a Low danger.

To defend against Sasser, users should immediately patch all vulnerable PCs.0