Warnings of more worm attacks
10th May 2004 (Computimes)
By FERINA MANECKSHA

LOCAL computer security experts have issued fresh warnings that the Sasser worm may hit more computer systems in the coming days as Internet activities resume after the long extended break.

Although there had been only a few reports of infections last week, and local Internet service providers (ISPs) reported normal Internet traffic, experts believe that the situation could become more critical than it looks.

The National Information and Communications Technology Security Emergency Response Centre (Niser), as of 12 noon last Friday, had received a total of six reports of infection - two from home users and four from corporate organisations.

MyCERT's manager Solahuddin Shamsuddin said the attacks involved mostly computers running Windows XP. He said the worm propagation had been classified as medium to high, and Niser would continue to monitor the situation closely over the next few days.

Variants of the Sasser worm have been seen in several countries throughout Europe, Asia, Latin America and in the United States since May 1.

The worm spreads by scanning for random Internet protocol (IP) addresses and exploiting a buffer overrun vulnerability recently reported by Microsoft for the Windows operating system.

Security software and services provider Trend Micro Inc rates the Sasser.B variant at its highest severity level, warranting a red alert. Its country sales manager Wong Joon Hoong said the trend over the last few years has been a change in virus attacks, especially in their behaviour, speed of spread and method of propagation.

"Sasser is a network virus, which is different from an application virus that infects e-mails. Anyone connected to the Internet, including corporate networks and broadband subscribers, may be at risk from this family of worms. While Sasser is not the first worm to take advantage of the Microsoft vulnerability, it uses a method of propagation to spread broadly and at an exponential rate," he said.

Wong said the Sasser worm exploits a vulnerability in the Windows Local Security Authority Subsystem Service (LSASS), a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system.

"To propagate, Sasser variants scan random IP addresses for vulnerable systems. When a vulnerable system is found, the malware sends a specially crafted packet to produce a buffer overrun on LSASS.exe, which causes the program to crash, and essentially the infected system to crash, and requires Windows to reboot," he said.

"By using IP addresses, Sasser scans the global Internet for vulnerable systems and can search for vulnerable systems within entire network segments. Infections grow exponentially - each infected system can potentially be used to search for other vulnerable systems."

The Sasser worm already has four variants - A, B, C and D - which are 16KB in size and affect Windows 2000, ME, XP, 95 and 98 platforms, he said.

Computer Associates Asia South security brand director Anthony Lim said that of all the Sasser variants, Sasser.C opens 1,024 threads and can scan more than 200 IP addresses per second, whereas the first two variants created only 128 threads.
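As an added illustration, not part of the article, the following script shows how a network defender can spot the random-IP scanning behaviour described above in firewall logs: it flags any host that reaches an unusually large number of distinct destinations on TCP port 445 (the port Sasser used to reach LSASS, a detail the article does not state) within a single second. The log format, the host addresses and the threshold of 20 distinct destinations per second are assumptions chosen for the example; the sample log is constructed, not real traffic.

```python
import re
from collections import defaultdict

# Assumed log format (constructed for this example):
#   "<timestamp to the second> <src> -> <dst>:<dport> <action>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+)$")


def parse_line(line):
    """Return (timestamp, src, dst, dport, action), or None for lines that
    do not match the assumed format (headers, blank lines, noise)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, action = m.groups()
    return ts, src, dst, int(dport), action


def scanning_hosts(log_lines, port=445, min_distinct_per_sec=20):
    """Map each source that contacted >= min_distinct_per_sec distinct
    destinations on `port` within one second to the peak count it reached.
    Timestamps have second resolution, so the timestamp string is the bucket."""
    buckets = defaultdict(set)  # (src, second) -> distinct destinations
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport, _action = rec
        if dport == port:
            buckets[(src, ts)].add(dst)
    flagged = {}
    for (src, _ts), dsts in buckets.items():
        if len(dsts) >= min_distinct_per_sec:
            flagged[src] = max(flagged.get(src, 0), len(dsts))
    return flagged


def build_sample_log():
    """Constructed sample: 10.1.1.5 sweeps 25 fresh addresses per second on
    TCP/445 (worm-like); 10.1.1.9 repeatedly talks to one file server on
    TCP/445; 10.1.1.7 browses many web servers on TCP/80 (benign fan-out)."""
    lines = ["# constructed firewall export, not real traffic"]
    for i in range(50):
        lines.append(f"2004-05-07T12:00:0{i // 25} 10.1.1.5 -> 192.0.2.{i}:445 DROP")
    for _ in range(30):
        lines.append("2004-05-07T12:00:00 10.1.1.9 -> 10.1.1.2:445 ACCEPT")
    for i in range(40):
        lines.append(f"2004-05-07T12:00:00 10.1.1.7 -> 198.51.100.{i}:80 ACCEPT")
    return lines
```

Only the sweeping host is reported; the file-server client hits one destination repeatedly and the web client's fan-out is on a different port, so neither trips the check.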

He added that previously, information and communications technology managers often waited a couple of weeks before installing Microsoft service packs, as these packs could sometimes cause problems that themselves needed fixing. However, given the speed at which virus writers now act on published vulnerabilities, any delay is no longer an option, he said.