How to protect PCs against the Sasser worm

Powered by SC Magazine

As the Sasser worm rolled across the internet, users scrambled to patch systems and clean up infected machines.

The first chore is to install a firewall if one isn't already present on the network or an individual PC. Like the MSBlast worm of last summer, Sasser infects systems without any human intervention, can spot a vulnerable machine quickly while it's online, and can cause the machine to constantly reboot, making it difficult to retrieve the fix.

The long-term defense against Sasser, said security analysts, is to apply the patch against the LSASS vulnerability on Windows XP, Windows 2000, and Windows Server 2003 systems. (But as noted last week, the patch is itself flawed, and can cause some Windows 2000 machines to crash at startup; Microsoft has yet to deploy a patched patch.)

Microsoft first released the patch for the LSASS vulnerability 13 April as part of its monthly round of security alerts. The patch can be retrieved using the Windows Update service, or downloaded directly from the Security Bulletin MS04-011.

Users can also filter traffic targeting UDP ports 135, 137, 138, and 445, as well as TCP ports 135, 139, 445, 593, and any ports above 1024, said Symantec in its analysis and advisory for Sasser. Companies should also monitor incoming traffic for packets targeting TCP port 9996 -- the port an infected machine uses to await a connection from the attacker -- and outgoing traffic destined for TCP port 5554, which is the port used by the FTP server that Sasser installs on compromised systems.
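The port-filter list and the two monitoring indicators above, turned into a small firewall-log check, as an added example that is not part of the article or of Symantec's advisory; the log line format, the 10.0.0.0/24 internal range and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the article); one flow per line:
# <date> <time> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
SAMPLE_LOG = """\
2004-05-03 10:12:01 ALLOW TCP 192.0.2.10:1042 -> 10.0.0.7:9996
2004-05-03 10:12:02 ALLOW TCP 10.0.0.7:1053 -> 192.0.2.10:5554
2004-05-03 10:12:05 ALLOW TCP 10.0.0.8:1060 -> 10.0.0.9:80
2004-05-03 10:12:07 ALLOW UDP 10.0.0.8:137 -> 10.0.0.255:137
2004-05-03 10:12:09 ALLOW TCP 10.0.0.7:1054 -> 10.0.0.9:445
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
INTERNAL_PREFIX = "10.0.0."  # assumed internal address range for this example
# Ports from the Symantec guidance quoted in the article.
FILTER_UDP = {135, 137, 138, 445}
FILTER_TCP = {135, 139, 445, 593}
LISTENER_PORT = 9996  # infected host waits here for the attacker's connection
FTP_PORT = 5554       # FTP server Sasser installs on compromised systems

def should_filter(proto, dport):
    """True if the article's filtering list says traffic to this port should be blocked."""
    if proto == "UDP":
        return dport in FILTER_UDP
    return dport in FILTER_TCP or dport > 1024

def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m and dict(m.groupdict(), sport=int(m["sport"]), dport=int(m["dport"]))

def classify(rec):
    """Label a flow matching one of the article's two monitoring indicators, else None."""
    if rec["proto"] != "TCP":
        return None
    if rec["dport"] == LISTENER_PORT and rec["dst"].startswith(INTERNAL_PREFIX):
        return f"inbound TCP/9996 to {rec['dst']} (possible Sasser listener)"
    if rec["dport"] == FTP_PORT and rec["src"].startswith(INTERNAL_PREFIX):
        return f"outbound TCP/5554 from {rec['src']} (Sasser FTP download)"
    return None

def scan(log_text):
    """Map each alert label to the timestamps of the flows that triggered it."""
    alerts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (label := classify(rec)):
            alerts[label].append(rec["ts"])
    return dict(alerts)
```

Running `scan(SAMPLE_LOG)` on the constructed log flags only host 10.0.0.7, first for the inbound 9996 connection and then for its outbound 5554 download.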

Users of Internet Explorer can also sniff for and remove Sasser.a and Sasser.b -- the first two variants of the worm -- by using the ActiveX control tool found on the Sasser page Microsoft posted on Saturday [US]. An option for non-IE browser users is to download the tool and run it independently of Internet Explorer.

Several anti-virus and security vendors have also posted free-for-the-downloading tools that remove the Sasser worm from infected computers. Among them are Symantec, Sophos, McAfee, and Panda Software.

All anti-virus vendors urged their customers to update their definition files immediately -- and keep them updated -- to protect their PCs against Sasser.
