How to protect PCs against the Sasser worm


As the Sasser worm rolled across the internet, users scrambled to patch systems and clean up infected machines.

The first chore is to install a firewall if one isn't already present on the network or an individual PC. Like the MSBlast worm of last summer, Sasser infects systems without any human intervention, can spot a vulnerable machine quickly while it's online, and can cause the machine to constantly reboot, making it difficult to retrieve the fix.

The long-term defense against Sasser, said security analysts, is to apply the patch against the LSASS vulnerability on Windows XP, Windows 2000, and Windows Server 2003 systems. (But as noted last week, the patch is itself flawed, and can cause some Windows 2000 machines to crash at startup; Microsoft has yet to deploy a patched patch.)

Microsoft first released the patch for the LSASS vulnerability on 13 April as part of its monthly round of security alerts. The patch can be retrieved using the Windows Update service, or downloaded directly from Security Bulletin MS04-011.

Users can also filter traffic targeting UDP ports 135, 137, 138, and 445, as well as TCP ports 135, 139, 445, 593, and any ports above 1024, said Symantec in its analysis and advisory for Sasser. Companies should also monitor incoming traffic for packets targeting TCP port 9996 -- the port an infected machine uses to await a connection from the attacker -- and outgoing traffic destined for TCP port 5554, which is the port used by the FTP server that Sasser installs on compromised systems.
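The monitoring advice above can be turned into a simple check over perimeter connection logs. The following is an added example, not code from the article or from Symantec; the log format, the 10.0.0.0/8 internal range, the sample records and the rule names are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: the protected network
# Ports Symantec advises filtering (the "above 1024" TCP range is omitted here).
FILTERED = {"udp": {135, 137, 138, 445}, "tcp": {135, 139, 445, 593}}
SHELL_PORT = 9996  # TCP: infected machine awaits a connection from the attacker
FTP_PORT = 5554    # TCP: FTP server that Sasser installs

# Constructed sample records, format "time proto src_ip:port dst_ip:port".
SAMPLE_LOG = """\
09:00:01 tcp 203.0.113.7:3321 10.0.0.15:445
09:00:03 tcp 203.0.113.7:3322 10.0.0.15:9996
09:00:05 tcp 10.0.0.15:1040 203.0.113.7:5554
09:00:09 tcp 10.0.0.22:1055 198.51.100.4:80
09:00:12 udp 198.51.100.9:4000 10.0.0.22:137
"""

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def classify(line):
    """Return (rule_name, internal_host) for a flagged record, else None."""
    _, proto, src, dst = line.split()
    src_ip = src.rsplit(":", 1)[0]
    dst_ip, dst_port = dst.rsplit(":", 1)
    port = int(dst_port)
    inbound = not is_internal(src_ip) and is_internal(dst_ip)
    outbound = is_internal(src_ip) and not is_internal(dst_ip)
    if proto == "tcp" and inbound and port == SHELL_PORT:
        return ("inbound-tcp-9996", dst_ip)
    if proto == "tcp" and outbound and port == FTP_PORT:
        return ("outbound-tcp-5554", src_ip)
    if inbound and port in FILTERED.get(proto, set()):
        return ("inbound-filtered-port", dst_ip)
    return None

def scan(log_text):
    """Map each internal host to the set of rules its traffic matched."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            result = classify(line)
            if result:
                hits[result[1]].add(result[0])
    return dict(hits)

if __name__ == "__main__":
    for host, rules in sorted(scan(SAMPLE_LOG).items()):
        print(host, sorted(rules))
```

A host that matches both the 9996 and 5554 rules, as 10.0.0.15 does in the sample, is the first candidate for isolation, patching and a removal tool.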

Users of Internet Explorer can also sniff for and remove Sasser.a and Sasser.b -- the first two variants of the worm -- by using the ActiveX control tool found on the Sasser page Microsoft posted on Saturday. An option for non-IE browser users is to download the tool and run it independently of Internet Explorer.

Several anti-virus and security vendors have also posted free-for-the-downloading tools that remove the Sasser worm from infected computers. Among them are Symantec, Sophos, McAfee, and Panda Software.

All anti-virus vendors urged their customers to update their definition files immediately -- and keep them updated -- to protect their PCs against Sasser.
