A fast-spreading worm family that some are comparing to MSBlast is exploiting a vulnerability in Microsoft Windows and has infected as many as a million machines worldwide.
"Sasser is the MSBlast event of 2004," said Ken Dunham, the director of malicious code research for iDefense. "There are lots of parallels between MSBlast and Sasser. Leading up to Sasser, we saw exploit code updated, trojaning and hacking of vulnerable computers, and an underground buzz that resembled that of Blast seen in 2003."
The Sasser worm -- the fourth variant, tagged as Sasser.d, appeared Monday [US], and followed the original, Sasser.a, and two copycats, dubbed Sasser.b and Sasser.c -- can infect Windows 2000, Windows XP, and Windows Server 2003 machines without resorting to email and the file attachments that users must open for the malicious code to spread.
Instead, Sasser, like MSBlast of last year, exploits a recent vulnerability in a component of Microsoft Windows by scanning for vulnerable systems. Sasser then creates a remote connection, installs a file transfer protocol (FTP) server, and downloads itself to the new target.
Sasser exploits a vulnerability in the Windows Local Security Authority Subsystem Service, or LSASS, component. Since the LSASS vulnerability's disclosure on 13 April, exploit code has been circulating, and last week, numerous bot-based attacks used the vulnerability to compromise systems.
Estimates by Internet Security Systems' X-Force threat team place the Sasser infections at half a million to a million machines so far. Microsoft has reported that more than 150 million patches for the vulnerability have been downloaded from its website.
"Whatever the numbers, this is the most significant threat of 2004," said Dunham.
Sasser can cause systems to repeatedly reboot, another shared characteristic with MSBlast, which may make it relatively easy to spot an infected machine. All four variants are similar, although Sasser.c spawns 1,024 infection threads, eight times more than the other three variations. Some security firms, such as F-Secure, noted that because of this, Sasser.c may spread faster than its brethren.
The Sasser attack began with Sasser.a last week, continued over the weekend with Sasser.b and Sasser.c, and rolled into this week with Sasser.d.
"We're seeing a lot more attacks on Friday [US] nights and Saturdays [US]," said Dunham, referring to a time when corporate IT staffing is at its lowest and many home users are logged on to the internet. "It's a good time for worms to strike."
Dunham and others said that the Sasser worm may be the work of the same group that crafted a recent Netsky worm. According to analysis done by the Finnish anti-virus firm F-Secure, the most recent Netsky worm, dubbed Netsky.ac, includes text embedded in its code that reads:
"Hey, av firms, do you know that we have programmed the sasser virus?!?. Yeah thats true! Why do you have named it sasser? A Tip: Compare the FTP-Server code with the one from Skynet.V!!! LooL! We are the Skynet..."
If true, said Dunham, expect more variants of Sasser to appear, and appear quickly. One of the Netsky worm family's distinguishing traits is its numerous variations, with new copies released weekly, and in some cases, daily. "The worm is highly successful and attackers are updating its code as we speak, so you can expect to see a lot more in the coming days.
"This could be a major development in the worm war."
Currently, security firms have tagged Sasser.b as the most prevalent and dangerous. Symantec, for example, has labeled Sasser.b as a "4" on its 1 through 5 scale. (Symantec has never marked a worm or virus as a "5.") Sasser.a, however, is marked as a "3", while Sasser.c and Sasser.d are now at "2." Rival McAfee used "Medium" to describe Sasser.a's and Sasser.b's threat, and called Sasser.c and Sasser.d a "Low" danger.
To defend against Sasser, users should immediately patch all vulnerable PCs. The fix for the LSASS vulnerability can be downloaded from the Microsoft website.