Sasser (computer worm)

Last updated

thumb|alt=aws

Sasser Worm
Technical name
  • Win32/Sasser (Microsoft)
  • Worm:Win32/Sasser.[Letter] (Microsoft)
  • Net-Worm:W32/Sasser (F-Secure)
  • Net-Worm:W32/Sasser.[Letter] (F-secure)
  • W32.Sasser.Worm (Symantec)
  • W32.Sasser.[Letter] (Symantec)
  • W32.Sasser.[Letter].Worm (Symantec)
  • W32/Sasser-[Letter] (Sophos)
  • Worm.Win32.Sasser.[letter] (Sophos)
  • W32.Sasser.Worm (Sophos)
  • W32/Sasser.worm.[letter] (Sophos)
  • WORM_SASSER (Trend Micro)
  • WORM_SASSER.[Letter] (Trend Micro)
  • BAT_SASSER.[Letter] (Trend Micro)
Type Worm
Author(s) Sven Jaschan
Operating system(s) affected Windows 2000, Windows XP

Sasser is a computer worm that affects computers running vulnerable versions of the Microsoft operating systems Windows XP and Windows 2000. Sasser spreads by exploiting the system through a vulnerable port. Thus it is particularly virulent in that it can spread without user intervention, but it is also easily stopped by a properly configured firewall or by downloading system updates from Windows Update. The specific hole Sasser exploits is documented by Microsoft in its MS04-011 bulletin, for which a patch had been released seventeen days earlier. [1] The most characteristic experience of the worm is the shutdown timer that appears due to the worm crashing LSASS.

Contents

History and effects

Sasser was created on April 30, 2004. [2] This worm was named Sasser because it spreads by exploiting a buffer overflow in the component known as LSASS (Local Security Authority Subsystem Service) on the affected operating systems. According to a report by eEye Digital Security published on April 13, 2004, this buffer overflow relies on an apparently deprecated API call to Microsoft Active Directory, which both allows for unchecked remote queries and crashes LSASS.exe if given a long string. [3] Once on a machine, the worm scans different ranges of IP addresses and connects to victims' computers primarily through TCP port 445. If a vulnerable installation of XP or 2000 is found, the worm utilizes its own FTP server hosted on previously infected machines to download itself onto the newly compromised host. Microsoft's analysis of the worm indicates that it may also spread through port 139. Several variants called Sasser.B, Sasser.C, and Sasser.D appeared within days (with the original named Sasser.A). The LSASS vulnerability was patched by Microsoft in the April 2004 installment of its monthly security packages, prior to the release of the worm. Some technology specialists have speculated that the worm writer reverse-engineered the patch to discover the vulnerability, which would open millions of computers whose operating system had not been upgraded with the security update. [4]

The effects of Sasser included the news agency Agence France-Presse (AFP) having all its satellite communications blocked for hours and the U.S. flight company Delta Air Lines having to cancel several trans-atlantic flights because its computer systems had been swamped by the worm. The Nordic insurance company If and their Finnish owners Sampo Bank came to a complete halt and had to close their 130 offices in Finland. The British Coastguard had its electronic mapping service disabled for a few hours, and Goldman Sachs, Deutsche Post, and the European Commission also had issues with the worm. The X-ray department at Lund University Hospital had all their four layer X-ray machines disabled for several hours and had to redirect emergency X-ray patients to a nearby hospital.

Author

On 7 May 2004, an 18-year-old German named Sven Jaschan from Rotenburg, Lower Saxony, then student at a technical college, was arrested for writing the worm. German authorities were led to Jaschan partly because of information obtained in response to a bounty offer by Microsoft of US$250,000.

One of Jaschan's friends had informed Microsoft that his friend had created the worm. He further revealed that not only Sasser, but also Netsky.AC, a variant of the Netsky worm, was his creation. Another variation of Sasser, Sasser.E, was found to be circulating shortly after the arrest. It was the only variation that attempted to remove other worms from the infected computer, much in the way Netsky does. hacking

Jaschan was tried as a minor because the German courts determined that he created the worm before he was 18. The worm itself had been released on his 18th birthday (29 April 2004). Sven Jaschan was found guilty of computer sabotage and illegally altering data. On Friday, 8 July 2005, he received a 21-month suspended sentence.

Side effects

An indication of the worm's infection of a given PC is the existence of the files C:\win.log, C:\win2.log or C:\WINDOWS\avserve2.exe on the PC's hard disk, the ftp.exe running randomly and 100% CPU usage, as well as seemingly random crashes with LSA Shell (Export Version) caused by faulty code used in the worm. The most characteristic symptom of the worm is the shutdown timer that appears due to the worm crashing LSASS.exe.

Workarounds

The shutdown sequence can be aborted by pressing start and using the Run command to enter shutdown /a. This aborts the system shutdown so the user may continue what they were doing. The shutdown.exe file is not available by default within Windows 2000, but can be installed from the Windows 2000 resource kit. It is available in Windows XP. A second option to stop the worm from shutting down a computer is to change the time and/or date on its clock to earlier; the shutdown time will move as far into the future as the clock was set back.

See also

Related Research Articles

<span class="mw-page-title-main">Buffer overflow</span> Anomaly in computer security and programming

In programming and information security, a buffer overflow or buffer overrun is an anomaly whereby a program writes data to a buffer beyond the buffer's allocated memory, overwriting adjacent memory locations.

Klez is a computer worm that propagates via e-mail. It first appeared in October 2001 and originated in China. A number of variants of the worm exist. The virus (Klez) itself is a Windows PE EXE file of about 65KB, and it operates on WIN32 platforms. Klez infects Microsoft Windows systems, exploiting a vulnerability in Internet Explorer's Trident layout engine, used by both Microsoft Outlook and Outlook Express to render HTML mail.

<span class="mw-page-title-main">Timeline of computer viruses and worms</span> Computer malware timeline

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

<span class="mw-page-title-main">Blaster (computer worm)</span> 2003 Windows computer worm

Blaster was a computer worm that spread on computers running operating systems Windows XP and Windows 2000 during August 2003.

Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. It also writes to the Windows Security Log.

Sven Jaschan is a former black-hat hacker turned white-hat and a security expert/consultant and creator of the NetSky worms, and Sasser computer worms.

Netsky is a prolific family of computer worms which affect Microsoft Windows operating systems. The first variant appeared on Monday, February 16, 2004. The "B" variant was the first family member to find its way into mass distribution. It appeared on Wednesday, February 18, 2004. 18-year-old Sven Jaschan of Germany confessed to having written these, and other worms, such as Sasser.

In computing, Download.ject is a malware program for Microsoft Windows servers. When installed on an insecure website running on Microsoft Internet Information Services (IIS), it appends malicious JavaScript to all pages served by the site.

Agobot, also frequently known as Gaobot, is a family of computer worms. Axel "Ago" Gembe, a German programmer also known for leaking Half-Life 2 a year before release, was responsible for writing the first version. The Agobot source code describes it as: “a modular IRC bot for Win32 / Linux”. Agobot was released under version 2 of the GNU General Public License. Agobot is a multi-threaded and mostly object oriented program written in C++ as well as a small amount of assembly. Agobot is an example of a Botnet that requires little or no programming knowledge to use.

Bolgimo is a Win32 computer worm, a self-replicating computer program similar to a computer virus, which propagates by attempting to exploit unpatched Windows computers vulnerable to the DCOM RPC Interface Buffer Overrun Vulnerability using TCP port 445 on a network. The worm was discovered on November 10, 2003, and targets Windows NT, 2000 and XP Operating Systems.

Welchia, also known as the "Nachi worm", is a computer worm that exploits a vulnerability in the Microsoft remote procedure call (RPC) service similar to the Blaster worm. However, unlike Blaster, it first searches for and deletes Blaster if it exists, then tries to download and install security patches from Microsoft that would prevent further infection by Blaster, so it is classified as a helpful worm. Welchia was successful in deleting Blaster, but Microsoft claimed that it was not always successful in applying their security patch.

Patch Tuesday is an unofficial term used to refer to when Microsoft, Adobe, Oracle and others regularly release software patches for their software products. It is widely referred to in this way by the industry. Microsoft formalized Patch Tuesday in October 2003. Patch Tuesday is known within Microsoft also as the "B" release, to distinguish it from the "C" and "D" releases that occur in the third and fourth weeks of the month, respectively.

The Windows Metafile vulnerability—also called the Metafile Image Code Execution and abbreviated MICE—is a security vulnerability in the way some versions of the Microsoft Windows operating system handled images in the Windows Metafile format. It permits arbitrary code to be executed on affected computers without the permission of their users. It was discovered on December 27, 2005, and the first reports of affected computers were announced within 24 hours. Microsoft released a high-priority update to eliminate this vulnerability via Windows Update on January 5, 2006. Attacks using this vulnerability are known as WMF exploits.

In computer security, executable-space protection marks memory regions as non-executable, such that an attempt to execute machine code in these regions will cause an exception. It makes use of hardware features such as the NX bit, or in some cases software emulation of those features. However, technologies that emulate or supply an NX bit will usually impose a measurable overhead while using a hardware-supplied NX bit imposes no measurable overhead.

Criticism of Windows XP deals with issues with security, performance and the presence of product activation errors that are specific to the Microsoft operating system Windows XP.

The Vundo Trojan is either a Trojan horse or a computer worm that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook. It also is used to deliver other malware to its host computers. Later versions include rootkits and ransomware.

<span class="mw-page-title-main">Storm Worm</span> Backdoor Trojan horse found in Windows

The Storm Worm is a phishing backdoor Trojan horse that affects computers using Microsoft operating systems, discovered on January 17, 2007. The worm is also known as:

<span class="mw-page-title-main">Conficker</span> Computer worm

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 SQL Slammer worm.

EternalBlue is computer exploit software developed by the U.S. National Security Agency (NSA). It is based on a vulnerability in Microsoft Windows that, at the time, allowed users to gain access to any number of computers connected to a network. The NSA had known about this vulnerability for several years but had not disclosed it to Microsoft yet, since they planned to use it as a defense mechanism against cyber attacks. In 2017, the NSA discovered that the software was stolen by a group of hackers known as the Shadow Brokers. Microsoft was informed of this and released security updates in March 2017 patching the vulnerability. While this was happening, the hacker group attempted to auction off the software, but did not succeed in finding a buyer. EternalBlue was then publicly released on April 14, 2017.

<span class="mw-page-title-main">BlueKeep</span> Windows security hole

BlueKeep is a security vulnerability that was discovered in Microsoft's Remote Desktop Protocol (RDP) implementation, which allows for the possibility of remote code execution.

References

  1. "Win32/Sasser". Microsoft Security Intelligence. Nov 11, 2004. Archived from the original on 31 October 2022. Retrieved 6 Feb 2023.
  2. Macrae, Duncan (2014-04-11). "Everything you need to know about the Sasser worm". Tech Monitor. Retrieved 2023-02-06.
  3. "Network Security, Vulnerability Assessment, Intrusion Prevention". 2006-01-09. Archived from the original on 2006-01-09. Retrieved 2023-02-06.
  4. Net-Worm.Win32.Sasser On a Physical PC Network , retrieved 2023-02-06
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.