Sasser Worms Strike Recent Windows Weakness

Unlike worms that appear from the Internet cloud in the contents of an e-mail, the Sasser family--most notably W32.Sasser.B.worm--exploits a recently announced buffer overrun vulnerability in popular Microsoft operating systems including Windows NT 2000 and Windows XP, according to security experts.

That vulnerability, Microsoft Windows LSASS Buffer Overrun Vulnerability, was originally announced on April 13 in Microsoft Security Bulletin MS04-011. LSASS (Local Security Authority Subsystem Service) provides an interface for managing local security, domain authentication and Active Directory processes.

Instead of waiting for unwary e-mail recipients to install it, Sasser actively seeks out vulnerable IP addresses and then sends a packet that produces a buffer overrun in LSASS.EXE. The overrun crashes the program and then the infected system, which requires a Windows reboot.

Sasser infections grow exponentially, and each infected system can be taken over and used to search for other vulnerable systems. Anyone connected to the Internet, including corporate networks and broadband subscribers, may be at risk from this family of worms, according to security experts.

Sasser variants arrive as a 16-Kbyte attachment and affect Windows 95, 98, ME, NT, 2000 and XP operating system versions.

As of Monday, security firm Symantec, Cupertino, Calif., was reporting approximately 150 instances of Sasser per hour, driving a paradigm change in the way worms have been arriving in 2004, said Alfred Huger, senior director of Symantec Security Response.

For more information on the worm and fixes, see the Symantec Web site.

"Over the last several weeks Symantec Security Response has monitored a shift in malicious threat propagation. During the first several months of the year, most of the threats we tracked spread through e-mail. However, now we are tracking more threats that are exploiting vulnerabilities to spread. Users need to be diligent in patching systems, updating virus definitions and implementing best practice solutions," Huger said in a statement.