Microsoft Responds To Sasser Worm Threat
Four Sasser variants (A, B, C and D) are currently running amok across the Internet in search of an LSASS (Local Security Authority Subsystem Service) buffer overrun vulnerability in Windows 95, 98, ME, NT, 2000 and XP platforms, according to security experts. LSASS provides an interface for managing local security, domain authentication and Active Directory processes.
The vulnerability that Sasser exploits was originally announced on April 13, 2004, in Microsoft Security Bulletin MS04-011, said Debby Fry Wilson, director of Security Response Marketing at Microsoft.
A range of detection and removal tools for Sasser worms can be found at Microsoft's web site.
Sasser doesn't arrive as an e-mail attachment. Instead, the worm actively seeks out vulnerable IP addresses and enters a system through TCP port 445, said Kevin Kean, director of Microsoft's Security Response Center, Redmond, Wash. Sasser moves through other ports, but enters and infects a new client or server solely through port 445, Kean said. Once Sasser enters a client or server, it sends a packet that produces a buffer overrun in LSASS.EXE; the program crashes, the infected system crashes, and Windows must then be rebooted.
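The behaviour described above gives defenders one useful signal: legitimate SMB clients talk to a handful of file servers on port 445, whereas a host that is sweeping addresses contacts many distinct neighbours in a short time. The check below is an added example, not code from the article or from Microsoft; it assumes a constructed, simplified firewall log format and runs over constructed sample lines.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not taken from the article). 10.0.0.7 sweeps
# six neighbouring addresses on TCP/445 within a few seconds, the pattern the
# article describes for Sasser's search for vulnerable hosts; 10.0.0.20 and
# 10.0.0.21 talk to a single file server, which is ordinary SMB use of 445.
SAMPLE_LOG = """\
2004-05-03T10:00:01 ACCEPT TCP 10.0.0.7:1031 -> 10.0.0.1:445
2004-05-03T10:00:01 DROP TCP 10.0.0.7:1032 -> 10.0.0.2:445
2004-05-03T10:00:02 DROP TCP 10.0.0.7:1033 -> 10.0.0.3:445
2004-05-03T10:00:02 ACCEPT TCP 10.0.0.7:1034 -> 10.0.0.4:445
2004-05-03T10:00:03 DROP TCP 10.0.0.7:1035 -> 10.0.0.5:445
2004-05-03T10:00:03 ACCEPT TCP 10.0.0.7:1036 -> 10.0.0.6:445
2004-05-03T10:00:04 ACCEPT TCP 10.0.0.20:2001 -> 10.0.0.50:445
2004-05-03T10:00:05 ACCEPT TCP 10.0.0.20:2002 -> 10.0.0.50:445
2004-05-03T10:00:06 ACCEPT TCP 10.0.0.21:3001 -> 10.0.0.50:445
2004-05-03T10:00:07 ACCEPT TCP 10.0.0.21:3002 -> 10.0.0.51:80
"""

# Assumed log layout: "<timestamp> <ACCEPT|DROP> TCP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(lines):
    """Yield (src, dst, dport) for each well-formed line; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], int(m["dport"])


def find_445_sweeps(lines, threshold=5):
    """Return {src: sorted distinct dsts} for every source that contacted at
    least `threshold` distinct hosts on TCP/445. DROP lines count as well as
    ACCEPT lines: a worm probing addresses that do not exist still leaves
    its fan-out in the blocked entries."""
    fanout = defaultdict(set)
    for src, dst, dport in parse_log(lines):
        if dport == 445:
            fanout[src].add(dst)
    return {src: sorted(dsts) for src, dsts in fanout.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for src, dsts in find_445_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"possible Sasser-style port 445 sweep from {src}: {len(dsts)} hosts")
```

Flagged sources are candidates for isolation and for checking whether LSASS.EXE has been crashing and the machine rebooting, the symptoms the article attributes to an infection.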
So far, no incident of Sasser delivering a malicious payload has been reported, Kean said.
"Sasser is a classic self-spreading worm. It actually lays code down on a system and causes remote-code execution, and that's in contrast with other virus types that require user intervention," said Kean. "Despite the fact that Sasser takes no specific malicious action, the creation of this worm is still a criminal act."
Kevin Nelson, vice president at Threat Focus, a network security and vulnerability alert service in Tustin, Calif., said it could be only a matter of time before Sasser planted malicious code.
"Sasser definitely has the potential to be something on the order of a Blaster," said Nelson, comparing Sasser to the very destructive Blaster worm.
"We've pretty well confirmed that the people who wrote Netsky are behind Sasser, and the fourth version of Sasser is spreading 10 times faster than the earlier versions. It feels like [the Sasser authors] are testing and learning how to infect machines very quickly. So while there has been no infected payload yet, there's no reason not to expect it. [Sasser's authors] have the complete ability to install any software they want," Nelson warned.
Microsoft is already working with law enforcement officials, as well as the Department of Homeland Security, in an effort to root out Sasser's author(s), said Microsoft's Wilson.
Already, thousands of clients and servers have been infected by one of the Sasser variants, according to security experts.