Experts Split On Whether There's Life Left In Sasser Worm

Four Sasser variants, A, B, C and D, continued to run amok across the Internet last week in search of an LSASS (Local Security Authority Subsystem Service) buffer overrun vulnerability in Windows 2000 and XP platforms. The vulnerability was first announced on April 13 in Microsoft Security Bulletin MS04-011, said Debby Fry Wilson, director of Security Response Marketing at Microsoft, Redmond, Wash.

Sasser doesn't arrive as an e-mail attachment but enters a system through TCP port 445, said Kevin Kean, director of Microsoft's Security Response Center.
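Because the worm spreads by probing TCP port 445 rather than by e-mail, its activity stands out in perimeter logs as one source opening connections to many distinct hosts on that port. The following detector is an added example, not from the article or any vendor; the log format, addresses and threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall log excerpt (not from the article). One host, 10.0.0.5,
# sweeps six neighbours on TCP/445; 10.0.0.7 talks repeatedly to a single file
# server on 445 (normal SMB use); 10.0.0.9 browses the web on port 80.
SAMPLE_LOG = """\
2004-05-03T10:00:01 src=10.0.0.5 dst=10.0.0.12 proto=tcp dport=445 action=allow
2004-05-03T10:00:01 src=10.0.0.5 dst=10.0.0.13 proto=tcp dport=445 action=allow
2004-05-03T10:00:02 src=10.0.0.5 dst=10.0.0.14 proto=tcp dport=445 action=deny
2004-05-03T10:00:02 src=10.0.0.5 dst=10.0.0.15 proto=tcp dport=445 action=deny
2004-05-03T10:00:03 src=10.0.0.5 dst=10.0.0.16 proto=tcp dport=445 action=deny
2004-05-03T10:00:03 src=10.0.0.5 dst=10.0.0.17 proto=tcp dport=445 action=allow
2004-05-03T10:00:04 src=10.0.0.7 dst=10.0.0.2 proto=tcp dport=445 action=allow
2004-05-03T10:00:05 src=10.0.0.7 dst=10.0.0.2 proto=tcp dport=445 action=allow
2004-05-03T10:00:06 src=10.0.0.7 dst=10.0.0.2 proto=tcp dport=445 action=allow
2004-05-03T10:00:07 src=10.0.0.9 dst=192.0.2.10 proto=tcp dport=80 action=allow
2004-05-03T10:00:08 src=10.0.0.9 dst=192.0.2.11 proto=tcp dport=80 action=allow
"""

# Field layout is an assumption about the (constructed) log format above.
LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=tcp dport=(?P<dport>\d+)")

LSASS_PORT = 445  # the port the article says Sasser enters through


def find_scanners(log_text, threshold=5):
    """Return {src: set_of_dsts} for sources that contacted at least
    `threshold` distinct hosts on TCP/445. Denied attempts count too: a
    worm does not know which targets exist, so failed probes are the signal."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group("dport")) != LSASS_PORT:
            continue
        targets[m.group("src")].add(m.group("dst"))
    return {src: dsts for src, dsts in targets.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for src, dsts in find_scanners(SAMPLE_LOG).items():
        print(f"{src} probed {len(dsts)} hosts on TCP/{LSASS_PORT}: {sorted(dsts)}")
```

Repeated connections to one file server are not flagged; only fan-out across many destinations is, which is what distinguishes worm propagation from ordinary SMB traffic.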

Anatomy Of A Troublemaker

W32.Sasser.B.Worm differs from W32.Sasser.Worm:

>> Uses a different mutex.
>> Uses a different file name. Has a different MD5.
>> Creates a different value in the registry.

Last week's assault infected nearly 1 million computers, with variant B perhaps the most effective, said Patrick Hinojosa, CTO of security and antivirus firm Panda Software, Glendale, Calif. Hinojosa said last Thursday that if Sasser doesn't attack over the weekend, it very likely could be done for. "If we don't see anything by this weekend, it should be dead," he said.

David Perry, global director of education for security firm Trend Micro, Cupertino, Calif., agrees that Sasser may have had its day in the sun. "Sasser is a very successful sort of a ploy for a virus writer, but the limiting factor is that once you patch it, or block the entrance port, it gets knocked out completely," he said.


But Kevin Nelson, vice president of Threat Focus, a network security service in Tustin, Calif., said that after studying the worm author's motives, he expects a second wave of variants to strike, and possibly begin delivering malicious payloads. "There were some issues with the D version. [Sasser's author] backed some components out from the C version, and that tells me he was trying to do something, made a mistake, and will now come out with a new version," he said.