[ISN] Sasser infections hit Amex, others

InfoSec News isn at c4i.org
Thu May 6 06:09:59 EDT 2004


By Paul Roberts
IDG News Service

Security experts are continuing to issue warnings about the Sasser
Internet worm as organizations struggled to clean up the damage caused
by infected hosts.

American Express joined a number of U.S. universities in reporting
infections from the Sasser worm on Monday and the SANS Institute's
Internet Storm Center (ISC) maintained a yellow warning Tuesday
despite expectations earlier in the day that the Sasser outbreak would
wind down Monday, according to interviews.

Sasser exploits a recently disclosed hole in a component of
Microsoft's Windows operating system called the Local Security
Authority Subsystem Service, or LSASS. Microsoft released a software
patch, MS04-011, on April 13.

The SANS Institute's Internet Storm Center said on Monday that it was
maintaining its yellow alert, indicating a "significant new threat" on
the Internet due to "the continuing spread of Sasser and other
malicious code targeting the MS04-011 vulnerabilities," according to
the ISC.

Among other things, modifications in new Sasser variants Sasser.C and
Sasser.D, which appeared on Monday, prompted the ISC to maintain the
yellow alert on Tuesday. Internet Storm Center chief technology
officer Johannes Ullrich said he expected Sasser to die down Monday,
prompting a return to the "green" status by the end of the day.

American Express experienced Sasser infections on employee desktops
beginning Sunday that disrupted the company's internal networks, but
did not have an impact on customer services according to Judy Tenzer,
a company spokeswoman.

American Express refused to reveal how many computers were affected,
or how the worm penetrated the company's network, but the infections
were limited to employee desktops and did not affect critical servers
at the company, she said.

Reports surfaced Monday of unexplained computer problems at other
companies, as well.

Delta Airlines experienced technical difficulties on Saturday that
forced the cancellations of some flights. The computer problems began
at 2:50 P.M. local time on Saturday and were fixed by 9:30 Saturday
evening, said Katie Connell, a Delta spokeswoman.

Connell would not common on the cause of the problems, or which
systems were affected, citing a continuing investigation. Delta does
use Microsoft products and the Windows operating system, she said.

In Boston, colleges and universities felt the effects of the worm,
according to David Escalante, director of computer policy and security
information technology at Boston College (BC), in Chestnut Hill, Mass.

Around 200 machines on BC's campus network were infected with Sasser,
most of them laptop and desktop computers owned by students, he said.

BC blocked traffic on port 445, which is used by the Sasser worm to
spread, before the outbreak. IT staff are analyzing the infections,
which may have come from students who brought infected laptops back
onto campus from home, Escalante said.

Staff are also struggling with complications caused by Sasser, which
causes many Windows XP and Windows 2000 machines to crash repeatedly,
preventing students from logging onto the desktop and installing the
appropriate software patch.

Making matters worse, BC students are approaching final exam period.  
The Sasser outbreak prompted a run on the student computer center
Saturday, with panicked students worried about the welfare of term
projects and other materials on Sasser-infected machines, he said.

Other schools also faced large-scale outbreaks, including more than
1,000 machines at Boston University, according to a source.

Among leading financial services companies, the impact of Sasser was
generally light. Companies including Citibank and Lehman Brothers
Holdings had around a dozen Sasser infections, rather than hundreds or
thousands of systems infections, according to a source.

Microsoft's recent decision to move from weekly to monthly software
patches has raised the stakes for companies that ignore the security
bulletins and updates, said Firas Raouf, COO of eEye Digital Security,
which discovered the LSASS vulnerability.

"Now you have a handful of vulnerabilities that are addressed by a
single patch, so if you don't deploy a patch, you're opened four or
five doors to your network," he said.

Large companies are often reluctant to press software patches into
service out of fear they will break critical applications used by
employees or customers. However, waiting too long to apply a software
patch exposes companies to infection by a worm or virus that takes
advantage of the software hole fixed by the patch, Raouf said.

The most important thing is for organizations to have a process in
place to handle new vulnerabilities when they are revealed so that
they can act quickly to scan for vulnerable machines, test patches,
deploy patches or apply workarounds as needed, he said.

More information about the ISN mailing list