[ISN] Security experts warn of nastier Sasser worm

InfoSec News isn at c4i.org
Fri May 7 09:50:37 EDT 2004


by Bernhard Warner and Spencer Swartz
MAY 06, 2004 

Computer security experts warned yesterday that the Sasser worm could
merge with earlier viruslike programs to wreak more havoc on the
Internet, just as companies and PC users clean up from the last attack
and authorities hunt for those responsible.  Since appearing over the
weekend, the fast-moving Sasser computer worm has hit PC users around
the world who run the ubiquitous Microsoft Windows 2000, NT and XP
operating systems. It is expected to slow down as computer users
download antivirus patches.

But Sasser could mutate by combining with the 2-month-old Netsky worm
and become a launching pad for further Web attacks, putting it on par
with Blaster, the destructive worm that appeared last year and used
infected computers to attack Microsoft Corp.'s Web site.

For now, the more benign Sasser worm does its harm by duplicating
itself and slowing down Internet connections.

"My expectation is that Netsky and Sasser variants will merge and
become what we call one 'abundant threat' that attacks through e-mail
and software vulnerabilities," said Jimmy Kuo, a research fellow at
Network Associates Inc.'s McAfee antivirus unit.

The fast-moving Sasser worm, which has hit home users, corporations
and government agencies throughout Europe, North America and Asia,
doesn't appear to wipe out data on disk drives, but it may damage
software applications, analysts said.

Estimates on how many users have been hit by the virus vary from
150,000 to 1 million, although analysts say the final tally could be
in the millions by the time the four Sasser variants work their way
through the Internet.

Analysts are unsure what economic damage Sasser has caused so far but
said the costs associated with things such as installing new software
on PCs and labor are likely to make it an expensive cleanup process.  
If infected computers aren't patched and protected by firewalls and
antivirus software, they could be used by virus writers to launch
future attacks, experts said.

Microsoft said yesterday that it's working with the Northwest
Cybercrime Task Force, a joint effort by the FBI and U.S. Secret
Service, to hunt down those responsible for the latest worm outbreak.

Microsoft created a page, http://www.microsoft.com/sasser, on its
corporate Web site to deal with the Sasser threat and is offering a
tool to rid infected computers of the worm, said Stephen Toulouse,
security program manager at the company's Security Response Center.

The origin of Internet threats is notoriously difficult to track, but
authorities managed to find teenagers allegedly responsible for
creating a copycat version of the Blaster worm. Minnesota teen Jeffrey
Lee Parson was arrested in August, followed by the arrest of an
unidentified juvenile in Seattle in September.

Reed Stevenson contributed to this report.

More information about the ISN mailing list