Slashdot Mirror
Sasser Worm Disruption Growing
thebra writes "Yet another virus is causing problems with Internet Explorer. "Sasser, unlike a virus which travels through e-mails and attachments, spreads directly from the internet."A removal tool can be found here."
Sasser doesn't affect IE.
Oh stupid me for typing the wrong slashes...try here instead. Oh well, a dose of humiliation before your peers is good for the humility gland.
All those moments will be lost in time, like tears in rain.
Another removal tool made by Network ASSociates can be found at: http://vil.nai.com/vil/stinger/ I've used it on a number of a machines with no problem. It only scans files (no registry). It fits on a floppy and it's free. It'll even run on machines that already have virus protection, good if someone hasn't updated their definitions and can't get on the internet. It's updated anytime a new baddy comes out, but you have to redownload the EXE file since it doesn't check for updates.
These are the three secret ingredients to a relatively secure system. Read them. Learn them. Understand them.
Hate me!
The original poster is not correct when claiming Internet Explorer has a problem. This time it's a hole in the so called "Local Security Authority Subsystem Service" that's causing problems.
See this and this for more details.
Everyone with a Windows machine should sign up for MS's monthly security e-mail or religiously check Windows Update on the second Tuesday of each month. I won't go as far as recommending automatic updates, though.
When I am king, you will be first against the wall.
You mean other than scanning random IP addresses on successive TCP ports starting at 1068 and making copies of itself?
Well, it also acts as an FTP server on TCP port 5554, and creates a remote shell on TCP port 9996.
It further makes copies of itself in the %Windows% directory.
Oh and finally, it causes LSASS.EXE to crash, and by default this causes your system to reboot. Repeatedly.
http://efil.blogspot.com/
What could be more "directly from the Internet" than email?
An exploit connecting directly to port 445 of a host and not requiring any user-intervention to become infected.
You would have to run the LSASS Service under Wine...and I don't know why you would want to do that !
It looks like it exploits LSASS.EXE by scanning for a listening port 445. Good job I've got all incoming blocked by default.
Roll on XP SP2 with the firewall on by default for everyone, then hopefully things like this will go away....
Email gets picked up by your email client. An email virus must then be run from the message either by opening the attachment or (for some Outlook versions) by having Outlook open it for you. Even just receiving a copy of an email virus requires that you run your email client.
In the case of the Sasser worm, it is using an open port to crawl directly into your computer when you connect to the internet. There is no action required on the part of the user and no infected file to load. Windows simple accepts the connection and installs the worm.
That's why worms are "more directly from the internet" than email-based viruses.
Life is short: void the warranty.
Well, for one, it bogs down your network to a mush of syrup. All that looking for other hosts to infect really takes up a lot of capacity on the network. And the Sasser.D version is up to 1024 threads pr. CPU, up from 128 in the Sasser.B version...
People have short memories. There was an Apache worm about two years ago (in mod_ssl).
Here is a link
Of course, worms like that are few and far between, especially when compared to the number of Windows worms going about lately, but to claim a system is "worm free by nature"? I think that's more than a little premature.
Nope, this one was on /.
first
A few days ago I saw a message from our firewall asking if I wanted to allow Security Authority Subsystem to be contacted by a remote host.
A simple click on the "No" button stopped this worm in its tracks.
If more admins just installed firewalls and made sure all unnecessary services were blocked there'd be a lot less worm infections. (sure it won't protect people who need to use the Security Authority Subsystem, but I'm willing to bet a lot of the infected machines don't use it at all)
Google cache of McAfee's page on the worm
One of symantec's pages
The patch from MS : http://www.microsoft.com/technet/security/bulletin /MS04-011.mspx
just BSOD'ed my Citrix server.
YMMV
"/Dread"
Umm...why did you install MS04-014 instead of MS04-011? Maybe you got confused, like /. about what in the world this "poorly written" worm is attacking....
"Life is tough but we're tougher. You only get what you give, so give all that you've got." --Tony LaRussa
Just a note regarding 0-day exploits: SysInternals (the people who brought you filemon, regmon, etc) write BGInfo, a low-CPU no-memory way of displaying important system properties. If you do have it installed, you can tell it to display the timestamp of the file C:\Program Files\WindowsUpdate\V4\iuhist.xml, which should be the last time WindowsUpdate was run, helping remind you to run it frequently.
Just like the ASN.1 vulnerability that is patched through one of the recent Microsoft patches. Supposedly Win98/ME PC's aren't affected by the issue. But looking at my company's Win98 PC's I saw the msasn1.dll file present. And researching things a little bit I saw that the standard implementation of the ASN.1 command parser is affected on any and all platforms. From a Nortel H.323 gateway to a Cisco router to a Windows 2003 Server to a Windows 98 PC.
This was months ago that I read this. I called into the Microsoft PCSAFETY toll free number and a tech indeed acknowledged that Windows 98 and ME PC's were vulnerable. And they e-mailed me a link to download the patch (not one of the hoax e-mails either, so no jokes!!). Since then I deployed it to all of my Windows 98 PC's and know that they are at the same standard as the Windows 2000 and XP machines.
What kind of company releases patches and leaves out some client versions that are still safe from the EOL cycle? That's what Microsoft did with the ASN.1 patch.
And what kind of company releases patches that obviously weren't tested on clients that were running USB storage, DLT storage, and IPSec agents? Look at the KB835732 patch. It broke all of these driver loads, leaving patched PC's running at 99% CPU utilitization after rebooting.
Nice, really nice. Risk stability and compatibility issues versus being exposed to an Internet-borne worm. I'm not blaming Microsoft for having vulnerabilities. All OS'es do to one degree or another. But I am blaming them for leaving our client versions and not thoroughly testing code they should've been working on for 5 months.
this is going to be a long day.
No, that's inaccurate.
Worms can spread to other machines on their own. Viruses require some external intervention (such as file sharing or e-mail) to spread to other machines. See this entry in the Jargon File for a more verbose answer.
Now, many of the latest e-mail "worms" would be better classified as viruses or trojan horses, as they are incapable of infecting other hosts without direct user intervention (i.e., opening an attachment.) They've been (IMHO) mis-labeled as worms because they display worm-like behavior once they've infected a machine--that is, they mail copies of themselves as trojan-style attachments to other users.
So yes, the Sasser worm is a bona-fide worm. It transmits itself to other systems without any external help.
Obliteracy: Words with explosions
Autoupdates and immediate patching aren't options for large corporate networks. Patches often break existing applications. Even after extensive testing some patches have caused more problems than they fixed. Windows Update sends enough information back to Microsoft for them to determine what's installed on our private network, so we block it from running.
It takes weeks to test a patch and push it out. Servers often can't be rebooted until weekends. Then there are users with special situations that require manual installs. It takes time to do hundreds of installs manually. It also takes time to get the patch onto the standard corporate "build" of Windows, so for a while new computers need the patch pushed out after logging into the network the first time, leaving a gaping hole for this virus to spread.
Developers: We can use your help.
PS: Tried fooling the script at windows update site by changing browser identification, but this only prevented the thank you message, didn't allowed to download the patch
That's because windows update installs via an ActiveX object. Only IE can run that. You probably downloaded the ActiveX object, but since it can't run without IE, it didn't download the update. If you need to download the update separately, check out the adminstrator section of windows update. MS provides all updates as a separate download that you can burn to a disk and install that way.
No matter how many of my rights are taken away, somehow I still don't feel safe. -Frigid Monkey
No, but if the cops can't run a plate or license number check during a routine traffic stop, you won't know if there's a warrent out on the guy for a series of violent crimes.
Just an example. The ability for the police to do thier job in any capacity relies on the ability to get and share information. It's pretty rare that the cop actually witnesses the mugging, but a witness description, cross referenced with other reports from the head office, might lead to the ID of a suspect.
=Smidge=
It's bullshit and you know it. One of the April 13th patches funged IE, and within a week there was a follow-up patch, that still leaves you two more weeks to patch.
What else did it break? Nothing?
Anyway, by DEFINITION a genetic algorithm uses a population, and also by DEFINITION it uses sexual reproduction (see Thomas Bäck's excellent book comparing several evolutionary techniques, "Evolutionary Algorithms in Theory and Practice", 1996).
If you use pure mutation on a single solution, the term to use would be "Evolution Strategy".
If you want to exclude sexual reproduction, or use any evolutionary technique without bothering about definitions, use the term "evolutionary algorithm", which is an umbrella-name covering all evolutionary techniques.
I know that people are often a bit loose about what terms to use, but since this is one of my particular subjects of research, I am a bit anal about it.
Finally, AFAIK, there are already virusses and worms that mutate themselves. I don't have any definite examples, though.
1) Several groups were relying on SUS in order to get those patched distributed. If you go into SUS, the patches were 'approved' on one screen, not on the other. I wasn't alone in seeing this. Suffice to say, I was also a bit shocked when it started to blow through and none of my machines were protected.
2) When it installs (sasser.d) it writes itself to 'System Volume Information' - allowing it to not get caught by NAI's on demand scanner, and re-infect the box if you don't do a C drive scan manually.
--pete
spread fast for the first few hours or days, until it saturated the vulnerable population, then cut way back on network traffic and hide.
not crash machines or trash all their files - instead, it would slowly and subtly modify user data files (see here for a few suggestions).
Imagine what would happen to modern business if they discovered that they couldn't trust any document that had ever touched a Windows machine... the world's economy would grind to a halt. Not even Microsoft has enough money to pay damages for an event like that, though the combined law firms of the world would try to get it from them.
To a Lisp hacker, XML is S-expressions in drag.