Slashdot Mirror


Sasser Worm Disruption Growing

thebra writes "Yet another virus is causing problems with Internet Explorer. 'Sasser, unlike a virus which travels through e-mails and attachments, spreads directly from the internet.' A removal tool can be found here."


  1. Yeah..you're telling me... by hookedup · · Score: 5, Interesting

    Here at work, none of our employees can connect to the VPN, hence nobody can get work done, hence I'm sitting here with my phone ringing off the goddamn hook.

    Capital punishment for worm writers!

    1. Re:Yeah..you're telling me... by Anonymous Coward · · Score: 5, Funny

      It's not fair. I sometimes wish I used windows.

      All the windows folks in the place are sat around talking and drinking coffee because everything's broken, but us unlucky users of openbsd servers and linux desktops are having to work hard as usual.

      It seems there are hidden benefits to choosing Microsoft products.

    2. Re:Yeah..you're telling me... by Anonymous Coward · · Score: 5, Funny

      Typical *nix admin, thinking that posting on Slashdot is 'working hard as usual'.

  2. Internet Explorer? by Anonymous Coward · · Score: 5, Informative

    Sasser doesn't affect IE.

  3. I have a question by Progman3K · · Score: 5, Interesting

    What does Sasser actually DO?

    Usually, viruses have a goal, like collecting your personal information, DDOSing SCO, or SOMETHING...

    What does this one actually do?

    My theory is that someone wrote it to disable all the spamware-infested computers out there.

    They can't be spamming us if they're rebooting constantly, can they?

    And if the owner doesn't disinfect them and protect them from future attacks, they'll just start rebooting again...

    --
    I don't know the meaning of the word 'don't' - J
    1. Re:I have a question by manavendra · · Score: 5, Informative

      You mean other than scanning random IP addresses on successive TCP ports starting at 1068 and making copies of itself?

      Well, it also acts as an FTP server on TCP port 5554, and creates a remote shell on TCP port 9996.

      It further makes copies of itself in the %Windows% directory.

      Oh and finally, it causes LSASS.EXE to crash, and by default this causes your system to reboot. Repeatedly.

      --
      http://efil.blogspot.com/
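      The indicators manavendra lists (listeners on TCP 5554 and 9996, plus a burst of connection attempts to port 445 across many hosts) are easy to check for on the defender's side. The following is an added example, not code from the original thread or from any vendor tool; the netstat-style and firewall-log line formats and the scan threshold are assumptions chosen for the example, and the sample data is constructed.

```python
"""Sasser indicator checker (added example). Flags a host that is listening on
the ports the thread attributes to Sasser (FTP on 5554, remote shell on 9996)
and a source that is hitting TCP 445 on many distinct hosts, as a scanner would."""
import re
from collections import defaultdict

# Ports the thread attributes to Sasser: FTP server on 5554, remote shell on 9996.
SASSER_LISTEN_PORTS = {5554, 9996}
# The LSASS hole is reached over SMB, TCP port 445 (as discussed in the thread).
LSASS_PORT = 445
# Distinct 445 targets from one source before we call it a scan (assumed value).
SCAN_THRESHOLD = 20

# netstat -an style line (assumed format): "  TCP    0.0.0.0:5554    0.0.0.0:0    LISTENING"
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")
# Firewall log line (constructed format): "<time> <src_ip> -> <dst_ip>:<dst_port> SYN"
FW_RE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+->\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+SYN$")


def suspicious_listeners(netstat_lines):
    """Return the set of Sasser-associated ports found in LISTENING state."""
    found = set()
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if m and int(m.group(2)) in SASSER_LISTEN_PORTS:
            found.add(int(m.group(2)))
    return found


def scanning_sources(fw_lines, threshold=SCAN_THRESHOLD):
    """Return {src_ip: number_of_distinct_445_targets} for sources at or above threshold."""
    targets = defaultdict(set)
    for line in fw_lines:
        m = FW_RE.match(line)
        if m and int(m.group(4)) == LSASS_PORT:
            targets[m.group(2)].add(m.group(3))
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def assess(netstat_lines, fw_lines):
    """Combine both indicators into a simple verdict dictionary."""
    listeners = suspicious_listeners(netstat_lines)
    scanners = scanning_sources(fw_lines)
    return {"listeners": sorted(listeners), "scanners": scanners,
            "likely_sasser": bool(listeners) or bool(scanners)}


# Constructed sample data: one infected host (10.0.0.5) and one benign host (10.0.0.9).
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135      0.0.0.0:0      LISTENING",
    "  TCP    0.0.0.0:445      0.0.0.0:0      LISTENING",
    "  TCP    0.0.0.0:5554     0.0.0.0:0      LISTENING",
    "  TCP    0.0.0.0:9996     0.0.0.0:0      LISTENING",
    "  TCP    10.0.0.5:1068    10.0.3.7:445   SYN_SENT",
]
SAMPLE_FW = (
    [f"12:00:{i:02d} 10.0.0.5 -> 10.0.{i}.1:445 SYN" for i in range(25)]
    + ["12:01:00 10.0.0.9 -> 10.0.0.1:445 SYN",
       "12:01:01 10.0.0.9 -> 10.0.0.1:80 SYN"]
)

if __name__ == "__main__":
    print(assess(SAMPLE_NETSTAT, SAMPLE_FW))
```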
  4. Removal tool by Mindtoy · · Score: 5, Informative

    Another removal tool made by Network ASSociates can be found at: http://vil.nai.com/vil/stinger/ I've used it on a number of machines with no problem. It only scans files (no registry). It fits on a floppy and it's free. It'll even run on machines that already have virus protection, good if someone hasn't updated their definitions and can't get on the internet. It's updated anytime a new baddy comes out, but you have to redownload the EXE file since it doesn't check for updates.

  5. Re:M$ - First Post? by Oxy+the+moron · · Score: 5, Insightful

    I still am of the opinion that it doesn't matter how many patches M$ releases. The fact is, we need an educated user base. So many people continue to use computers without knowing the full risks associated with them.

    The Internet is great, broadband is great, computers are great. But as long as people are willing to give up their passwords for chocolate and have no clue what a firewall is or what it does, this problem will continue to plague everyone.

    Nothing beats a good educated user.

    --

    Proudly supporting the Libertarian Party.

  6. Don't blame Internet Explorer this time by joeykiller · · Score: 5, Informative

    The original poster is not correct when claiming Internet Explorer has a problem. This time it's a hole in the so called "Local Security Authority Subsystem Service" that's causing problems.

    See this and this for more details.

    1. Re:Don't blame Internet Explorer this time by Tackhead · · Score: 5, Interesting
      > This time it's a hole in the so called "Local Security Authority Subsystem Service" that's causing problems.

      One of my first questions when I laid hands on an XP box: "OK, so now that I've un-dumbed-down the thing as much as I can... WTF's this LSASS.EXE process running as SYSTEM, and WhyTF is it listening to port 445, and HowTF do I shut it down?"

      Answer: "Some sort of weird Microsoft shit, I don't know, and there's no way to kill it - in that order."

      Me: "Fuck it, then. Let's block inbound 445 at the router, and on my personal box, I'll try setting my third-party software 'Firewall' to deny all inbound and outbound traffic to it. If anything blows up, I can always permit my box to talk to whatever machines it needs to talk to".

      Nothing blows up. Yet another Microsoft unnecessary service running with SYSTEM privs is forgotten about.

      A year or two later: w00t!

      Win9x may have been an unstable piece of shit masquerading as a graphical DOS shell, but as long as you didn't use Internet Exploiter and Outbreak Excess, you couldn't get pwn3d, because desktops that don't run any listening services are pretty fucking hard to compromise remotely.

  7. IE? by BenBenBen · · Score: 5, Insightful

    What the hell has a worm that attacks through non-HTTP traffic and downloads its body through a built-in FTP client got to do with Internet Explorer?

    If you're going to bash Microsoft, at least bash the right frickin' part...

    --
    The Slashdot Paradox: "100% Overrated"
  8. Re:Direct? by orbit0r · · Score: 5, Informative

    What could be more "directly from the Internet" than email?

    An exploit connecting directly to port 445 of a host and not requiring any user-intervention to become infected.

  9. Re:Could Sasser possibly affect Linux? by Aliencow · · Score: 5, Informative

    You would have to run the LSASS Service under Wine... and I don't know why you would want to do that!

  10. Re:Direct? by gunnk · · Score: 5, Informative

    Email gets picked up by your email client. An email virus must then be run from the message either by opening the attachment or (for some Outlook versions) by having Outlook open it for you. Even just receiving a copy of an email virus requires that you run your email client.

    In the case of the Sasser worm, it is using an open port to crawl directly into your computer when you connect to the internet. There is no action required on the part of the user and no infected file to load. Windows simply accepts the connection and installs the worm.

    That's why worms are "more directly from the internet" than email-based viruses.

    --
    Life is short: void the warranty.
  11. Yeah, I'll run that removal tool. by pschmied · · Score: 5, Insightful

    I'm not sure why everyone is so hopped up on these removal tools. It seems to me that after being infected with a worm that installs a back door, more people ought to look at reinstallation from known good media.

    Biggest Windows vulnerability ever, again. How many times have we said that this year? At work, it's beginning to feel a bit like a duck and cover drill.

    -Peter

  12. From an IT guy by bigjnsa500 · · Score: 5, Funny
    From a *nix IT guy, I am sitting here this morning, drinking my coffee and posting on /.
    Down the hall are the MCSE's. I can hear them shouting at each other about why this and that system wasn't patched.
    Even the network big wigs are in the room with them.

    Ahhhh... the joys of *nix....

    Back to my wonderful coffee....

    --
    This is a test. This is a test of the emergency sig system. This has been only a test.
    1. Re:From an IT guy by Mysticode · · Score: 5, Insightful

      A firewall is all well and good until someone brings an unsecured laptop in and plugs it into the network. Are you telling me that no one in your organization has a laptop that they take home with them? What's the chance that they may plug it directly into a high-speed net connection at home without a firewall?

  13. evolution? by qqqqarl · · Score: 5, Interesting

    i'd like to know:

    when is someone going to put a genetic algorithm into their virus/worm?

    something that mutates the worm's parameters (ports, timing delays, ip-search strategy, etc.) so that the most virulent parameters are found by "natural selection"?

    seems like an ideal application for genetic algorithms.

    K.

  14. Re:Windows only by Hrothgar+The+Great · · Score: 5, Informative

    People have short memories. There was an Apache worm about two years ago (in mod_ssl).

    Here is a link

    Of course, worms like that are few and far between, especially when compared to the number of Windows worms going about lately, but to claim a system is "worm free by nature"? I think that's more than a little premature.

  15. Re:Please wake up... by Ruie · · Score: 5, Insightful
    Linux distributions do not have major security problems as often as Microsoft (I can remember a single occasion when a hole was found in SSL libraries and I had to upgrade fast).

    Also, on a Linux system there is no problem finding out what exactly runs, what it does and one can check the code quality.

    In contrast, I have never even heard of the "subsystem" that is being used by this worm.

    On a free system no one *has* to fix bugs for you, but you have the freedom to do it yourself (and configure the system any way you like, so that, if you are not comfortable running sendmail, you use other software like exim or postfix).

    On a black box system like Windows the company that makes it is responsible for getting each and every detail right because they do not let anyone else touch the contents.

  16. Problems are with windows, not IE by T.Hobbes · · Score: 5, Informative
    A few things:
    • It's a worm, not a virus
    • It attacks Windows, not IE (despite Microsoft's efforts, there is still a distinction)
    • For the user, the main damage is that the infected computer will shut down; I have no reference, but shutdown loops have been reported
    • For the admin, the main damage is the flood of traffic sent out by the worm in search of new hosts
    • The worm can use Win98/WinME boxes to propagate but cannot infect those same computers

    Google cache of McAfee's page on the worm
    One of symantec's pages

  17. Re:Heard of a firewall? by SiggyRadiation · · Score: 5, Insightful

    A. Guy takes home corporate laptop.
    B. Plugs laptop into phone-line / uses internet
    C. Gets infected
    D. Takes his laptop back to the job
    E. Infects the entire LAN *FROM THE INSIDE* while the firewall happily keeps the fire "IN" (instead of out).

    If you fire anyone, please fire the laptop-owner.

    --
    This unique sig is intended to make this user more recognisable.
  18. Re:Zonealarm Failure by Jarnis · · Score: 5, Insightful

    Correction; You had a zonealarm that was set up wrong.

    Blocking port 445 from inbound traffic secures the computer against this worm.

    Also the failure to install a critical patch that has been out for two weeks is called 'stupidity'. Using a windows box connected to the net is already something close to extreme sports. Doing so without regular windowsupdate visits is like extreme sports blindfolded without a helmet. You are *bound* to get hurt.

  19. Re:Windows only by qasimzaidi · · Score: 5, Interesting

    Mine was probably the only PC left infected in the office. Funnily however, when I tried to download the patch for Sasser from Microsoft (I unfortunately have to dual boot), here is what I got:

    > Thank you for your interest in Windows Update. Windows Update is the online extension of Windows that helps you get the most out of your computer. You must be running a Microsoft Windows operating system in order to use Windows Update.

    From what I have heard from my colleagues, this worm attacks when you connect to net, and microsoft forces you to connect with a vulnerable system. But then, windows is a product for dummies from the dummies.

    PS: Tried fooling the script at windows update site by changing browser identification, but this only prevented the thank you message, didn't allow me to download the patch.

  20. Built in XP firewall not effective by Anonymous Coward · · Score: 5, Interesting

    The built in WinXP firewall does NOT protect against the Sasser worm. I ghosted an XP box three times to confirm this-- not until after applying MS04-014 and/or using an alternative firewall (e.g. ZoneAlarm) did I see protection from Sasser or its variants (if they exist... although I did see LSASS crash a few times without the presence of avserveX.exe on the system).

    I don't know about you guys, but the SASSER worm turned an otherwise boring Sunday into a wickedly exciting day! Thank you worm-guy!

    -s

  21. Re:Microsoft's "fixes" by getling · · Score: 5, Informative

    Umm...why did you install MS04-014 instead of MS04-011? Maybe you got confused, like /. about what in the world this "poorly written" worm is attacking....

    --
    "Life is tough but we're tougher. You only get what you give, so give all that you've got." --Tony LaRussa
  22. Weeks to patch by truthsearch · · Score: 5, Interesting

    And let's face it; if your machine is not properly patched, it's probably already being used as a spam relay, so it's not the spammers who would want this.

    In a corporate network environment, such as mine, a few weeks is barely enough time to get a patch onto every desktop. First a few days are spent testing it. Then it has to be pushed out to all of the users. Server patches often have to wait until weekends because they can't be down during the week. Then manual installs have to be done for all the "non-standard" setups.

    Then there's the new computer I got yesterday with our standard corporate developer's build. Of course the build doesn't have the latest patches yet, so when I turn on the computer for the first time, immediately after logging in McAfee catches the virus. So then I have to hunt down the right patches from the right people and reboot repeatedly until I can log into the network without getting the virus.

    So I lost all of yesterday fixing the problems on my two computers and my office is as up to date as possible with getting patches onto workstations. Machines go for weeks without new patches because it's impossible to distribute them when some break applications, and therefore require much testing.

    I wrote a 70 page document explaining why we should switch from Windows to Linux. Management wouldn't even start to read it. This is what they get for their ignorance.

    1. Re:Weeks to patch by bankman · · Score: 5, Insightful
      > I wrote a 70 page document explaining why we should switch from Windows to Linux. Management wouldn't even start to read it. This is what they get for their ignorance.

      This is a very typical mistake. Management, especially senior management does not read 70 page long pamphlets about a topic that they most likely don't understand.

      Write a very concise executive summary, comprising no more than two pages, outlining in easy to understand language why switching to Linux will be beneficial to your organisation. Emphasise cost and security and explain the interdependencies. Also explain the business freedom your organisation will gain (management decides when to make major changes to your infrastructure, not Microsoft etc.). Preferably get a colleague with an idea of management's language to help you with it.

      It's like every business pitch: First you get them hooked with what they really want, then you get the stuff in that you want.

      --
      I feel so sig.
  23. Two words.. Hardware Firewall by Nonillion · · Score: 5, Interesting

    If most users would quit being so cheap and buy a firewall appliance like a linksys router, or (for the more savvy) build a Coyote linux box we wouldn't have half of these problems. I run Win2k, Solaris and SuSE linux. The linux box is the only one exposed to the net and hasn't been rooted/hijacked once in the three years it has been exposed. Running stuff like Zone Alarm is like giving a band aid to someone who has a big gaping wound.

    --
    "I bow to no man" - Riddick
  24. Re:Sassier *is* a virus by American+AC+in+Paris · · Score: 5, Informative
    > It seems that we've been living in the land of email worms for so long that most people don't know how to deal with a real virus. Yeah, that's what they do... they spread without your help. Geez!

    No, that's inaccurate.

    Worms can spread to other machines on their own. Viruses require some external intervention (such as file sharing or e-mail) to spread to other machines. See this entry in the Jargon File for a more verbose answer.

    Now, many of the latest e-mail "worms" would be better classified as viruses or trojan horses, as they are incapable of infecting other hosts without direct user intervention (i.e., opening an attachment.) They've been (IMHO) mis-labeled as worms because they display worm-like behavior once they've infected a machine--that is, they mail copies of themselves as trojan-style attachments to other users.

    So yes, the Sasser worm is a bona-fide worm. It transmits itself to other systems without any external help.

    --

    Obliteracy: Words with explosions

  25. Auto updates and quick patches by truthsearch · · Score: 5, Informative

    Autoupdates and immediate patching aren't options for large corporate networks. Patches often break existing applications. Even after extensive testing some patches have caused more problems than they fixed. Windows Update sends enough information back to Microsoft for them to determine what's installed on our private network, so we block it from running.

    It takes weeks to test a patch and push it out. Servers often can't be rebooted until weekends. Then there are users with special situations that require manual installs. It takes time to do hundreds of installs manually. It also takes time to get the patch onto the standard corporate "build" of Windows, so for a while new computers need the patch pushed out after logging into the network the first time, leaving a gaping hole for this virus to spread.

  26. Re:Don't worry.... by Ruprecht+the+Monkeyb · · Score: 5, Interesting

    Yes, they released the patch 21 days ago. They also released a hotfix at the same time that breaks a non-trivial # of computers.

    Those of us forced to work and support a Windows environment are caught between a rock and a hard place. We don't dare apply a brand-new patch on production servers, or roll it out across the enterprise, but if we wait too long, an exploit hits what the patch supposedly fixed, and we get smacked (plus raked over the coals on /. for being incompetent).

    I try to get new so-called critical patches applied within 7 days -- usually sooner, depending on when I can afford to take servers down, etc. But it won't be long before one of these wide-spread worms hits a vulnerability that's just been patched in the last day or two. Hell, I run several layers of AV protection that checks for updates hourly, and twice I've gotten hit by viruses before the updated signatures were available.
    -

  27. How Come These Things Are Not REALLY Bad by theManInTheYellowHat · · Score: 5, Insightful

    OK this sasser worm can install itself, open a few ports, serve files as an FTP daemon, place itself where it pleases, and gobble up your network.

    Other viruses do all sorts of nasty things, but they all seem to stop short of REALLY bad things. Search for files they can delete, look for a network drive and have their way, find interesting files and mail to random people, rename this or that to render the machine useless.....

    To me this seems very strange. Is there some kind of virus writers' code that has some small bit of ethic? Is there some underground society that meets the 3rd Wednesday to discuss safe virus exploits? Does Microsoft create these things to get people to upgrade? Maybe McAfee and Norton are funding them and they just want a profitable year?

    Now I am not asking for this kind of damage, but as my boss points out he has no reason to switch to anything more secure because nothing really bad happens.

  28. Re:Windows only by commo1 · · Score: 5, Insightful

    I think you've missed the point.

    1: There ARE more web servers out there running Apache than anything else. So, why is it that there is an unbalanced proportion of these boxes remaining intact and with 99% (sic) uptime than the Windows boxes?

    2: Apache runs properly with fewer system resources, hardware and preventative maintenance than Windows. Set & forget, to a great extent.

    3: One of the main reasons that many corporate/commercial servers are still running IIS is because of the ease of use in integrating MS SQL and specific data export services from what the desktop is running: Windows. If from your average net admin's perspective, they could easily and definitively state to their bosses that they could run a given database server on Apache for X dollars instead of on MS for XXX dollars, they would do it. It is difficult for the admins on two fronts: a) persuading their employers that a free product could possibly outrun what the so called market leader has provided, and b) if something goes wrong, fewer heads will roll if they're using MS instead of a "free", "open-source" product that, in the eyes of their employers was a gamble to start with.

    This will all change VERY soon.

    It's all a mind game....

  29. And (wait for it)...patch breaks the computer! by stuntpope · · Score: 5, Funny

    I got a laugh when our security team sent out an update to their vulnerability notice for Sasser (doesn't affect my servers, hehe).

    "[We] have learned of issues loading the Windows 2000 patch in MS04-011 when complying with [vulnerability ID].... systems can stop responding, users cannot log on to Windows, or CPU usage for the system process approaches 100 percent after installation of the security update. Additionally, [we] have heard that some systems may require a complete rebuild once the patch causes system to crash."

    And the kicker, "Systems Administrators are advised to proceed with caution when patching Windows 2000 systems." Um, how exactly does one do that, with one hand on the power cord, or click the install button very slowly? Does applying the patch warn you "About to hose your system, proceed?"

  30. Two huge gaping problems by Aslan72 · · Score: 5, Informative
    Sasser.d attacked our University last night and we noticed two particular things.

    1) Several groups were relying on SUS in order to get those patches distributed. If you go into SUS, the patches were 'approved' on one screen, not on the other. I wasn't alone in seeing this. Suffice to say, I was also a bit shocked when it started to blow through and none of my machines were protected.

    2) When it installs (sasser.d) it writes itself to 'System Volume Information' - allowing it to not get caught by NAI's on demand scanner, and re-infect the box if you don't do a C drive scan manually.

    --pete