Slashdot Mirror


A Worm's Worm

Carnildo writes "There's a new worm out, according to the Register, but one with a twist. This one, called 'Dabber', infects computers by exploiting a security hole in the Sasser worm."

6 of 345 comments

  1. Re:Is not the first time it happens by grunthos · · Score: 5, Informative
    No, they both exploited the same holes in IIS.

    Perhaps you are thinking of Welchia which exploited IIS but also removed Blaster.

    --

    My son's 5th grade teacher actually assigned them "write a limerick about a planet". I'm not kidding.
  2. This is doubly ironic! by Cyno01 · · Score: 4, Informative
    --
    "Sic Semper Tyrannosaurus Rex."
  3. Exploit available on packetstorm by Anonymous Coward · · Score: 5, Informative

    The mentioned code, which is used in Dabber, can be found at http://packetstormsecurity.nl/0405-exploits/sasser ftpd.c

  4. Re:It's ok... SP1 is coming soon by int2str · · Score: 4, Informative

    Nope, the Sasser author is going to jail (http://www.heise.de/newsticker/meldung/47205 - sorry, in German).
    SP1 will be a while ;)

  5. Add it to nmap! by JThundley · · Score: 5, Informative

    Add the sasser FTP server to your nmap-services file. I run Gentoo, mine's in /usr/share/nmap.

    Add this line:
    sasser 5554/tcp # Sasser worm FTP server

    This way when you do a port scan of a host, you can tell if they've been infected with sasser :)
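
An added example (not part of the comment above, and not nmap's own code): it reads nmap's grepable output (`-oG`) and lists hosts with TCP port 5554 open, matching on the port number so it works whether or not the scanning machine has the `sasser` line in nmap-services. The sample scan output and the addresses are constructed; an open 5554/tcp is a reason to inspect the host, since the port alone does not identify what is listening.

```python
SASSER_FTP_PORT = 5554  # port number taken from the comment above

# Constructed sample of `nmap -oG -` output (documentation addresses).
SAMPLE = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 (ws-10.example)\tStatus: Up
Host: 192.0.2.10 (ws-10.example)\tPorts: 135/open/tcp//msrpc///, 5554/open/tcp//sasser///\tIgnored State: closed (998)
Host: 192.0.2.11 ()\tPorts: 80/open/tcp//http///, 5554/closed/tcp//sasser///
Host: 192.0.2.12 ()\tPorts: 5554/filtered/tcp//sasser///, 22/open/tcp//ssh///
Host: 192.0.2.13 ()\tPorts: 5554/open/udp/////, 15554/open/tcp/////
Host: 192.0.2.14 ()\tPorts: 5554/open/tcp/////
"""


def parse_ports(field):
    """Yield (port, state, proto, service) from a grepable 'Ports:' value.

    Each entry has the form port/state/protocol/owner/service/rpc/version/.
    """
    for entry in field.split(","):
        parts = entry.strip().split("/")
        if len(parts) >= 5 and parts[0].isdigit():
            yield int(parts[0]), parts[1], parts[2], parts[4]


def hosts_with_open_port(grepable, port=SASSER_FTP_PORT, proto="tcp"):
    """Return addresses (in scan order) where port/proto is in state 'open'."""
    hits = []
    for line in grepable.splitlines():
        if not line.startswith("Host: "):
            continue  # skips nmap's '#' comment lines
        fields = line.split("\t")
        addr = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for p, state, pr, _service in parse_ports(field[len("Ports: "):]):
                # Exact port and protocol match: 15554/tcp and 5554/udp do not count.
                if p == port and pr == proto and state == "open" and addr not in hits:
                    hits.append(addr)
    return hits


if __name__ == "__main__":
    for host in hosts_with_open_port(SAMPLE):
        print(f"{host}: {SASSER_FTP_PORT}/tcp open, check this host")
```
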

  6. Re:Ugh... by httptech · · Score: 4, Informative

    This is already happening. Agobot is a GPLed malware project. Although it's not quite a worm, it can spread unattended once given the command to do so. Plenty of people are contributing to it (although some of them have been arrested in the past few days) and the feature list is quickly growing.