The first automated exploits targeting a critical Microsoft vulnerability announced last month have taken the form of a family of self-executing worms called W32.Sasser. As of Sunday evening Sasser-A, Sasser-B and Sasser-C were all gaining traction, poised to infect systems around the world when business resumes Monday morning. Sasser-B is currently rated as a level four worm by Symantec on a scale of one to five.
"Sasser-A has the potential to become very widespread in a short period of time," said Ken Dunham, director of malicious code at iDefense Inc. in Reston, Va.
Comparing Sasser's potential spread to the Blaster worm, some malicious code experts still see bright spots.
"Sasser has the potential to replay what we experienced with Blaster, but I'm encouraged that every one of these results in better defenses and more robustness in the infrastructures," said David Kennedy, a risk analyst at TruSecure in Herndon, Va. "I'm sure we'll see Sasser infections imported into perimeters, but I very much doubt it will cause the problems and distractions we saw with Blaster."
It was joined hours later on Saturday by Sasser-B and on Sunday by Sasser-C. The worms exploit the Local Security Authority Subsystem Service (lsass.exe) stack-based buffer-overflow vulnerability (discussed in MS04-011) in unpatched Windows XP and 2000 systems.
McAfee's AVERT in Beaverton, Ore., said that it received reports of the Sasser-A worm from several continents, but mostly from Europe. The company said Sasser spreads by scanning random IP addresses for exploitable systems.
Sasser scans for those IP addresses in three ways said Bruce Hughes, director of malicious code research at TruSecure in Herndon, Va. "Sasser-A and Sasser-B spawn 128 threads, Sasser-C 1,024. Some are directed at the local class A subnet, others the class B subnet and completely random subnets. The destination port is TCP 445. The worm will also act as an FTP server on TCP port 5554, and create a remote shell on TCP port 9996."
Experts recommend applying the patch immediately. If that isn't possible, UNIRAS, the British government's CERT, recommends blocking inbound connections to TCP ports 135-139, 445 and all ports greater than 1024. Updating antivirus signatures is also recommended.
UNIRAS is also warning that exploit code is available for the Private Communications Transport (PCT) protocol, which is part of the Microsoft Secure Sockets Layer (SSL) library. "There is some evidence that a worm exists in the wild exploiting this vulnerability," said its advisory. "Microsoft Security Bulletin MS04-11 advises that it is possible to disable PCT support through the registry. This mitigation could be applied if patching were not possible."