Sasser (computer worm)

Sasser is a computer worm that affects computers running vulnerable versions of the Microsoft operating systems Windows XP and Windows 2000. Sasser spreads by exploiting the system through a vulnerable network port (as do certain other worms). Thus it is particularly virulent in that it can spread without user intervention, but it is also easily stopped by a properly configured firewall or by downloading system updates from Windows Update. The specific hole Sasser exploits is documented by Microsoft in its [http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx MS04-011] bulletin, for which a patch had been released seventeen days earlier.

History and effects

Sasser was first noticed and started spreading on April 30, 2004. This worm was named Sasser because it spreads by exploiting a buffer overflow in the component known as LSASS (Local Security Authority Subsystem Service) on the affected operating systems. The worm scans different ranges of IP addresses and connects to victims' computers primarily through TCP port 445. Microsoft's analysis of the worm indicates that it may also spread through port 139. Several variants called "Sasser.B", "Sasser.C", and "Sasser.D" appeared within days (with the original named Sasser.A). The LSASS vulnerability was patched by Microsoft in the April 2004 installment of its monthly security packages, prior to the release of the worm. Some technology specialists have speculated that the worm writers reverse-engineered the patch to discover the vulnerability, which would open millions of computers whose operating system had not been upgraded with the security update.
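The scanning behaviour described above leaves a recognisable pattern in network flow logs: one internal source contacting many distinct addresses on TCP 445 or 139 in a short time. The following is an added example, not part of the original article; the CSV log layout, the 60-second window and the threshold of 5 destinations are assumptions chosen for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {445, 139}          # TCP ports the article names for Sasser's spread
WINDOW = timedelta(seconds=60)  # assumed sliding-window length
THRESHOLD = 5                   # assumed: distinct destinations per window

# Constructed sample flow records: time, source, destination, dest port, protocol
SAMPLE_LOG = """\
2004-05-01T10:00:01,10.0.0.23,10.0.1.1,445,tcp
2004-05-01T10:00:02,10.0.0.23,10.0.1.2,445,tcp
2004-05-01T10:00:03,10.0.0.23,10.0.1.3,445,tcp
2004-05-01T10:00:04,10.0.0.23,10.0.1.4,139,tcp
2004-05-01T10:00:05,10.0.0.23,10.0.1.5,445,tcp
2004-05-01T10:00:07,10.0.0.23,192.0.2.10,80,tcp
2004-05-01T10:00:10,10.0.0.50,10.0.0.5,445,tcp
2004-05-01T10:00:20,10.0.0.50,10.0.0.5,445,tcp
2004-05-01T10:00:00,10.0.0.77,10.0.2.1,445,tcp
2004-05-01T10:05:00,10.0.0.77,10.0.2.2,445,tcp
2004-05-01T10:10:00,10.0.0.77,10.0.2.3,445,tcp
2004-05-01T10:15:00,10.0.0.77,10.0.2.4,445,tcp
2004-05-01T10:20:00,10.0.0.77,10.0.2.5,445,tcp
"""

def find_scanners(log_text, window=WINDOW, threshold=THRESHOLD):
    """Map each flagged source to its peak count of distinct SMB destinations per window."""
    events = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed records
        ts, src, dst, dport, proto = row
        if proto == "tcp" and int(dport) in SMB_PORTS:
            events[src].append((datetime.fromisoformat(ts), dst))
    flagged = {}
    for src, hits in events.items():
        hits.sort()  # chronological order for the sliding window
        start = peak = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peak = max(peak, len({dst for _, dst in hits[start:end + 1]}))
        if peak >= threshold:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
```

A client that repeatedly talks to one file server (10.0.0.50 in the sample) is not flagged, because the count is of distinct destinations rather than connections.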

The effects of Sasser include the news agency Agence France-Presse (AFP) having all its satellite communications blocked for hours and the U.S. flight company Delta Air Lines having to cancel several transatlantic flights because its computer systems had been swamped by the worm. The Nordic insurance company "If" and their Finnish owners "Sampo Bank" came to a complete halt and had to close their 130 offices in Finland. The British Coastguard had its electronic mapping service disabled for a few hours, and Goldman Sachs, Deutsche Post, and the European Commission also all had issues with the worm. The X-ray department at Lund University Hospital had all their four layer X-ray machines disabled for several hours and had to redirect emergency X-ray patients to a nearby hospital.

Author

Sasser was at first believed to have been authored in Russia by the same person(s) who created another worm usually referred to as Lovsan, MSBlast or Blaster (due to the media), a connection indicated by code similarities between the two. However, on May 7, 2004, 18-year-old German computer science student Sven Jaschan from Rotenburg, Lower Saxony, was arrested for writing the worm. He immediately confessed to having written it when he was 17 years old. He further revealed that not only Sasser, but also Netsky.AC, a variant of the Netsky worm, was his creation. Another variation of Sasser, Sasser.E, was found to be circulating shortly after the arrest. It was the only variation that attempted to remove other worms from the infected computer, much in the way Netsky does.

Jaschan was tried as a minor because the German courts determined that he created the worm before he was 18. (The worm was released on his 18th birthday, April 29, 2004.) Sven Jaschan was found guilty of computer sabotage and illegally altering data. On Friday, July 8, 2005, he received a 21-month suspended sentence.

Side effects

An indication of the worm's infection of a given PC is the existence of the file C:\WIN.LOG or C:\WIN2.LOG on the PC's hard disk, as well as seemingly random crashes of LSASS.EXE caused by faulty code used in the worm. The most common characteristic of the worm is the shutdown timer that appears due to the worm crashing LSASS.EXE.

Mitigation

The shutdown sequence can be aborted by pressing start and using the Run command to enter shutdown -a. This aborts the system shutdown so the user may continue what he or she was doing. The shutdown.exe file is not available by default within Windows 2000, but can be installed from the Windows 2000 resource kit. (It is available in XP.) A second option to stop the worm from shutting down a computer is to change the time and/or date on its clock to earlier; the shutdown time will move as far into the future as the clock was set back.

See also

* Timeline of notable computer viruses and worms
* Netsky

External links

* [http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx Microsoft Security Bulletin: MS04-011]
* [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0533 CVE: CAN-2003-0533]
* [http://www.securityfocus.com/bid/10108 Bugtraq ID 10108]
* [http://www.microsoft.com/security/incident/sasser.mspx Read here how you can protect your PC (Microsoft Security page)] - Includes links to the info pages of major anti-virus companies.
* [http://slashdot.org/article.pl?sid=04/05/01/1618224 New Windows Worm on the Loose (Slashdot article)]
* [http://news.bbc.co.uk/1/hi/technology/3682537.stm Report on the effects of the worm from the BBC]
* [http://news.bbc.co.uk/2/hi/technology/4649361.stm German admits creating Sasser (BBC News)]
* [http://news.bbc.co.uk/2/hi/technology/4659329.stm Sasser creator avoids jail term (BBC News)]


Wikimedia Foundation. 2010.
