Topic: Sasser is fastest written Windows worm

[Clive]

11:09 05 May 04
NewScientist.com news service
 
The "Sasser" computer worm now plaguing computers around the world was based on a critical software flaw revealed by Microsoft just 17 days before the worm's release.

Microsoft revealed a total of 20 software bugs in a bulletin issued on 13 April and the first version of Sasser appeared on 30 April. Over the next few days this and three variants - tweaked to improve the speed of infection - succeeded in infecting many hundreds of thousands of computers worldwide.

Previously, the Blaster worm held the record for the fastest written Windows worm. It was unleashed on 11 August 2003, using a vulnerability revealed 25 days before it started to spread itself.

Yet, despite the shrinking gap between the disclosure of a bug and the appearance of a worm or virus, experts say trying keeping flaws secret would be more dangerous. A worm could cause far more damage if it were based on a vulnerability that was not widely known about, they say, as very few people would have a patch in place.

"There's a false notion that secrecy equals security," says computer security expert Bruce Schneier. "What you end up with is very fragile security - as soon as you lose your secrecy you're insecure."

Many computer worms, viruses and hacking tools exploit bugs that are openly disclosed by software companies.

Stuart Okin, chief security advisor for Microsoft UK, says flaws are often discovered by researchers outside of Microsoft. "We always work on the assumption that, if it is externally found, it will become public," he told New Scientist.

Microsoft says customers should apply software patches quickly and use firewall and anti-virus software to keep their systems secure.

But Schneier believes this may disguise the main issue. "I believe the real problem is that software quality sucks," he told New Scientist. Schneier suggests that software companies would improve the quality of their code if they were held legally liable for any damage resulting from bugs.

Okin points out that Microsoft that is working to improve the security of its code through a programme that began three years ago.
 
The main impact of Sasser and its variants is to cause infected machines to restart when a user attempts to access the internet. The worms infect computers across a network by exploiting a bug in a component of Microsoft's Windows XP and Windows 2000 operating systems.

An infected computer scans local network connections and randomly generated IP (internet protocol) addresses to find fresh systems to infect. Once a vulnerable computer is discovered, the worm breaks in and then installs an FTP (file transfer protocol) server. This allows it to transport a copy of itself to the new machine.

As Microsoft's products dominate the global market for computer operating systems, worms targeting Windows spread further and cause more damage.
 
 
http://www.newscientist.com/news/news.jsp?id=ns99994955

[Clive]

Sasser net worm set for long life
 
The Sasser Windows worm that struck earlier this week is on the wane.

Since its first appearance on 1 May the virus has disrupted work in many organisations and infected hundreds of thousands of Windows PCs.

But as firms patch vulnerable PCs and get back to working normally security experts warn that the worm will be around for a long time to come.

Some fear that future versions of the worm will be much harder to defend against.


Lingering threat

The Sasser worm appeared on 1 May and since then has infected perhaps a million Windows machines all around the world.

Hospitals, banks, airlines, government agencies and many home users have been infected by the worm which makes PCs unusable by making them crash repeatedly.

The virus can infect PCs running Windows 2000 and XP.

Microsoft reported that more than 1.5m people visited the web page detailing ways to get rid of Sasser and close the loophole that it exploits.

Although the worst of the Sasser outbreak is over, anti-virus experts say that it will never entirely disappear.

Richard Archdeacon, technical services director from security firm Symantec, said that many malicious programs follow a cyclical pattern of outbreak and clean-up for a long time after they first appear.

"That's the other argument for patching your machines," he said, "these viruses come back."

Gerhard Eschelbeck, chief technology officer at security firm Qualys, has studied the lifecycle of worms and viruses and found that many enjoy a long productive existence.

Future threats

Some viruses like Code Red (debut in 2001), SQL Slammer, (appeared in January 2003) and Nachi (from August 2003) are still out on the web finding and infecting fresh victims.

He said that although half of all machines vulnerable to a new loophole are patched within 30 days of an outbreak occurring, 50% of the rest take another 30 days and so on and so on.

The result is that there are always some machines on the net that are vulnerable to a particular virus.

The Sans Institute, which monitors net security problems, said that the Sasser worm was an "indicator exploit" used to expose those machines suffering a particular vulnerability.

The Institute thought it likely that future worms and viruses will try to capitalise on the large crop of at risk machines it exposed.

Jimmy Kuo, from security firm Network Associates, said Sasser could mutate and merge with the Netsky virus to become even more of a problem.

"My expectation is that Netsky and Sasser variants will merge and become what we can one 'abundant threat' that attacks through e-mail and software vulnerabilities," he said.

 
http://news.bbc.co.uk/1/hi/technology/3689561.stm