• silicon.com
• Technology
• Security

By silicon.com, 4 May 2004 09:40

NEWS Three new versions of the Sasser worm boosted the infectiousness of the original, spreading to about 500,000 computers by Monday, according to security researchers.

Like the original worm, the three new programs - Sasser.B, Sasser.C and Sasser.D - take advantage of a vulnerability in unpatched versions of Windows XP and Windows 2000 systems. The worms infect vulnerable systems by establishing a remote connection to the targeted computer, installing a File Transfer Protocol (FTP) server and then downloading themselves to the new host.

The original version of the Sasser worm spread slowly but on Saturday online vandals released Sasser.B, which infected computers much faster. By Monday, two new variants had appeared, and the worm had spread to hundreds of thousands of systems.

"The worm has improved significantly," said Alfred Huger, senior director of Symantec's security response center. Early Monday, Symantec had counted at least 10,000 confirmed infections, and acknowledged that hundreds of thousands of computers have likely been infected.

The University of Massachusetts at Amherst discovered just that, when students connected their already infected computers to the campus networks on Monday. The ensuing outbreak resulted in 1,100 computers compromised with Sasser, said Scott Conti, network operations manager for the university.

"All the machines that have gotten the virus haven't been patched," he said, adding that university security lists have been active, with other network administrators reporting the same. "I think everybody has got it pretty bad."

Delta Air Lines encountered problems in Atlanta with its computers for more than 6 hours, resulting in delays. However, the cause of the problems was still unknown, spokeswoman Catherine Stengel said.

"We won't know until at least tomorrow what caused the issues," she told silicon.com's sister site CNET News.com.

Airline Air Canada canceled flights in August due to its network being infected with a variant of the MSBlast worm. The MSBlast.B worm, also called Welchia and Nachi, spread so aggressively that it inundated many companies' networks with data. Air Canada said its network couldn't deal with the amount of traffic generated by MSBlast.B.

This time around, telecommunications provider SBC tried to minimise the problem for its internet customers. The company warned them by email this weekend about the worm and urged them to patch their systems.

"It is extremely important you [patch your systems] now, because it's likely you will not be able to take these measures, if your computer becomes infected," the company told customers.

The original worm did not spread very quickly on Friday and Saturday, according to security experts. Some Windows XP users asked for help on a support list when, as a side effect of infection, their computers displayed an error message and restarted.

"The number of home users seeking help on cleaning the Sasser worm in the MS Windows XP Technical Support newsgroup is far less than last year, when the MSBlast worm was released," said Yan Kei "Kenrick" Fu, a Hong Kong college student and a frequent adviser on Microsoft's support lists.

By Monday morning, Symantec was able to confirm - by scanning for open FTP servers on computers, from which the company's sensor detected potential attacks - that 10,000 computers had been infected by the Sasser worm.

The Sasser variants can spread rapidly from an infected computer to one that is vulnerable without any user interaction. The worm spreads by scanning different ranges of internet addresses using a specific application data channel, or port, numbered 445.

Microsoft has analysed the worm and believes that it also spreads through port 139. Both are data channels used by the Windows file-sharing protocol and, in many cases, are blocked by internet service providers. Once a vulnerable system is found, Sasser installs FTP server software and then transfers itself to the new host.

Symantec's Huger said the amount of data that addresses port 445 makes it difficult to differentiate worm traffic from other, legitimate traffic. Moreover, recent modifications to attack bot software cause other malicious programs to use the same port.

Robert Lemos and Dawn Kawamoto write for CNET News.com