Joeychgo
May 4th, 2004, 12:50 AM
'Sasser' Worm Crashes PCs
By Brian Krebs
Special to The Washington Post
Tuesday, May 4, 2004; Page E01
A new Internet worm that infected hundreds of thousands of computers over the weekend picked up speed as people returned to work on Monday and turned on their infected PCs, security experts said.
The worm dubbed "Sasser" began spreading early Saturday morning, infecting or crashing computers that run on the Windows 2000 and XP operating systems. The worm attacks systems that were not updated with software fixes Microsoft released less than three weeks ago to address security holes in Windows.
PCs infected with Sasser will either crash and restart repeatedly or start scanning the Web for other vulnerable computers to infect. The worm can infect unprotected Windows XP computers less than 10 minutes after they are connected to the Internet, said Mikko Hypponen, director of antivirus research at F-Secure Corp. in Finland.
Hypponen said most of the infected computers appear to be in Europe and Asia, where the workweek began earlier than in the United States. He estimated that "hundreds of thousands" of computers are infected worldwide. Atlanta-based Internet Security Systems estimated that the worm has infected between 500,000 and 1 million computers so far.
Unlike e-mail worms that are launched only when the recipient opens an e-mail attachment containing a virus, Sasser spreads to vulnerable computers without any action by the victim. Sasser wriggles into computers through a software hole in the Windows security program that decides who can gain access to a computer.
Network worms are an annoyance for home users, but they do their biggest damage inside corporate networks. Once activated, Sasser generates so much Internet traffic that it can overwhelm corporate networks with a flood of data as it tries to spread.
Antivirus companies initially considered Sasser a low threat because it was spreading slowly. But by Saturday evening, experts had identified a third version of Sasser capable of spreading 10 times faster than the original, said Joe Stewart, a senior security researcher for LURHQ, a security services company based in Chicago.
"It looks like the worm's author decided it wasn't spreading fast enough, tweaked it a little and re-released it," Stewart said.
Stewart said certain portions of Sasser's internal code closely resemble sections of the latest NetSky worm, a prolific family of viruses that spawned no fewer than 26 variants in the past two months. A message in the most recent NetSky worm reads: "Hey, av firms, do you know that we have programmed the sasser virus?!?."
Several large corporations around the world reported problems resulting from the worm. The worm infected at least 400 computers and laptops in Montgomery County government offices. Michael Knuppel, the county's chief technology officer, said workers were in the final stages of patching the desktop PCs when the worm struck. The infections did not interfere with the availability of any county services, he said.
Many organizations rely on firewalls to keep hackers and Internet viruses at bay, but such measures are less effective when someone plugs an infected computer into a network.
"We're pretty confident the worm came in from a laptop that someone had from home and brought into the office," Knuppel said.
Brian Krebs is a staff writer for washingtonpost.com.
© 2004 The Washington Post Company
By Brian Krebs
Special to The Washington Post
Tuesday, May 4, 2004; Page E01
A new Internet worm that infected hundreds of thousands of computers over the weekend picked up speed as people returned to work on Monday and turned on their infected PCs, security experts said.
The worm dubbed "Sasser" began spreading early Saturday morning, infecting or crashing computers that run on the Windows 2000 and XP operating systems. The worm attacks systems that were not updated with software fixes Microsoft released less than three weeks ago to address security holes in Windows.
PCs infected with Sasser will either crash and restart repeatedly or start scanning the Web for other vulnerable computers to infect. The worm can infect unprotected Windows XP computers less than 10 minutes after they are connected to the Internet, said Mikko Hypponen, director of antivirus research at F-Secure Corp. in Finland.
Hypponen said most of the infected computers appear to be in Europe and Asia, where the workweek began earlier than in the United States. He estimated that "hundreds of thousands" of computers are infected worldwide. Atlanta-based Internet Security Systems estimated that the worm has infected between 500,000 and 1 million computers so far.
Unlike e-mail worms that are launched only when the recipient opens an e-mail attachment containing a virus, Sasser spreads to vulnerable computers without any action by the victim. Sasser wriggles into computers through a software hole in the Windows security program that decides who can gain access to a computer.
Network worms are an annoyance for home users, but they do their biggest damage inside corporate networks. Once activated, Sasser generates so much Internet traffic that it can overwhelm corporate networks with a flood of data as it tries to spread.
Antivirus companies initially considered Sasser a low threat because it was spreading slowly. But by Saturday evening, experts had identified a third version of Sasser capable of spreading 10 times faster than the original, said Joe Stewart, a senior security researcher for LURHQ, a security services company based in Chicago.
"It looks like the worm's author decided it wasn't spreading fast enough, tweaked it a little and re-released it," Stewart said.
Stewart said certain portions of Sasser's internal code closely resemble sections of the latest NetSky worm, a prolific family of viruses that spawned no fewer than 26 variants in the past two months. A message in the most recent NetSky worm reads: "Hey, av firms, do you know that we have programmed the sasser virus?!?."
Several large corporations around the world reported problems resulting from the worm. The worm infected at least 400 computers and laptops in Montgomery County government offices. Michael Knuppel, the county's chief technology officer, said workers were in the final stages of patching the desktop PCs when the worm struck. The infections did not interfere with the availability of any county services, he said.
Many organizations rely on firewalls to keep hackers and Internet viruses at bay, but such measures are less effective when someone plugs an infected computer into a network.
"We're pretty confident the worm came in from a laptop that someone had from home and brought into the office," Knuppel said.
Brian Krebs is a staff writer for washingtonpost.com.
© 2004 The Washington Post Company