Security experts are continuing to issue warnings about the Sasser Internet worm as organizations struggled to clean up the
damage caused by infected hosts.
American Express Co. joined a number of U.S. universities in reporting infections from the Sasser worm on Monday and the SANS
Institute's Internet Storm Center (ISC) maintained a yellow warning Tuesday despite expectations earlier in the day that the
Sasser outbreak would wind down Monday, according to interviews.
Sasser exploits a recently disclosed hole in a component of Microsoft Corp.'s Windows operating system called the Local Security
Authority Subsystem Service, or LSASS. Microsoft released a software patch, MS04-011, on April 13.
The SANS Institute's Internet Storm Center said on Monday that it was maintaining its yellow alert, indicating a "significant
new threat" on the Internet due to "the continuing spread of Sasser and other malicious code targeting the MS04-011 vulnerabilities,"
according to the ISC.
Among other things, modifications in new Sasser variants Sasser.C and Sasser.D, which appeared on Monday, prompted the ISC
to maintain the yellow alert on Tuesday. Internet Storm Center chief technology officer Johannes Ullrich said he expected
Sasser to die down Monday, prompting a return to the "green" status by the end of the day.
American Express experienced Sasser infections on employee desktops beginning Sunday that disrupted the company's internal
networks, but did not have an impact on customer services according to Judy Tenzer, a company spokeswoman.
American Express refused to reveal how many computers were affected, or how the worm penetrated the company's network, but
the infections were limited to employee desktops and did not affect critical servers at the company, she said.
Reports surfaced Monday of unexplained computer problems at other companies, as well.
Delta Airlines Inc. experienced technical difficulties on Saturday that forced the cancellations of some flights. The computer
problems began at 2:50 P.M. local time on Saturday and were fixed by 9:30 Saturday evening, said Katie Connell, a Delta spokeswoman.
Connell would not common on the cause of the problems, or which systems were affected, citing a continuing investigation.
Delta does use Microsoft products and the Windows operating system, she said.
In Boston, colleges and universities felt the effects of the worm, according to David Escalante, director of computer policy
and security information technology at Boston College (BC), in Chestnut Hill, Massachusetts.
Around 200 machines on BC's campus network were infected with Sasser, most of them laptop and desktop computers owned by students,
he said.
BC blocked traffic on port 445, which is used by the Sasser worm to spread, before the outbreak. Information technology (IT)
staff are analyzing the infections, which may have come from students who brought infected laptops back onto campus from home,
Escalante said.
Staff are also struggling with complications caused by Sasser, which causes many Windows XP and Windows 2000 machines to crash
repeatedly, preventing students from logging onto the desktop and installing the appropriate software patch.
Making matters worse, BC students are approaching final exam period. The Sasser outbreak prompted a run on the student computer
center Saturday, with panicked students worried about the welfare of term projects and other materials on Sasser-infected
machines, he said.
Other schools also faced large-scale outbreaks, including more than 1,000 machines at Boston University, according to a source.
Among leading financial services companies, the impact of Sasser was generally light. Companies including Citibank Inc. and
Lehman Brothers Holdings Inc. had around a dozen Sasser infections, rather than hundreds or thousands of systems infections,
according to a source.
Microsoft's recent decision to move from weekly to monthly software patches has raised the stakes for companies that ignore
the security bulletins and updates, said Firas Raouf, chief operating officer of eEye Digital Security Inc., which discovered
the LSASS vulnerability.
"Now you have a handful of vulnerabilities that are addressed by a single patch, so if you don't deploy a patch, you're opened
four or five doors to your network," he said.
Large companies are often reluctant to press software patches into service out of fear they will break critical applications
used by employees or customers. However, waiting too long to apply a software patch exposes companies to infection by a worm
or virus that takes advantage of the software hole fixed by the patch, Raouf said.
The most important thing is for organizations to have a process in place to handle new vulnerabilities when they are revealed
so that they can act quickly to scan for vulnerable machines, test patches, deploy patches or apply workarounds as needed,
he said.
E-mail
Printer Friendly
Reprints
(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
