Sasser spawns children, headaches

At least two new versions of a malicious computer worm that appeared late Friday were circulating on the Internet Monday, according to computer security experts and antivirus software companies.

New variations of the Sasser Internet worm, named Sasser.B and Sasser.C were identified by antivirus companies, just days after the first version of the new worm appeared. Despite the new versions, antivirus experts said that Sasser outbreak has likely peaked, and expected the rate of new infections to slow on Monday.

Sasser exploits a recently disclosed hole in a component of Microsoft Corp.'s Windows operating system called the Local Security Authority Subsystem Service, or LSASS. Microsoft released a software patch, MS04-011, on April 13.

Sasser is similar to an earlier worm, Blaster, because users do not need to receive an e-mail message or open a file to be infected. Instead, just having a vulnerable Windows machine connected to the Internet with communications port number 445 is enough to catch Sasser.

After appearing Friday, the worm spread quickly around the world, and may have infected a few hundred thousand machines, said Johannes Ullrich, chief technology officer at the SANS Institute's Internet Storm Center, which monitors malicious activity on the Internet.

Given the large number of vulnerable computers that have been infected by Sasser, a Windows machine connected to the Internet could be infected in as little as two minutes, said Graham Cluley, senior technology consultant at antivirus company Sophos PLC.

Early versions of the worm spread slowly, however, especially compared to the rapid proliferation of Blaster, which appeared in August 2003 and peaked just hours after its release, Cluley and Ullrich said.

By comparison, Sasser.A contained features that prevented it from rapidly scanning the Internet for other vulnerable hosts and at first appeared to be a low level threat. However, new versions of the worm that appeared over the weekend, especially Sasser.C, improved on failures in Sasser.A, allowing infected machines to scan for many more infected hosts, Ullrich said.

Sasser's spread was also slowed because it relied on port 445, which has long been a target of malicious threats, such as Agobot, a prolific Trojan program. As a result, many companies blocked access to port 445 long before Sasser appeared, Joe Stewart, senior security researcher at LURHQ, a managed security services provider in Myrtle Beach, South Carolina.

Many of the infected machines are probably home computers connected to the Internet with broadband connections and already infected with other viruses, including a malicious program called "Phatbot" that has been modified to take advantage of the LSASS vulnerability, also, Ullrich said.

However, more Sasser versions appear to be on the way that could use different communications ports to spread, Ullrich said.

On Monday, Sophos identified yet another variant, Sasser.D, Cluley said.

The Internet Storm Center set its Internet alert or "Infocon" level to "yellow" over the weekend, indicating a "significant new threat." The alert level was expected to stay at "yellow" Monday, when more infections were likely as workers returned to their office, possibly with laptop computers infected through home Internet connections, Ullrich said.

However, he expects the alert level to return to green by the end of the day, as users repair infected systems, he said.

Like other viruses, including Blaster, Sasser will linger on the Internet for a long time, Cluley said.

"We're still finding people who are infected with Blaster. Many people won't even know they're infected with Sasser for months, and those infected machines will continue to try to infect other (machines) in the weeks and months ahead," he said.