Sasser a warning of things to come

Just as they had with the Blaster worm in August and Mydoom in January, Microsoft customers found themselves digging out from the damage caused by another virus targeting Windows machines again in May.

The Sasser Internet worm first appeared April 30 and quickly began spreading worldwide by exploiting a recently disclosed security hole in machines running Windows 2000 and Windows XP. More than a million Windows machines may have been infected by the worm, but lessons learned from previous outbreaks may have spared many enterprises from Sasser's wrath.

Sasser infects machines by taking advantage of a buffer overflow in a Windows component called the Local Security Authority Subsystem Service, or LSASS. Microsoft released a software patch, MS04-011, to fix the LSASS hole and other vulnerabilities on April 13. Like its predecessor, Blaster, Sasser can infect Windows machines without requiring users to first open an e-mail message or visit a Web page.

Within hours of the first Sasser worm appearing, new variants surfaced on the Internet -- three in three days, dubbed Sasser.B, Sasser.C and Sasser.D. The effects of the worms were felt worldwide. In the United States, companies such as American Express said that their internal networks were disrupted by traffic from Sasser-infected machines. In the United Kingdom, the BBC reported that British Airways and 19 regional offices of the U.K. Maritime and Coastguard Agency all fell victim to Sasser.

Combined, the Sasser worms may have struck more than a million Windows computers, said Johannes Ullrich, chief technology officer at the SANS Institute's Internet Storm Center (ISC). ISC detected scanning from around 500,000 infected hosts on Saturday, May 1 and 700,000 on May 2, he said.

More than 1.5 million copies of a free Sasser disinfection tool were downloaded from Microsoft's Web site in the first 48 hours after it was posted on May 2, a company spokeswoman said.

Despite that, there were few reports of widespread Sasser outbreaks on corporate networks, said Vincent Gullotto, vice president of the Anti Virus Emergency Response Team (AVERT) at Network Associates.

Instead, individual computer users seemed to bear the brunt of the attack more than enterprises did, Gullotto said. NAI cleaned up Sasser infections for about 1 percent of its 4 million managed security services customers, most of whom are individual users, he said.

That was the case at Boston College where computers used by school administrators and faculty were mostly spared from Sasser, but more than 200 student machines got infected by the worm, according to David Escalante, director of computer policy and security at the college.

Policies enacted after an outbreak of the Mydoom virus at the college, including more active anti-virus scanning, patching, and incident response procedures, may have helped blunt the effects of Sasser, Escalante said.

Despite the disruptions, the Sasser worm was benign and spared the Internet community a major disaster, said Firas Raouf, chief operating officer at eEye Digital Security.

"If companies are waiting for a worm to come out to do something about remediating [a vulnerability], they're in trouble. We're going to get to a day where a highly malicious and destructive worm comes out, and its not going to be a good thing," Raouf said.