Latest news
Description: W32.Sasser.B.Worm is a variant of W32.Sasser.Worm, a network-aware worm that exploits the Microsoft LSASS vulnerability (MS04-011). It spreads by scanning randomly chosen IP addresses for Microsoft systems that have not been patched. MS04-011 was announced on April 13, 2004.
Characteristics: Blended threat exploiting a Microsoft vulnerability
New information
- Indications are that the author may be the same person who wrote the Netsky virus.
- Consumers and enterprises are vulnerable.
- An email is circulating that claims to tell recipients how to fix the Sasser virus; it is a hoax, and the message itself carries the Sasser virus. This could exacerbate the problem.
- There are already B, C and D variants of the original Sasser worm, which means the worm is being improved significantly.
- Symantec had counted at least 10,000 confirmed infections, and acknowledged that hundreds of thousands of computers have likely been infected.
Symantec advises:
Symantec recommends that users update their virus definitions to protect against W32.Sasser.Worm and its variants. Symantec Security Response has developed removal tools to clean infections of W32.Sasser.Worm and W32.Sasser.B.Worm. Additionally, Symantec recommends blocking TCP ports 5554, 9996 and 445 at the perimeter firewall and installing the appropriate Microsoft patch (MS04-011) to prevent remote exploitation of the vulnerability.
Background about the Sasser.B worm
W32.Sasser.B.Worm attempts to exploit the LSASS vulnerability found in computers running Windows 2000 and XP, and it has been impacting systems worldwide. Rated by Symantec as a Level 4 threat, it spreads by scanning randomly chosen IP addresses for Microsoft systems that have not been patched. Currently Symantec Security Response is seeing approximately 150 submissions per hour.
"Over the last several weeks Symantec Security Response has monitored a shift in malicious threat propagation," said Alfred Huger, senior director, Symantec Security Response. "During the first several months of the year, most of the threats we tracked spread through e-mail. However, now we are tracking more threats that are exploiting vulnerabilities to spread. Users need to be diligent in patching systems, updating virus definitions and implementing best practice solutions."
The Microsoft Windows LSASS Buffer Overrun Vulnerability was originally announced on April 13, 2004 in Microsoft Security Bulletin MS04-011. A buffer overflow vulnerability exists in the LSASS service that could allow remote code execution on an affected system. LSASS provides an interface for managing local security, domain authentication, and Active Directory processes. If a system were compromised, an attacker could gain complete control of the machine and perform actions on it similar to those of a user or administrator, such as erasing files or stealing information. Exploitation may occur over TCP ports 135, 139, 445, 593 and ports greater than 1024, as well as UDP ports 135, 137, 138 and 445. More information about the LSASS vulnerability can be found at this page.
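The advice above is to block TCP 5554, 9996 and 445 at the perimeter and patch. A perimeter firewall that drops those ports also logs the attempts, and the worm's random-address scanning shows up in those logs as one internal source fanning out to many distinct addresses on TCP 445. The following detector is an added example, not code from Symantec, Help Net Security or the advisory: it parses constructed firewall log lines (the line format, the 20-destination fan-out threshold and the 60-second window are assumptions made for this example), flags any connection to the two Sasser-associated ports Symantec names, and flags sources whose 445 traffic looks like a sweep rather than normal file-sharing.

```python
"""
Detect Sasser-style scanning in perimeter firewall logs (example code).

Two signals, both taken from the advisory's recommendation:
  * any TCP connection attempt to port 5554 or 9996,
  * one source reaching many distinct destinations on TCP 445
    within a short window (random-address scanning).
"""
from collections import Counter, defaultdict, deque
from datetime import datetime

# Ports Symantec recommends blocking at the perimeter (from the advisory).
SASSER_PORTS = {5554, 9996}
LSASS_PORT = 445

# Tuning values are assumptions for this example, not from the advisory.
FANOUT_THRESHOLD = 20   # distinct port-445 destinations from one source
WINDOW_SECONDS = 60     # ...within this many seconds


def parse_line(line):
    """Parse one constructed log line of the (assumed) form
    'YYYY-MM-DD HH:MM:SS ACTION proto=tcp src=A:P dst=B:P'."""
    fields = line.split()
    ts = datetime.strptime(fields[0] + " " + fields[1], "%Y-%m-%d %H:%M:%S")
    kv = dict(f.split("=", 1) for f in fields[3:])
    src_ip, _ = kv["src"].rsplit(":", 1)
    dst_ip, dst_port = kv["dst"].rsplit(":", 1)
    return {"ts": ts, "action": fields[2], "proto": kv["proto"],
            "src": src_ip, "dst": dst_ip, "dport": int(dst_port)}


def fans_out(events):
    """True if any WINDOW_SECONDS slice of (timestamp, dst) events
    contains at least FANOUT_THRESHOLD distinct destinations."""
    events = sorted(events)
    window = deque()
    distinct = Counter()
    for ts, dst in events:
        window.append((ts, dst))
        distinct[dst] += 1
        # Slide the window: drop events older than WINDOW_SECONDS.
        while (ts - window[0][0]).total_seconds() > WINDOW_SECONDS:
            old_ts, old_dst = window.popleft()
            distinct[old_dst] -= 1
            if distinct[old_dst] == 0:
                del distinct[old_dst]
        if len(distinct) >= FANOUT_THRESHOLD:
            return True
    return False


def analyze(lines):
    """Return connection attempts to Sasser-associated ports and the
    list of sources whose port-445 traffic looks like a scan."""
    port_hits = []
    per_source = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev["proto"] != "tcp":
            continue
        if ev["dport"] in SASSER_PORTS:
            port_hits.append((ev["src"], ev["dst"], ev["dport"]))
        elif ev["dport"] == LSASS_PORT:
            per_source[ev["src"]].append((ev["ts"], ev["dst"]))
    scanners = sorted(src for src, evs in per_source.items() if fans_out(evs))
    return {"sasser_port_hits": port_hits, "scanners": scanners}


def sample_log():
    """Constructed sample log lines for demonstration (not real traffic)."""
    lines = []
    # Benign: a workstation talking to three internal file servers on 445.
    for i, dst in enumerate(["10.0.1.5", "10.0.1.6", "10.0.1.7"]):
        lines.append(f"2004-05-03 09:00:{i:02d} ALLOW proto=tcp "
                     f"src=10.0.0.12:1100 dst={dst}:445")
    # Suspicious: one host sweeping 25 distinct addresses on 445 in 25 s.
    for i in range(25):
        lines.append(f"2004-05-03 09:01:{i:02d} DROP proto=tcp "
                     f"src=10.0.0.7:{2000 + i} dst=192.0.2.{i + 1}:445")
    # The same host then tries one of the ports the advisory says to block.
    lines.append("2004-05-03 09:02:10 DROP proto=tcp "
                 "src=10.0.0.7:2100 dst=192.0.2.44:5554")
    return lines


if __name__ == "__main__":
    result = analyze(sample_log())
    for src, dst, port in result["sasser_port_hits"]:
        print(f"blocked-port attempt: {src} -> {dst}:{port}")
    for src in result["scanners"]:
        print(f"port-445 sweep from {src}: isolate and check for MS04-011")
```

Run against the constructed log, the detector reports the workstation that talks to three file servers as clean and the sweeping host as both a 445 scanner and the source of the 5554 attempt, which is the host a responder would isolate and patch first.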