According to global reports, the incredibly fast spreading Sasser worm has infected hundreds of thousands of computers and may still be rising sharply. The situation is bound to grow as many companies and workers return to the job from over the weekend. The Search Engine Journal is issuing this alert to its readers who use the Microsoft Windows operating system.
The Sasser worm targets a security hole in Microsoft Windows and spreads by scanning for random IP addresses and exploiting a buffer overrun vulnerability recently reported by Microsoft for the Windows operating system. Anyone connected to the Internet, including corporate networks and broadband subscribers, may be at risk from this family of worms. While Sasser is not the first worm to take advantage of the Microsoft vulnerability, it uses a method of propagation to spread broadly and at an exponential rate.
Sasser, known as WORM_SASSER, exploits the Windows “Local Security Authority Subsystem Service” (LSASS) vulnerability, a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system. To propagate, “SASSER” variants scan random IP addresses for vulnerable systems. When a vulnerable system is found, the malware sends a specially crafted packet that produces a buffer overrun in LSASS.EXE; the process crashes, which in effect brings down the infected system and forces Windows to reboot.
By using IP addresses, WORM_SASSER scans the global Internet for vulnerable systems and can search for vulnerable systems within entire network segments. Infections grow exponentially — each infected system can potentially be used to search for other vulnerable systems.
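The propagation pattern described above (one host fanning out connection attempts to many random destination addresses on the same port within seconds) is visible in ordinary firewall or connection logs. The following is an added detection example, not code from the article or from any vendor it quotes: it assumes a simple, constructed log format of "timestamp source destination port action" and flags any source that reaches an unusually large number of distinct destinations on one port inside a short sliding window. The sample lines, the port number and the thresholds are all constructed for illustration.

```python
"""Flag hosts whose outbound connection pattern looks like worm-style random-IP scanning.

Added example, not from the article.  Assumes a constructed log format:
"<epoch_seconds> <src_ip> <dst_ip> <dst_port> <action>".
"""
from collections import defaultdict

# Constructed sample log lines (not real traffic).  Host 10.0.0.5 fans out to ten
# distinct destination addresses on one port within a few seconds, the propagation
# pattern the article describes; 10.0.0.7 is ordinary low-volume traffic.
SAMPLE_LOG = """\
1083600000 10.0.0.5 192.0.2.17 445 DENY
1083600000 10.0.0.5 198.51.100.3 445 DENY
1083600001 10.0.0.5 203.0.113.44 445 DENY
1083600001 10.0.0.5 192.0.2.201 445 DENY
1083600002 10.0.0.5 198.51.100.77 445 DENY
1083600002 10.0.0.5 203.0.113.9 445 ALLOW
1083600003 10.0.0.5 192.0.2.88 445 DENY
1083600003 10.0.0.5 198.51.100.150 445 DENY
1083600004 10.0.0.5 203.0.113.120 445 DENY
1083600004 10.0.0.5 192.0.2.5 445 DENY
1083600000 10.0.0.7 192.0.2.17 80 ALLOW
1083600030 10.0.0.7 192.0.2.17 443 ALLOW
1083600060 10.0.0.7 198.51.100.3 80 ALLOW
"""


def parse_log(text):
    """Parse the constructed log format into (ts, src, dst, port) tuples.

    Blank or malformed lines are skipped rather than aborting the whole run,
    since real firewall exports routinely contain a few of them.
    """
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, _action = parts
        try:
            events.append((int(ts), src, dst, int(port)))
        except ValueError:
            continue
    return events


def find_scanners(events, window_seconds=10, min_distinct_dsts=8):
    """Return {src_ip: (port, distinct_dst_count)} for every source that contacts
    at least min_distinct_dsts distinct destination IPs on the same port inside
    some window of window_seconds.  Thresholds are tuning parameters (assumed
    values); set them above what legitimate hosts on the segment normally do.
    """
    by_src_port = defaultdict(list)
    for ts, src, dst, port in events:
        by_src_port[(src, port)].append((ts, dst))

    hits = {}
    for (src, port), seq in by_src_port.items():
        seq.sort()  # order by timestamp so the sliding window is well defined
        best = 0
        start = 0
        for end in range(len(seq)):
            # Slide the window start forward until it fits inside window_seconds.
            while seq[end][0] - seq[start][0] > window_seconds:
                start += 1
            distinct = len({dst for _, dst in seq[start:end + 1]})
            best = max(best, distinct)
        if best >= min_distinct_dsts:
            prev = hits.get(src)
            if prev is None or best > prev[1]:
                hits[src] = (port, best)
    return hits


if __name__ == "__main__":
    for src, (port, count) in find_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"possible worm scanning: {src} reached {count} hosts on port {port}")
```

Counting distinct destinations per source and port, rather than raw connection counts, is what separates this pattern from a busy but legitimate client that talks repeatedly to the same few servers; a flagged host is a candidate for isolation from the network segment and patching before it can find further vulnerable systems.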
Microsoft has issued a security patch, available via Microsoft’s website; Windows XP users can also download it directly (the direct download is for Windows XP only).
Luis Corrons, head of PandaLabs Security warns of the Sasser Worm, “Bear in mind that some 300 million computers worldwide are vulnerable to attack by the Sasser worm, which gives an idea of the potential scale of the threat. New variants are also likely to emerge and for this reason, even though we launched a pre-alert at the weekend, we have now declared a red alert.”
According to a Reuters report:
The spread of the virus had been muted so far, Hypponen said, as it emerged on a weekend, and holidays closed offices in places like the United Kingdom and Japan on Monday. But the spread was expected to worsen as the working week hits its stride.
In Australia, Westpac Bank said it was hit by the worm, and branches had to use pen and paper to allow them to keep trading, The Australian newspaper (http://www.theaustralian.news.com) reported.
The Sasser worms are particularly dangerous for corporate environments as they can spread across networks in a matter of seconds. Both the French Stock Exchange and the France Presse news agency have fallen victim to this new malicious code and their communications were affected on Saturday.
The situation appears to be even more serious as the creators of the worm are coordinating the continuous launch of new variants in order to increase the probability of infection.
Security firms have now also detected Sasser.D as well as Sasser.C, which can launch up to 1024 processes in memory, making it potentially far more virulent than its predecessors.
The appearance of the new Sasser worms is seemingly directly linked to the wave of viruses blighting the Internet over the last few months. PandaLabs has also detected the new Netsky.AC worm, which like its predecessors contains a message hidden inside its code. On this occasion however, there are no insulting messages to the authors of other worms such as Bagle or Mydoom, but instead a message directed at antivirus vendors.