Madrid, May 06 2004 - While the Sasser worms continue looking for new
victims to infect, the hunt for their creators has started. By applying
proprietary forensic IT techniques to the code of these worms, PandaLabs
will look for clues that could lead to the arrest of their authors.
"Letting viruses loose is a crime that should be investigated. The authors
of Sasser must also be treated as particularly dangerous criminals, as
evidence suggests that they also created the Netsky worms, and who knows how
many other viruses," says Luis Corrons, head of PandaLabs.
The clues to the authors of computer viruses are hidden in the source code,
lines of special characters that to the untrained eye don't make any sense,
but that can disclose a lot of information to the experts at PandaLabs.
"Virus authors usually have delusions of grandeur and therefore don't miss
any opportunity to leave their mark in the viruses they create. However,
this is often their undoing: it can be a date, the name of a city, a
reference to a friend or girlfriend, etc., the slightest clue could be the
key to detaining the author of the virus," explains Corrons.
However, until these delinquents are caught, users should continue to keep
their guard up against the highly probable appearance of new viruses.
Considering how the previous attacks were carried out, it is likely that the
authors of the Sasser and Netsky worms are putting the final touches to an
extremely dangerous malicious code that, as they have done up until now,
they will unleash at the weekend.
More companies and institutions are reporting that they have felt the
effects of Sasser in one way or another. These include Heathrow airport in
London, where one of the terminals was brought to a standstill, some
governmental departments in Hong Kong, as well as the Suntrust Bank and
American Express in the USA.
To mitigate the effects of the Sasser epidemic, Panda Software has made its
PQRemove tools available to users. These applications not only disinfect
computers but also restore system configurations altered by the worm.
One of the PQRemove tools is specifically designed for networks, and removes
Sasser and all its variants from any network that could have been affected.
You can download it at: http://www.pandasoftware.com/support/
The other PQRemove applications can disinfect any computer attacked by any
of the variants of the Sasser worms. You can download them at:
Users can detect and disinfect the new worm with an up-to-date antivirus, but
it is important to install the Microsoft patch to ensure that Sasser doesn't
re-infect computers. The vulnerability exploited by this worm was recently
reported by Microsoft in bulletin MS04-011, together with the patch. Panda
Software has made the updates necessary to its products available to clients.
Handler's Diary: port 135 spikes, Lovegate, Welchia.K, Mailbag, Unix Security
Updated May 5th 2004 23:05 UTC
Port 135 Spikes
Over the last few days, a number of networks detected a sharp, almost vertical, rise in port 135 (tcp) traffic and a subsequent exponential decay. Typically, these traffic bursts last for a few hours. From selected packet captures, it looks like these scans attempt to exploit the RPC DCOM vulnerability. Several possible sources were suggested. It is likely that these scans are caused by botnets which are scanning given target networks for new vulnerable hosts.
A virus sample submitted to us on Monday is now identified as LovGate.R. In addition to spreading via e-mail, the virus will use the RPC DCOM vulnerability to spread and it will open file shares on infected systems. This virus is one suspect in the rise in port 135 traffic.
A new version of 'welchia' (aka Nachi) has been identified. This worm, which was first identified in the wake of Blaster last August, is most noted for the ICMP echo requests it sends. Welchia.K includes exploits for the following vulnerabilities:
* RPC Locator
* WebDAV (you will see URLs that start with 'SEARCH' in your web log)
* RPC DCOM
* MS Workstation
Fixes for all these vulnerabilities were made available in 2003. Multiple worms and bots are currently scanning for these vulnerabilities.
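The two indicators the diary points at, a burst of 135/tcp connections from many sources and WebDAV SEARCH requests showing up in the web log, are simple to pull out of logs. The script below is an added example, not code from the ISC handlers; the firewall line format ("<ISO time> DENY tcp <src> -> <dst>:<port>") and the Apache-style web log lines are constructed for the example, and the per-minute distinct-source threshold is a deliberately simple stand-in for the hours-long rise-and-decay curve the diary describes.

```python
# Added example (not from the ISC diary): flag a 135/tcp scan burst in
# constructed firewall log lines and WebDAV SEARCH requests in constructed
# web-server log lines. Both log formats are assumptions made for this example.
import re
from collections import defaultdict

# Constructed firewall lines: a quiet period with the odd 135/tcp probe.
QUIET_LINES = [
    "2004-05-05T21:01:07 DENY tcp 203.0.113.7 -> 192.0.2.10:135",
    "2004-05-05T21:01:40 DENY tcp 203.0.113.9 -> 192.0.2.11:445",
    "2004-05-05T21:02:15 DENY tcp 203.0.113.8 -> 192.0.2.12:135",
]
# Constructed burst: thirty distinct sources hitting 135/tcp inside one minute,
# the shape a botnet sweep of a target network leaves behind.
BURST_LINES = [
    f"2004-05-05T21:03:{s:02d} DENY tcp 198.51.100.{s} -> 192.0.2.{10 + s % 5}:135"
    for s in range(30)
]
FIREWALL_LOG = QUIET_LINES + BURST_LINES + [
    "2004-05-05T21:04:02 DENY tcp 203.0.113.7 -> 192.0.2.10:135",
]

# Timestamp is captured only to minute resolution so lines bucket per minute.
FW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}):\d{2} \S+ (?P<proto>\w+) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)


def port_hits_per_minute(lines, port=135, proto="tcp"):
    """Map each minute to the set of source IPs that touched port/proto."""
    per_minute = defaultdict(set)
    for line in lines:
        m = FW_RE.match(line)
        if not m:
            continue  # tolerate lines in another format instead of failing
        if m["proto"] == proto and int(m["port"]) == port:
            per_minute[m["ts"]].add(m["src"])
    return per_minute


def find_bursts(per_minute, min_sources=10):
    """Return [(minute, distinct_sources)] for minutes at or above the threshold."""
    return sorted(
        (minute, len(srcs))
        for minute, srcs in per_minute.items()
        if len(srcs) >= min_sources
    )


# Constructed Apache common-log style lines, including one that should be ignored.
WEB_LOG = [
    '203.0.113.5 - - [05/May/2004:22:10:01 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.3 - - [05/May/2004:22:10:05 +0000] "SEARCH / HTTP/1.1" 411 0',
    '198.51.100.3 - - [05/May/2004:22:10:06 +0000] "SEARCH /docs HTTP/1.1" 501 0',
    "garbage line that should be ignored",
]
WEB_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3})"
)


def webdav_search_requests(lines):
    """Return (src, path, status) for every request using the WebDAV SEARCH method."""
    hits = []
    for line in lines:
        m = WEB_RE.match(line)
        if m and m["method"] == "SEARCH":
            hits.append((m["src"], m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for minute, n in find_bursts(port_hits_per_minute(FIREWALL_LOG)):
        print(f"{minute}: {n} distinct sources hit 135/tcp")
    for src, path, status in webdav_search_requests(WEB_LOG):
        print(f"WebDAV SEARCH from {src} for {path} (status {status})")
```

Counting distinct sources per minute rather than raw packets is what separates a sweep from one noisy host retrying; the threshold of ten is arbitrary and should be tuned against a site's own baseline before it drives alerts.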