Sasser variants pose greater danger

Three new versions of the Sasser worm boosted the infectiousness of the original, spreading to about 500,000 computers by Monday, security researchers said.

Like the original worm, the three new programs--Sasser.B, Sasser.C and Sasser.D--take advantage of a vulnerability in unpatched versions of Windows XP and Windows 2000 systems. The worms infect vulnerable systems by establishing a remote connection to the targeted computer, installing a File Transfer Protocol (FTP) server and then downloading themselves to the new host.

The original version of the Sasser worm spread slowly, but Saturday, online vandals released Sasser.B, which infected computers much faster. By Monday, two new variants had appeared, and the worm had spread to hundreds of thousands of systems.

"The worm has improved significantly," said Alfred Huger, senior director of Symantec's security response center. Early Monday, Symantec had counted at least 10,000 confirmed infections, and acknowledged that hundreds of thousands of computers have likely been infected.

The University of Massachusetts at Amherst discovered just that, when students connected their already infected computers to the campus networks on Monday. The ensuing outbreak resulted in 1,100 computers compromised with Sasser, said Scott Conti, network operations manager for the university.

"All the machines that have gotten the virus haven't been patched," he said, adding that university security lists have been active, with other network administrators reporting the same. "I think everybody has got it pretty bad."

		CNET Reviews Prevention and cure How the Sasser worms work, and how to avoid and remove them.

While many other universities battled with the worm over the weekend, others--like University of Massachusetts--weren't infected until someone connected to the network with an infected computer.

Sasser is proving to be an ordeal for the university, which has to deal with about 5,000 compromises by worms, viruses and bot software every semester, Conti said.

"It is unfortunate that dealing with these outbreaks now has to be part of our whole business plan," he said.

Delta Air Lines encountered problems in Atlanta with its computers for more than six hours, resulting in delays. However, the cause of the problems was still unknown, spokeswoman Catherine Stengel said.

"We won't know until at least tomorrow what caused the issues," she told CNET News.com.

Airline Air Canada canceled flights in August due to its network being infected with a variant of the MSBlast worm. The MSBlast.B worm, also called Welchia and Nachi, spread so aggressively that it inundated many companies' networks with data. Air Canada said its network couldn't deal with the amount of traffic generated by MSBlast.B.

This time around, telephone company SBC Communications tried to minimize the problem for its Internet customers. The company warned them by e-mail this weekend about the worm and urged them to patch their systems.

"It is extremely important you (patch your systems) now, because it's likely you will not be able to take these measures, if your computer becomes infected," the company told customers.

The original worm did not spread very quickly on Friday and Saturday, according to security experts. Some Windows XP users asked for help on a support list when, as a side effect of infection, their computers displayed an error message and restarted.

"The number of home users seeking help on cleaning the Sasser worm in the MS Windows XP Technical Support newsgroup is far less than last year, when the MSBlast worm was released," said Yan Kei "Kenrick" Fu, a Hong Kong college student and a frequent adviser on Microsoft's support lists.

By Monday morning, Symantec was able to confirm--by scanning for open FTP servers on computers, from which the company's sensor detected potential attacks--that 10,000 computers had been infected by the Sasser worm.

		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

The Sasser variants can spread rapidly from an infected computer to one that is vulnerable without any user interaction. The worm spreads by scanning different ranges of Internet addresses using a specific application data channel, or port, numbered 445.

Microsoft has analyzed the worm and believes that it also spreads through port 139. Both are data channels used by the Windows file-sharing protocol and, in many cases, are blocked by Internet service providers. Once a vulnerable system is found, Sasser installs FTP server software and then transfers itself to the new host.

Symantec's Huger said the amount of data that addresses port 445 makes it difficult to differentiate worm traffic from other, legitimate traffic. Moreover, recent modifications to attack bot software cause other malicious programs to use the same port.

"Port 445 is the busiest port in existence," Huger said.

Symantec raised Sasser.B to a seriousness level of 4 from level 3 on its five-point scale Sunday afternoon. The security software company had only 200 reports of the original Sasser worm from its customers.

Huger warned customers that many compromised systems may not be visible to external security surveys and detection, meaning that the actual number of infected systems could be higher. While Symantec and others that monitor Internet security believed that previous worm MSBlast had spread to perhaps 500,000 computers, Microsoft later discovered that almost 10 million computers have been infected to date.

Internal networks belonging to companies that didn't patch their systems in time could be teaming with infected systems, Huger said. "The majority of the damage that we are going to see is going to be on the internal network," he said.

Rival antivirus company Panda Software raised Sasser.A and Sasser.B to a red alert status from amber on Sunday.

"This worm could definitely hit as many computers as MSBlast," said Patrick Hinojosa, Panda's U.S. chief technology officer. MSBlast, also known as Blaster, launched last summer and exploited a vulnerability as widespread as the flaw that Sasser uses to infiltrate systems.

Panda had also detected Sasser.C and Sasser.D variants, Hinojosa said. These two variants can look for 1,024 separate IP addresses simultaneously--as a means to spread itself--making it more virulent than the original, he added.

The Sasser worm does not carry a destructive payload, but it can result in system degradation, antivirus experts say.

"It can cause machines to reboot when connecting to the Internet. So, if you're a company, your edge servers will be continually rebooting," Hinojosa said.

Although Sasser.B does not feature a back door to allow spammers and others to enter a user's system, Symantec's Huger said he would not be surprised if that feature is added to later versions of Sasser.