New worm's got sass, but not much else
The latest worm could spread widely, but security experts believe that computer users got lucky because the program is poorly coded.
The company, which found the flaws that were exploited by both the MSBlast worm and the Witty worm, on Saturday started analyzing the latest piece of attack code that takes advantage of a Microsoft Windows vulnerability discovered by its researchers. So far, eEye's analysts are surprised that the worm has spread so far.
"It's so poorly written," said Marc Maiffret, chief hacking officer for the Aliso Viejo, Calif.-based company. "This could still have a lot of impact, but it's written by someone that could barely get the code working."
Alfred Huger, senior director of security firm Symantec's response center, agreed. "If this virus was better written, you would have seen more impact," he said.
Still, some companies were beginning to report problems from the worm Monday morning. Finnish financial group Sampo said Monday it had temporarily closed all of its branch offices, some 130 in all, as a precaution against Sasser. And in Australia, the worm forced Westpac Banking to turn customers from its branches.
 | ||||
| | | ||
| Get Up to Speed on... Enterprise security  Get the latest headlines and company-specific news in our expanded GUTS section. | | ||
| ||||
| ||||
The Sasser worm spreads from infected computer to vulnerable computer with no user interaction required. The worm exploits a recent vulnerability in a component of Microsoft Windows known as Local Security Authority Subsystem Service, (LSASS). After scanning for vulnerable Windows XP and Windows 2000 systems, the worm creates a remote connection to the system, installs a file transfer protocol (FTP) server and then downloads itself to the new host.
Early on, the worm was spreading at a moderate to slow pace, antivirus experts said.
By Saturday afternoon, Symantec had received about 100 reports, but only 20 from companies. Network Associates had alerts of the worm from 25 to 50 companies, with some of them reporting hundreds of infections. Still, that's small compared wtih the nearly 10 million computers infected by the MSBlast, or Blaster, worm.
Huger said he was concerned that the number of infections might jump on Monday when people take compromised laptops to work.
"It still remains to be seen whether--when people take this to work--we will see a faster spread," he said.
Over the weekend, infection rates seemed to be climbing steadily, said Johannes Ullrich, chief technology officer for the Internet Storm Center, which monitors network attacks.
"It spreads like most of the other worms," he said. "It prefers local networks and it has the usual semi-random spread."
| ||||
| | | ||
| CNET Reviews Prevention and cure How the Sasser worms work, and how to avoid and remove them. | | ||
| ||||
| ||||
Ullrich added that the worm is not able to infect 100 percent of the time, perhaps indicating that Sasser itself has a bug.
That's par for the course for worms, eEye's Maiffret said.
"It just goes to show that the people who are smart enough to create a good worm are either too responsible to do it, or they are the bad guys and they know that worms highlight vulnerabilities and make it more likely that people patch holes," he said.
For the "bad guys," a worm only draws attention to flaws that they want to exploit, he said.
Abby Dinham and Andrew Colley of ZDNet Australia contributed to this report. Reuters also contributed to this report.