New worm's got sass, but not much else

The latest worm could spread widely, but security experts believe that computer users got lucky because the program is poorly coded.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
3 min read
The security researchers at eEye Digital Security are not impressed with the Sasser worm.

The company, which found the flaws that were exploited by both the MSBlast worm and the Witty worm, on Saturday started analyzing the latest piece of attack code that takes advantage of a Microsoft Windows vulnerability discovered by its researchers. So far, eEye's analysts are surprised that the worm has spread so far.

"It's so poorly written," said Marc Maiffret, chief hacking officer for the Aliso Viejo, Calif.-based company. "This could still have a lot of impact, but it's written by someone that could barely get the code working."

Alfred Huger, senior director of security firm Symantec's response center, agreed. "If this virus was better written, you would have seen more impact," he said.

Still, some companies were beginning to report problems from the worm Monday morning. Finnish financial group Sampo said Monday it had temporarily closed all of its branch offices, some 130 in all, as a precaution against Sasser. And in Australia, the worm forced Westpac Banking to turn customers from its branches.

Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.

The Sasser worm started spreading late Friday. As of Saturday afternoon, it had not racked up the crowd of compromised computers that its predecessors have been able to claim. If it weren't for the worm's poor programming, such a limited spread could have indicated that computer users are becoming more diligent about heeding warnings and patching their systems.

The Sasser worm spreads from infected computer to vulnerable computer with no user interaction required. The worm exploits a recent vulnerability in a component of Microsoft Windows known as Local Security Authority Subsystem Service, (LSASS). After scanning for vulnerable Windows XP and Windows 2000 systems, the worm creates a remote connection to the system, installs a file transfer protocol (FTP) server and then downloads itself to the new host.

Early on, the worm was spreading at a moderate to slow pace, antivirus experts said.

By Saturday afternoon, Symantec had received about 100 reports, but only 20 from companies. Network Associates had alerts of the worm from 25 to 50 companies, with some of them reporting hundreds of infections. Still, that's small compared wtih the nearly 10 million computers infected by the MSBlast, or Blaster, worm.

Huger said he was concerned that the number of infections might jump on Monday when people take compromised laptops to work.

"It still remains to be seen whether--when people take this to work--we will see a faster spread," he said.

Over the weekend, infection rates seemed to be climbing steadily, said Johannes Ullrich, chief technology officer for the Internet Storm Center, which monitors network attacks.

"It spreads like most of the other worms," he said. "It prefers local networks and it has the usual semi-random spread."

CNET Reviews
Prevention and cure
How the Sasser worms work, and
how to avoid and remove them.

Code in the worm will cause it to spread randomly half the time; to the same A-class network as the infected host a quarter of the time; and to the same B-class network the remaining time. There are about 65,000 address in a B-class network and about 16.8 million addresses in an A-class network.

Ullrich added that the worm is not able to infect 100 percent of the time, perhaps indicating that Sasser itself has a bug.

That's par for the course for worms, eEye's Maiffret said.

"It just goes to show that the people who are smart enough to create a good worm are either too responsible to do it, or they are the bad guys and they know that worms highlight vulnerabilities and make it more likely that people patch holes," he said.

For the "bad guys," a worm only draws attention to flaws that they want to exploit, he said.

Abby Dinham and Andrew Colley of ZDNet Australia contributed to this report. Reuters also contributed to this report.