Trend Micro Warns of Continued Spread of "Sasser" Worm
Family
Second Exploit of Vulnerability May Severely Slow Network
Traffic as Infected Systems Enable Search of Other Vulnerable
Systems
Cupertino, California - May 03, 2004 - Trend Micro, Inc. (TSE: 4704,
NASDAQ: TMIC), a leader in network antivirus and Internet
content security software and
services, today warns of a family of new worms, referred to as
WORM_SASSER that spreads by scanning for random IP addresses and
exploiting a buffer overrun vulnerability recently reported by
Microsoft for the
Windows operating system. Anyone
connected to the Internet, including corporate networks and
broadband subscribers, may be at risk from this family of worms.
Variants of this worm have been seen in several countries
throughout Europe, Asia, Latin America, and in the U.S. since
early Saturday (May 1, 2004). While SASSER is not the first worm
to take advantage of the Microsoft vulnerability, it uses a
method of propagation to spread broadly and at an exponential
rate.
WORM_SASSER exploits the Windows Local Security Authority
Subsystem Service (LSASS) vulnerability, which is a buffer overrun
that allows remote code execution and enables an attacker to gain
full control of the affected system. To propagate, SASSER variants
scan random IP addresses for vulnerable systems. When a vulnerable
system is found, the malware sends a specially crafted packet to
produce a buffer overrun on LSASS.EXE, which causes the program to
crash and, in effect, the infected system to crash, requiring
Windows to reboot.
By using IP addresses, WORM_SASSER scans the global Internet for
vulnerable systems and can search for vulnerable systems within
entire network segments. Infections grow exponentially because each
infected system can potentially be used to search for other
vulnerable systems.
"More infections can lead to increased network traffic and result
in severe network slowdowns, like an internal denial-of-service,"
said Joe Hartmann, senior virus researcher and analyst for Trend
Micro, Inc.
The LSASS vulnerability was first reported on April 13, 2004,
and was first utilized by a variant of the AGOBOT worm
(WORM_AGOBOT.JF), detected a mere 16 days later. Compared to the
Blaster worm (August 2003) that took 26 days between vulnerability
and outbreak, there is an ever-shortening time gap from
vulnerability to exploitation. The Blaster worm also found victims
through random IP addresses and exploited a known vulnerability.
WORM_AGOBOT.JF propagated through networks by spreading through
select SMB shares, which may explain why it did not spread
extensively.
WORM_SASSER variants arrive as a 16KB attachment, and affect
Windows 95, 98, ME, NT, 2000 and XP platforms.
Trend Micro customers are protected through the latest pattern
file, number 883. Customers of Outbreak Prevention Services should
download OPP 112 to help protect against spread of this threat. For
customers of Damage Cleanup Services, Damage Cleanup template # 334
should be downloaded to help with automated restoration of affected
systems. Users of Trend Micro Network VirusWall 1200 can detect
this worm through pattern #10126 (or later). The associated
vulnerabilities were also described in Vulnerability Assessment
pattern # 010.
Customers are advised to apply the necessary vulnerability
patches available from Microsoft to address the LSASS
vulnerability.
For more information, please visit www.trendmicro.com.
About Trend Micro
Trend Micro is a leader in network antivirus and Internet content
security software and services. The Tokyo-based corporation has
business units worldwide. Trend Micro products are sold through
corporate, value-added resellers and managed service providers. For
additional information and evaluation copies of all Trend Micro
products, visit: www.trendmicro.com.
# # #
Trend Micro, the t-ball logo, and VirusWall are trademarks or
registered trademarks of Trend Micro Incorporated. All other
company or product names may be trademarks or registered trademarks
of their owners. Information is accurate at the time it was written and is
subject to change without notice.
For more information please contact:
North America
Michael Sweeny
Tel: +1 (408) 863-6384
Mobile: +1 (408) 499-2697
email: michael_sweeny@trendmicro.com
Latin America
Todd Thiemann
Tel: +1 (408) 863-6566
Email: todd_thiemann@trendmicro.com
Europe, Middle East, Africa
Anna Wright
Tel: +44 (0) 1628 400534
Email: anna_wright@trendmicro.co.uk
APAC
Amy Liu
Tel: + 886 22 376 4939
Email: amy_liu@trend.com.tw
Japan
Naomi Ikenomoto
Tel: +81-3-5334-3658, Ext 8387
Email: ikenomoto_naomi@trendmicro.co.jp