1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Sasser Internet Worm

Discussion in 'Computer Security' started by AJ, May 3, 2004.

  1. AJ

    AJ Administrator Administrator

    6,771
    102
    221
    The Sasser worm spreads in a similar way to last year's serious Blaster outbreak, in so much as it travels via the internet exploiting security holes in Microsoft's software and does not use email," said Graham Cluley, senior technology consultant for Sophos. "At the moment it's not travelling as fast as Blaster did, but computers which are not properly protected with anti-virus updates, firewalls and Microsoft's security patch are asking for trouble."

    Read the Sophos data on this worm Sasser
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Looking at doing ..................
  2. SimonV

    SimonV Petabyte Poster Administrator

    6,616
    149
    228
    Here's a little more info on the virus and its varients:

    http://www.microsoft.com/security/incident/sasser.asp

    There is also a on-line scanner for the virus and if your unlucky enough to have been infected you can remove the virus using McAfee AVERT Stinger
     
    Certifications: MOS Master 2003, CompTIA A+, MCSA:M, MCSE
    WIP: Keeping CF Alive...
  3. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    13,493
    179
    287
    This one serious screwed up my morning. HP was hit pretty hard. Fortunately/unfortunately, they also enabled a process on Saturday that automatically scans any PC on the network...those without the right patches are taken off the network. All my users plus the lab machines comply with the internal security policies so they're automatically protected. Unfortunately, we were given a guest machine that wasn't protected.

    I had to manually download the patches onto a thumb drive and install them on the guest machine (HP pavilion). So far so good. I found a process that was sucking up a lot of CPU cycles. Looked like some sort of adware. I killed the process and the machine runs much faster now. The on board Norton Anti-virus 2004's subscription had expired so I used Trend Micro's site to scan the machine.

    25 files infected with WORM SASSER.C and they're non-cleanable. I'm a little nervous about just deleting them since they don't seem to be doing any observable harm. All of the infected files are in the C:\WINDOWS\System32 folder. I need this machine to be up and running in the lab in four hours. Should I risk it?
     
    Certifications: A+ and Network+
  4. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    13,493
    179
    287
    Update: Stinger.exe by McAfee has been updated to include detection/removal of Sasser. I'm running it now. Any other comments, suggestions, or opinions are of course quite welcome. I'll let you know how stinger turns out.
     
    Certifications: A+ and Network+
  5. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    13,493
    179
    287
    Another update: Stinger finished. Found the 25 infected files and automatically deleted them. I'm running stinger again just to be on the safe side. Looks good thus far.
     
    Certifications: A+ and Network+
  6. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    9,915
    60
    229
    Cheers for the nod, Guys - will go grab Stinger now. I see AVG has just dome it's near-daily update, so hopefully that will include the patch.

    I expect I'll be in for one or two more calls than usual this week at work, then ? :roll:
     
    Certifications: MCP, A+, Network+
    WIP: Clarity
  7. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    13,493
    179
    287
    The patch(es) you'll need can be found at Windows Update. Sasser takes advantage of some recently discovered holes and MS released the patches for them in the past few weeks. If you're machine is up to date, using stinger should do it.
     
    Certifications: A+ and Network+
  8. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    9,915
    60
    229
    I have already installed the recent MS cumulative Security Update that we discussed recently - interesting to find out if that includes the patch for the exploit.

    I'll still be running a Stinger check shortly anyway, and will read up on Sophos - I really do think that work is going to be hellish for the next wee while.

    The Guys that were there last year (before I was) recall the when MSBlast kicked in on the scene, it was just like Armageddon :evil:

    Oh well, welcome to Tech Support...... :cry:
     
    Certifications: MCP, A+, Network+
    WIP: Clarity
  9. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    13,493
    179
    287
    I just need to know if you mean the free CD sent out by MS or the most recent significant download of the past couple of weeks. The download would be the correct answer in this case for closing the offending port.
     
    Certifications: A+ and Network+
  10. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    9,915
    60
    229
    Thanks Trip - I was indeed referring to the free MS CD of late, so I guess the answer is "no" to my question.

    OK - will get onto MS Update now. Just finished bringing down Stinger - gonna run that first.
     
    Certifications: MCP, A+, Network+
    WIP: Clarity
  11. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    13,493
    179
    287
    No worries, Gav. The updates on the disk are several months old. MS creates new releases every Tuesday (not that there are actually new ones each week...that' just the day they've set aside to dole out what they may have). :)
     
    Certifications: A+ and Network+
  12. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    5,726
    175
    221
    what would happen if you had say, 100 machines infected and not under such a security policy? wouldnt it make more sense to move infected machines off the main network to a segregated network with a SUS server/AV server so that all machines could be updated to meet security policy at greater speed/less administrative overhead?

    well not like you can question HPs policies hehe just an observation hehe :P
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
  13. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    9,915
    60
    229
    I'd just like to add a quick thanks to AJ for bringing this to us promptly and with great info :D :thumbleft

    Action like that, and the subsequent discussion and learning are what I love about this place.

    Cheers Guys.
     
    Certifications: MCP, A+, Network+
    WIP: Clarity
  14. AJ

    AJ Administrator Administrator

    6,771
    102
    221
    THis one does sem to be a nasty one so it's best that we're all aware of it. I now know what my job is in the morning, looking after my servers (bless their hearts).
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Looking at doing ..................
  15. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    13,493
    179
    287
    Message from the servers: :wub
     
    Certifications: A+ and Network+
  16. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    9,915
    60
    229
    Been looking around a bit on the net for info on it, but can't actually find details of signs of it's activity.

    Does anyone actually know how it manifests itself ?

    Interestingly, late on my shift on Sat, I had a call from a user saying he was getting disconnected almost immediately after connecting to the Internet (10-60 secs) . So the light bulb comes on - :idea: - Blaster, I tell him.

    He reported aWindows error referencing "lsass.exe". Strange, I thought - Blaster was always RPC. Now it all seems to fall into place. Maybe .....
     
    Certifications: MCP, A+, Network+
    WIP: Clarity
  17. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    13,493
    179
    287
    Nope. All the classic signs of Sasser. Probably easiest to give you the link to the SS thread here. Also, another link here has the relevant screen shots if you'll scroll down.
     
    Certifications: A+ and Network+
  18. nugget
    Honorary Member

    nugget Junior toady

    7,796
    71
    224
    Just want to say (shout) that "I LOVE LINUX" more and more every day. :wub
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  19. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    13,493
    179
    287
    However, I don't support Linux so we make do with what we have <sigh>. :wink:
     
    Certifications: A+ and Network+
  20. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    9,915
    60
    229
    Thanks once again, Trip- I'm forewarned and forearmed before work tomorrow - oooohh, that's gonna be fun :aaah

    @nugg - fair point, but that aint gonna solve the probs of 99% of workplaces unfortunately, Mate :cry:
     
    Certifications: MCP, A+, Network+
    WIP: Clarity

Share This Page

Loading...