Take an unprotected PC, and connect it to the Internet; within ten minutes it will be infected by the Sasser worm. So says Mikko Hypponen, anti-virus research director at F-Secure. Don’t think that you’re safe because the German police have arrested the culprit. The worm will live on for as long as there are computers to infect.
Sasser is different from other viruses. It doesn’t need to be sent to you via email. It searches for computers that it can infect, those running Windows 2000 and XP. Though other Windows systems could be used to pass it on, they will only be carriers, not fully infected. Once a computer is infected, the code looks for another victim. It is this technique that earns Sasser the title of “worm”. If your computer has been infected, there will be no lasting damage, just the inconvenience of the machine shutting down, and automatically rebooting several times.
The speed at which the virus writers complete their code is incredible. Microsoft was first informed of the vulnerability that Sasser exploits by security firm eEye Digital Security on 8 October 2003. The Sasser worm was unleashed on 1 May 2004, just 18 days after Microsoft first announced the availability of a patch. It is unwise to announce that a vulnerability in code exists before the patch is available; otherwise the virus would be attacking PCs, and there would be no protection available at all.
People who work in IT know that a patch must be applied as soon as it is available. That is why it is surprising to hear of so many organisations falling victim to Sasser. From the South African government, to the Hong Kong government. From Westpac in Australia, to Goldman Sachs. From Deutsche Post, to the Taiwan Post Office. From Australia’s Railcorp, to US airline Delta. From British Airways, to the UK Coastguard. Those organisations affected had to resort to pencils and paper. How dangerous could it have been if Sasser had managed to hit air traffic control computers? What if the worm had a method of recording PIN numbers, and accounts, while it was resident in an ATM machine? This time the IT world was lucky; it could have been more devastating.
It may be the large organisations that suffer most, but it is likely that home PCs are going to be the biggest problem in the eradication of this worm. If you are connected to the Internet via broadband, and do not have a firewall, you will almost certainly have a PC that is infected, or a carrier. If you are a dial-up Internet user, it is only a matter of time.
For Windows 2000 and XP users, the first step in protection, or eradication, is to visit the Microsoft information site and follow the instructions. The second step is to ensure that you always update your Windows system and your virus scanner. The third step is to test the security of your firewall by using LeakTest and ShieldsUp!
For those of you with Windows systems other than 2000 and XP, follow the instructions at your virus scanner website (see below). You will also need to ensure that you have a firewall installed, so see the eStuff Protect Your PC article.
- A computer worm that spreads using flaws in the code of the Sasser worm has been identified by computer experts. Called “Dabber”, the new worm is the first to scavenge access to computers using another worm. [New Scientist]
- First detected over the weekend, the worm has already infected, by some estimates, over 1 million PCs. Among its victims are banks, travel-booking systems, European Commission offices and Britain’s 19 coast guard stations. [Wired]
- Politicians are rarely known to speak out about computer worms but South Australian Democrat Ian Gilfillan is not about to let the Sasser worm episode go by without having his say. [The Age]
- Australia’s Open Source Industry Association has used the Sasser worm incident to push its claim that operating systems such as Linux, FreeBSD, Mac OS X and Unix are reliable and secure. [The Age]
- Gartner is advising its customers to budget for extra security spending on Windows desktops in the wake of the raft of problems caused by the Sasser worm this week. [The Register]
- More than a million computers around the world have been infected by the “Sasser” computer worm or one of its variants, according to some estimates. [New Scientist]
- Some viruses like Code Red (debut in 2001), SQL Slammer (appeared in January 2003) and Nachi (from August 2003) are still out on the web finding and infecting fresh victims. He said that although half of all machines vulnerable to a new loophole are patched within 30 days of an outbreak occurring, 50% of the rest take another 30 days and so on and so on. The result is that there are always some machines on the net that are vulnerable to a particular virus. [BBC]
- One reason why this Sasser virus is spreading fast is because there are many thousands, if not hundreds of thousands of people online with the fake FCK WindowsXP key using pirated software. Microsoft is not allowing these users to update their computers with the latest patches. This is exacerbating the problem. Should Microsoft allow any computer with any keys to update, solely to help stop the spreading of this virus? [Broadband Reports]
- Stuart Okin, chief security advisor for Microsoft UK, says “I believe the real problem is that software quality sucks,” he told New Scientist. Schneier suggests that software companies would improve the quality of their code if they were held legally liable for any damage resulting from bugs. [New Scientist]
- An 18-year old man has been arrested in Rotenburg, North Germany, in connection with writing and distributing the infamous Sasser internet worm, which is estimated to have attacked tens of millions of PCs across the world. Sophos’s virus experts believe that the gang responsible for distributing the Sasser worm may also be responsible for the hard-hitting Netsky worms which have been infecting computer users for most of the year. [Sophos]
- The arrest in Germany of two men suspected of writing crippling computer worms may be the biggest break yet in taking down the most prolific virus-writing group, security experts said on Saturday. [NZ Herald]
- An 18-year-old German high school student has admitted creating the Sasser internet worm, police say. [BBC]
- An 18-year-old German who confessed to creating the “Sasser” computer worm launched a new version meant to limit the damage just before his arrest last week, investigators said Monday. [CNN]
- Microsoft has credited its virus bounty scheme for the arrest of a German computer programmer who is suspected of unleashing the Sasser computer worm. [New Scientist]
- More serious security problems for Microsoft software could follow in the wake of the Sasser worm. [BBC]