Sasser (computer worm)
Sasser is a computer worm that affects computers running vulnerable versions of the Microsoft operating systems Windows XP and Windows 2000. Sasser spreads by exploiting the system through a vulnerable network port (as do certain other worms). Thus it is particularly virulent in that it can spread without user intervention, but it is also easily stopped by a properly configured firewall or by downloading system updates from Windows Update. The specific hole Sasser exploits is documented by Microsoft in its MS04-011 bulletin, for which a patch had been released seventeen days earlier.
History and effects
Sasser was first noticed and started spreading on April 30, 2004. This worm was named Sasser because it spreads by exploiting a buffer overflow in the component known as LSASS (Local Security Authority Subsystem Service) on the affected operating systems. The worm scans different ranges of IP addresses and connects to victims' computers primarily through TCP port 445. Microsoft's analysis of the worm indicates that it may also spread through port 139. Several variants called Sasser.B, Sasser.C, and Sasser.D appeared within days (with the original named Sasser.A). The LSASS vulnerability was patched by Microsoft in the April 2004 installment of its monthly security packages, prior to the release of the worm. Some technology specialists have speculated that the worm writers reverse-engineered the patch to discover the vulnerability, which would leave exposed the millions of computers whose operating system had not been upgraded with the security update.
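The scanning behaviour described above, one host walking through ranges of IP addresses and connecting to each on TCP 445 or 139, is a pattern a network defender can pick out of ordinary connection logs. The Python script below is an added example, not code from the article or from any published Sasser analysis. It assumes a constructed log format of `timestamp src_ip dst_ip dst_port action`, and it generalises the article's specific case into a sliding-window heuristic: any source that reaches at least a threshold number of distinct destinations on the watched ports inside a 60-second window is flagged, while a host that repeatedly talks to one file server is not. The sample hosts, addresses and threshold values are all constructed for the demonstration.

```python
"""Flag worm-style SMB/NetBIOS sweeps in connection logs.

Added defender-side example for the Sasser article; the log format, the hosts
and the thresholds below are all constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Sasser reached LSASS on victims primarily over TCP 445, and also over 139.
WATCHED_PORTS = {445, 139}


def parse_line(line):
    """Parse one constructed log line: 'ISO-timestamp src_ip dst_ip dst_port action'."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def find_scanners(log_text, window=timedelta(seconds=60), threshold=20):
    """Return {src_ip: peak_distinct_targets} for every source that contacted at
    least `threshold` distinct destination IPs on a watched port inside some
    `window`-long span. A host that talks to one file server many times is not
    flagged; a host walking through an address range is."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, _action = parse_line(line)
        if port in WATCHED_PORTS:
            per_src[src].append((ts, dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()                 # chronological order for the sliding window
        in_window = defaultdict(int)  # dst_ip -> events still inside the window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Evict events older than `window` relative to the newest event.
            while events[left][0] < ts - window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def build_sample_log():
    """Constructed sample traffic: one fast sweeper, one slow sweeper, two benign hosts."""
    base = datetime(2004, 4, 30, 10, 0, 0)
    lines = []

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).isoformat(timespec="seconds")

    # 10.0.0.7 walks 10.0.1.1 .. 10.0.1.30 on port 445, one target per second.
    for i in range(1, 31):
        lines.append(f"{stamp(i)} 10.0.0.7 10.0.1.{i} 445 SYN")
    # 10.0.0.40 probes 25 hosts on port 139 but only every 10 seconds: at most 7
    # distinct targets fall inside any 60-second window, so the default threshold ignores it.
    for i in range(25):
        lines.append(f"{stamp(300 + 10 * i)} 10.0.0.40 10.0.3.{i + 1} 139 SYN")
    # 10.0.0.20 reconnects to the same file share repeatedly: one distinct target.
    for i in range(1, 31):
        lines.append(f"{stamp(i)} 10.0.0.20 10.0.2.5 445 SYN")
    # 10.0.0.30 browses many web servers on port 80, which is not a watched port.
    for i in range(1, 31):
        lines.append(f"{stamp(i)} 10.0.0.30 192.0.2.{i} 80 SYN")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, peak in sorted(find_scanners(build_sample_log()).items()):
        print(f"{src}: {peak} distinct targets on ports {sorted(WATCHED_PORTS)} within 60s")
```

Run as a script it reports only 10.0.0.7; lowering `threshold` to 5 also surfaces the slow sweeper 10.0.0.40, which shows why the window length and threshold have to be tuned together against the normal SMB traffic of the network being monitored.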
The effects of Sasser include the news agency Agence France-Presse (AFP) having all its satellite communications blocked for hours and the U.S. airline Delta Air Lines having to cancel several transatlantic flights because its computer systems had been swamped by the worm. The Nordic insurance company If and their Finnish owners Sampo Bank came to a complete halt and had to close their 130 offices in Finland. The British Coastguard had its electronic mapping service disabled for a few hours, and Goldman Sachs, Deutsche Post, and the European Commission also all had issues with the worm. The X-ray department at Lund University Hospital had all their four layer X-ray machines disabled for several hours and had to redirect emergency X-ray patients to a nearby hospital.
Author
Sasser was at first believed to have been authored in Russia by the same person(s) who created another worm usually referred to as Lovsan, MSBlast, or Blaster (due to the media), a connection indicated by code similarities between the two, but on 7 May 2004, 18-year-old German computer science student Sven Jaschan from Rotenburg, Lower Saxony, was arrested for writing the worm. German authorities were led to Jaschan partly because of information obtained in response to a bounty offer by Microsoft of US$250,000.
One of Jaschan's friends had informed Microsoft that his friend had created the worm. He further revealed that not only Sasser, but also Netsky.AC, a variant of the Netsky worm, was his creation. Another variation of Sasser, Sasser.E, was found to be circulating shortly after the arrest. It was the only variation that attempted to remove other worms from the infected computer, much in the way Netsky does.
Jaschan was tried as a minor because the German courts determined that he created the worm before he was 18. The worm itself had been released on his 18th birthday (29 April 2004). Sven Jaschan was found guilty of computer sabotage and illegally altering data. On Friday, 8 July 2005, he received a 21-month suspended sentence.
Side effects
An indication of the worm's infection of a given PC is the existence of the file C:\WIN.LOG or C:\WIN2.LOG on the PC's hard disk, as well as seemingly random crashes of LSASS.EXE caused by faulty code used in the worm. The most characteristic symptom of the worm is the shutdown timer that appears due to the worm crashing LSASS.exe.
Workarounds
The shutdown sequence can be aborted by pressing Start and using the Run command to enter shutdown -a. This aborts the system shutdown so the user may continue what he or she was doing. The shutdown.exe file is not available by default within Windows 2000, but can be installed from the Windows 2000 Resource Kit. It is available in Windows XP.
A second option to stop the worm from shutting down a computer is to change the time and/or date on its clock to earlier; the shutdown time will move as far into the future as the clock was set back.
External links
- Microsoft Security Bulletin: MS04-011
- CVE: CAN-2003-0533
- Bugtraq ID 10108
- Read here how you can protect your PC (Microsoft Security page) - Includes links to the info pages of major anti-virus companies.
- New Windows Worm on the Loose (Slashdot article)
- Report on the effects of the worm from the BBC
- German admits creating Sasser (BBC News)
- Sasser creator avoids jail term (BBC News)