Update: Sasser.d to start the work week, clean up tools may not be adequate

Published: 2004-05-03
Last Updated: 2004-05-04 00:00:34 UTC
by Jim Clausing (Version: 1)
0 comment(s)
Due to the continuing spread of Sasser and the other malicious code targeting the MS04-011 vulnerabilities, we will remain at Infocon Yellow overnight. We will reevaluate the situation in the morning.


Sasser worm family continues to spread

The Sasser worm outbreak that began early Saturday morning continues. There have been at least 4 distinct variants noted so far. The primary difference between the first 3 was in the name of the file installed and increasing the number of scanning threads from 100 to 1000. The fourth variant, Sasser.d, which started appearing this morning also added a component to use pings (ICMP echo requests) to scan for other hosts to infect. It can generate more than 30 packets/sec with no payload. On a network with many unpatched systems, this could lead to network congestion similar to what was seen when Nachi came out last August. Also, because it will scan multicast addresses, there have been some reports that some routers which route multicast traffic have become unstable as a result of Sasser infections. A reminder, that systems patched against the issues described in MS04-011 are not vulnerable to this worm. If you haven't patched yet, do so immediately.

One of the ISC handlers, Tom Liston, has captured some of the Sasser.d ICMP activity on his research honeynet and is making the captures available at http://isc.sans.org/presentations/sasser_d.cap.zip



Sasser 'fix' hoax e-mail

This afternoon there is a hoax e-mail making the rounds purporting to be from an anti-virus vendor and claiming to have a clean up tool for Sasser attached. This is, in fact, a new NetSky variant. Anti-virus vendors will never send the tools as attachments in e-mail. Always check the vendor's web site for their latest clean up tools.



Automatic cleanup tools

Microsoft and most of the anti-virus vendors are providing tools for the automatic removal of some of the Sasser variants (see yesterday's diary). While we don't want to discourage people from using these tools, we also don't want the public to get too complacent and think that once they use one of these tools everything is fine. We are seeing a great deal of evidence of multiple infections on machines with Sasser. That is, machines infected with Sasser are often also infected with something else, frequently one of the recent agobot/gaobot/phatbot variants that also target the MS04-011 vulnerabilities. Our standard advice remains, if you get infected, your best course of action is a complete rebuild of the system. If you reinstall a system, or configure a new system, you will have to
enable a firewall before connecting the system to a network. Internal
LANs may be infected as well. Windows XP users may follow our guide:
Windows XP, Surviving the First Day
http://www.sans.org/rr/papers/index.php?id=1298

Alternatively, you may want to use a small hardware firewall appliance.




--------------------
Jim Clausing, handler on duty
Keywords:
0 comment(s)

Comments


Diary Archives