Yesterday when I read about this Sasser worm, it wasn't thought to be a serious threat because its code is poorly written. Now the articles I'm reading state that its threat is increasing. This article is disturbing because it shows how serious a computer worm can be.
http://www.enterpriseitplanet.com/security/news/article.php/3348291
Sasser eyed over train outage
Chris Jenkins
MAY 03, 2004
NSW TRAINS authority RailCorp has sent in software engineers to find the source of the outage that left up to 300,000 commuters stranded yesterday, saying the new Sasser worm, which has already spawned two variants, is being evaluated as a possible cause.
A RailCorp spokesman confirmed that software engineers were investigating the problem, which prevented drivers from talking to signal boxes. A virus attack was one possibility being investigated, he said. RailCorp was unable to confirm when the investigation would be complete.
RailCorp chief executive Vince Graham raised the possibility of a virus attack at a press briefing yesterday. "There is no evidence that hacking is an issue here, the viral infection could have been introduced by one of our own people not taking sufficient care," Sydney's Daily Telegraph reported Mr Graham as saying.
The first incidence of the Sasser virus occurred in the US on Friday. Unlike other recent attacks, Sasser does not require email to propagate, instead "pinging" the internet for computers with the Windows operating system vulnerability it is designed to exploit.
Sasser leaves no obvious sign that it has infected a PC, meaning users may be unaware of its presence.
The Local Security Authority Subsystem Service (LSASS) vulnerability exists in versions of Windows XP, Windows 2000 and Windows Server 2003. Microsoft advised of the problem and issued a patch April 13.
Microsoft has also posted a notice on its website warning Windows users of the dangers and a tool to remove the worm. The patch provided by Microsoft meant it was likely that small businesses and home users, especially those on broadband connections, would be affected by the worm, technical director for internet security firm Symantec Tim Hartman said.
The first "a" version of Sasser to appear was designed to search for new IP addresses to attack via 128 different threads, Mr Hartman said. The more recent "c" variant used 1024 threads, he said. The traffic created by the worm could place "quite a burden on the internet," he said.
This report appears on australianIT.com.au.