Sasser Worm Infects Thousands of Computers Worldwide

Bloomberg ^ | May 3, 2004

[FourPeas]

May 3 (Bloomberg) -- A computer worm called Sasser may have infected hundreds of thousands of computers through the Internet and is still spreading, possibly disrupting business today, a security software expert said.

The worm, which is different than a virus because it doesn't need to be attached to an e-mail to spread, causes a computer to shut down and then reboot several times, apparently without causing any permanent damage, said Mikko Hyppoenen, director of virus research with Helsinki-based F-Secure Oyj. The worm was detected Saturday at 4 a.m. Finnish time, he said.

[N3WBI3]

But there is no proven relationship between the use of an OS and the number of worms. UNIX has had a larger share than MACOS for years and yet it is less likely to have a virus.

Sometimes a better architecture can handle any extra publicity..

[sully777]

Anyone want an Apple while their system is down?

[FourPeas]

I'm really more of a cherry fan.

[sully777]

Save your energy. Mac users are zealots. They are insecure that they are out of step with the rest of the world, so they cover it with that elitist attitude. Not surprising that Mac users tend to be liberal! :)

---

I woke up and the sun shown in my face. I made coffee and logged onto my e-mail. I've surfed a few CONSERVATIVE sites. Yes, life's good being an insecure elitist--a Goldwater Conservative Apple-user insecure elitist, thank you very much.

It's like that old saying: Wealth doesn't buy happiness but at least it buys something.

[ConservativeMan55]

bttt

[blackie]

Apple isn't immune:

http://www.cnn.com/2004/TECH/internet/04/09/apple.trojan/

[pctech]

My daughter's system got it as well. She called me the other day from her mom's and said her system was possessed! After visiting Macfee, Symantec and Microsoft I got everything I needed to detect it, clear it out, and patch Windows.

[varina davis]

Also, everytime she tries to get her patch, the computer shuts down. If I startup in safe mode, can I get online and download the patch that way? Or, should I remove the bugger from the registry, first, and then try to patch?

Hi there IamHD, maybe this will help. I went to system repair and backed up the settings to before the worm was announced. That let me get on line to find the Sasser fix on Norton, which I used yesterday (following instructions very carefully), and so far, no more problems -- but am knocking hard on wood ;^p

[NJ_gent]

Out of curiosity, have you seen anything coming through the VPN connections? We maintain a number of VPN connections with several clients for support purposes. We're pretty good about preventative security, but I'd like to know whether this bug is poking at that particular weak point.

[brownsfan]

I said: Mac users TEND to be liberal. Not: all Mac users are liberal. :)

Needling aside, I see the strengths of the Mac, and the strengths of the PC. Both are simply tools. It just seems you get the Mac users who pipe up at any opportunity pontificating about their choice of tool. As if anyone who didn't share their view was not very bright. If you can't objectively examine the tools available to you, you are doomed to use the wrong one eventually.

[D-fendr]

These Routers will have a easy to use Web Interface and a manual for setup. The Firewall functions can usually be set to default High Level Security to block all uninitiated inbound TCP ports.

I believe this is likely talking about NAT. Helpful, but not the same as a firewall - though manufacturers sometimes don't like to point out the distinction.

[D-fendr]

Depends on how you filter the tunnels.

If it's not filtered at all, a VPN IPsec tunnel sends all traffic through a properly established tunnel. It encrypts it and verifies both ends, but it will send a virus, trojan, worm, just as easily as it will good data. (It's sometimes described as a hard shell and soft inside security.)

You can filter the tunnel, (direct traffic to only addess x and port x), assuming you have the equipment and knowledge to do so.

But don't assume your VPN does this.

[Arthalion]

Yes we have. One of our VPN clients apparently became infected with Sasser.D about an hour ago, and then jumped through our VPN to infect a couple of other VPN clients before our operations guys were able to secure and shut down those users (they apparently have Ciscoworks set to alert them of any internal 445 activity). The good news is that the new VLAN and intermediate firewalls apparently worked like a charm and kept the virus out of our main network. The bad news is that it apparently jumped despite the fact that our Cisco concentrators should be filtering 445 completely (we're not yet sure what the problem is). Since our VPN clients sit in their own VLAN, however, all they can do right now is infect each other.

[Buggman]

I'm just going to bump this so I can find it again when I get home. I'm pretty sure the computers at my night job are infected. Thanks.

[savedbygrace]

XoftSpy

http://www.paretologic.com/xoftspy/lp/1/?w=1

Buy it, because the freebie won't allow removal of the bots. $39.95 download.

[CyberCowboy777]

NAT is better than a straight Cable Modem access and many Cable/DSL Routers do block inbound TCP ports.

Now days you can buy a middle class router with Stateful Packet Inspection and other true Firewall features for $150.00 or less.

http://www.amazon.com/exec/obidos/tg/detail/-/B00006B9HR/102-6475380-6426540?v=glance

http://www.amazon.com/exec/obidos/ASIN/B00006G2OJ/qid%3D1083621266/sr%3D11-1/ref%3Dsr%5F11%5F1/102-6475380-6426540

http://www.homenethelp.com/web/review/dlink-di-714.asp

Higher end units like the uBr series from Cisco have used Stateful Packet Inspection for awhile.

This is a pretty good solution for $50.00 to $150.00 for a small business or home user.

[NJ_gent]

Damn thing sounds like Skynet. :-)

Thanks for the info, I'm going to have to do some more work to make sure this thing isn't able to hop on over from any of our VPN-connected clients.

[NJ_gent]

"If it's not filtered at all..."

Not quite that bad off. Our main network here is walled off from the tunnels. My main concern is clients infecting one another. I'm going to have to take another look at what's in place to prevent that (as opposed to playing on here more today) before I go home. Luckily, none of our VPN-connected clients have a large sales force that brings laptops in and out of their respective networks. The fact that I'm paranoid makes me not so worried about that happening (paranoia makes for good preparation), but it does make me re-check everything every time a new threat emerges.

[general_re]

...they apparently have Ciscoworks set to alert them of any internal 445 activity...

Are you blocking 445 internally as well as externally?

[sigSEGV]

Not if they want anything Windows networking related to work.