Alert: W32/Sasser spreading widely

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 05/01/04

  • Next message: Marc Maiffret: "EEYE: Apple QuickTime (QuickTime.qts) Heap Overflow"
    Date:         Sat, 1 May 2004 16:00:12 -0400
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    TruSecure Corporation believes there will be a significant number of
    systems (primarily home systems) infected with W32/Sasser come Monday
    morning. We have watched the rapid increase in infected systems
    throughout the day today and have no reason to believe this will cap
    itself any time soon.

    W32/Sasser is a worm which exploits the LSASS vulnerability patched by
    MS04-011. It uses Blaster infection vectors, attacking 445/tcp where, if
    successful, it drops adserver.exe, invokes it, and starts 128 threads to
    attack anew. It also establishes an FTP server on 5554/tcp, and a
    command shell on 9996/tcp. Anyone blocking Blaster network traffic will
    be secure, but since so many seem to focus only on patching as opposed
    to sensible security, anyone who hasn't applied MS04-011 and does not
    have effective filtering (including policy based prevention of unchecked
    laptops starting up on your network) may become infected.

    Check your AV vendor for updated definitions, but remember, AV products
    are not likely to prevent infection, merely to permit cleansing of
    infected systems.

    I'd appreciate hearing of any known infections and the conditions under
    which they occurred (roving laptop, partner network, VPN user, no
    perimeter defense).

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

    -----
    Earn up to 10 credit course hours toward the TruSecure ICSA Practitioner (TICSA) Credential and receive a TICSA exam coupon by attending the Infosecurity Canada 2004 conference. Featured speaker, Marcus J. Ranum, TruSecure inventor of the proxy firewall will present on June 3 at 11:30 AM. Visit <https://ticsa.trusecure.com> for certification details and <http://www.infosecuritycanada.com> for conference information. Become TICSA certified and see what happens!
    -----
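The alert gives two network indicators a responder can hunt for without waiting on AV signatures: a single source attempting 445/tcp against many distinct hosts (the 128 scanner threads), and connections to the 5554/tcp FTP server and 9996/tcp shell that an infected machine opens. The script below is an added example, not part of Russ's message or of any TruSecure tooling; it runs that logic over a constructed flow log. The log format (space-separated `src_ip src_port dst_ip dst_port proto`), the sample addresses and the fan-out threshold of 20 are assumptions for illustration.

```python
"""Flag hosts whose flows match the W32/Sasser pattern in the NTBugtraq alert:
445/tcp fan-out from one source, and peers of the 5554/tcp and 9996/tcp
listeners. Added example; log format and sample data are constructed."""
from collections import defaultdict

SMB_PORT = 445                  # 445/tcp: the LSASS exploit vector named in the alert
BACKDOOR_PORTS = {5554, 9996}   # FTP drop server and command shell the worm opens

# Constructed flow records, not real captures. Assumed export format:
# "src_ip src_port dst_ip dst_port proto", one flow per line.
SAMPLE_LOG = [
    # 10.0.0.5 sweeping 445/tcp across a /24: worm-like fan-out (30 targets)
    *[f"10.0.0.5 {1025 + i} 10.0.1.{i + 1} 445 tcp" for i in range(30)],
    # 10.0.0.8 talking to its usual file server: many flows, one target
    *[f"10.0.0.8 {2000 + i} 10.0.0.2 445 tcp" for i in range(50)],
    # a freshly hit victim pulling the dropper back from the attacker's 5554/tcp FTP
    "10.0.1.7 3101 10.0.0.5 5554 tcp",
    # the attacker driving the new victim's shell on 9996/tcp
    "10.0.0.5 3102 10.0.1.7 9996 tcp",
    # unrelated web traffic that must not be flagged
    "10.0.0.8 2100 203.0.113.10 80 tcp",
]


def parse_flow(line):
    """Split one assumed-format flow line into a dict with integer ports."""
    src, sport, dst, dport, proto = line.split()
    return {"src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto.lower()}


def smb_fanout(flows):
    """Count distinct 445/tcp destinations per source. A scanner produces
    many distinct targets; a workstation using a file server produces one."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == SMB_PORT:
            targets[f["src"]].add(f["dst"])
    return {src: len(t) for src, t in targets.items()}


def backdoor_hosts(flows):
    """Map each host that accepted a connection on 5554/tcp or 9996/tcp to the
    ports involved. The listening side is the suspected infected machine."""
    hits = defaultdict(set)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] in BACKDOOR_PORTS:
            hits[f["dst"]].add(f["dport"])
    return dict(hits)


def suspect_hosts(log_lines, fanout_threshold=20):
    """Return {host: [indicator, ...]} for hosts matching either indicator."""
    flows = [parse_flow(line) for line in log_lines]
    report = defaultdict(list)
    for src, n in smb_fanout(flows).items():
        if n >= fanout_threshold:
            report[src].append(f"445/tcp fan-out to {n} distinct hosts")
    for host, ports in backdoor_hosts(flows).items():
        listed = ", ".join(f"{p}/tcp" for p in sorted(ports))
        report[host].append(f"accepted connections on {listed}")
    return dict(report)


if __name__ == "__main__":
    for host, indicators in sorted(suspect_hosts(SAMPLE_LOG).items()):
        print(host)
        for ind in indicators:
            print("   ", ind)
```

Run against a real flow export, the threshold is the part to tune: file servers and domain controllers legitimately receive 445/tcp from many sources, but a workstation initiating 445/tcp to dozens of distinct hosts in a short window is the signature the alert describes. Flagging the 5554/9996 listener side rather than the client side matters because the FTP connection is made by the new victim toward the already-infected host.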
