Re: Will the Sasser worm become the next Blaster?

From: Gadi Evron (ge_at_linuxbox.org)
Date: 05/01/04

  • Next message: Matt Zimmerman: "[SECURITY] [DSA 500-1] New flim packages fix insecure temporary file creation"
    Date: Sat, 01 May 2004 23:40:49 +0200
    To: kers0r <root@asylum-nz.com>
    
    

    kers0r wrote:
    >
    > The LSASS Sasser worm is spreading through the documented MS04-011 (LSASS) vulnerability. Presently this worm has not gotten to plague proportions but statistically it may well.
    >
    > Apart from the Sasser worm problem, there also remains the problem of human hackers exploiting this hole. Warez ftp hackers have already started using an exploit targeting unpatched systems creating "pubstro" warez dumps. The DCOM vulnerability saw numerous script kiddie tools created that allowed trojan hackers to upload and run trojan servers, will we see another wave of tools being created?

    As to the FTP component of Sasser and how to scan for it, see below.

    We encounter new worms and new exploits on practically a daily basis.
    Kiddies port-scan for open Trojan ports and vulnerable systems so much
    that you can't even keep track and your logs grow out of proportion.

    It was clear that a worm would use this exploit soon, and I am one of
    those who support the "historical view" of how long it takes for a worm
    to be created after a serious vulnerability is found and a POC becomes
    public. However, I do not really find the need for speculation.

    The vulnerability has been out for a while now, and it was patched.
    Firewall companies with application filtering capabilities, Application
    Firewalls, etc. have all added filtering for it, as have all the network
    vulnerability scanners (detection rules).

    Would that stop any network worm from becoming "huge"? No. Would that
    worm become huge? Maybe. Would it help slow down a worm? Definitely.
    This is not a 0-day. It won't be another Code Red. Would it be big? It
    already is, but how many big worms do we see in a month?

    What I suggest is doing what one can. Patching, updating AV solutions,
    running snort rules (Martin Overton's snort rules for Sasser.A and
    Sasser.B can be found at: http://arachnid.homeip.net/cgi-bin/blah/Blah.pl).

    Being prepared is always a good idea, but the media frenzy will be huge
    as it is, why add to it?

    About your concerns with warez FTP bases, etc.: well... the
    vulnerability, POCs and tools have been out for a while. Kiddies always
    find new homes and break into systems; I don't really see how one
    vulnerability would make a difference, and it hasn't thus far.

    As to the worm, it IS very interesting, and might be a serious threat
    for a while. How big exactly we will only know Monday morning, EU time, imo.

    You can find a really good analysis of the worm by Joe Stewart at LURHQ:
    http://www.lurhq.com/sasser.html

    On a half-related note on scanning for Sasser, as kiddies will soon
    start scanning anyway, might as well help admins out -
    I was told on the TH-Research (the Trojan Horses Research mailing list -
    http://ecompute.org/th-list) online war room that if you simply port
    scan for Sasser you get many false positives, as that port (5554) is
    also used by Oracle. If you get "200 OK" as a reply though in the first
    packet, it's Sasser.

            Gadi Evron.

    -- 
    Email: ge@linuxbox.org. Backup: ge@warp.mx.dk.
    Phone: +972-50-428610 (Cell).
    PGP key for attachments: http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
    ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104  C0D0 A7B3 1CF7 D921 6A06
    GPG key for encrypted email: 
    http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
    ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA  569A A87E 8DB7 06C7 D450
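The banner check described at the end of the message above, written out as an added example for admins sweeping their own hosts; this is not code from the post, from Gadi Evron, or from the TH-Research list. The only facts taken from the post are the port (5554) and the heuristic that a first packet starting with "200 OK" indicates the Sasser FTP component rather than another service sharing the port. The function names, the sample banners, and the local listener used to exercise the probe offline are all constructed for this example.

```python
import socket
import threading
from typing import Iterable, Dict

SASSER_FTP_PORT = 5554       # port named in the post
SASSER_BANNER = b"200 OK"    # first-packet reply the post attributes to Sasser's FTP component


def classify_banner(first_packet: bytes) -> str:
    """Classify a host from the first bytes it sends after we connect.

    Returns "sasser-ftp" when the first packet starts with "200 OK" (the post's
    heuristic), "other-service" for any other banner (e.g. a legitimate service
    on the same port), and "no-banner" when the peer sends nothing.
    """
    if not first_packet:
        return "no-banner"
    if first_packet.lstrip().startswith(SASSER_BANNER):
        return "sasser-ftp"
    return "other-service"


def probe_host(host: str, port: int = SASSER_FTP_PORT, timeout: float = 3.0) -> str:
    """Connect to host:port, read only the first packet, and classify it.

    Returns "unreachable" when the port is closed/filtered, otherwise one of
    the classify_banner() results. Nothing is sent to the peer: the post's
    check depends solely on what the listener volunteers first.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                first_packet = sock.recv(256)
            except socket.timeout:
                return "no-banner"
            return classify_banner(first_packet)
    except OSError:  # connection refused, host unreachable, connect timeout
        return "unreachable"


def sweep(hosts: Iterable[str], port: int = SASSER_FTP_PORT) -> Dict[str, str]:
    """Probe each host once and return {host: classification}."""
    return {host: probe_host(host, port) for host in hosts}


def demo_local_listener(banner: bytes) -> str:
    """Run the probe against a constructed local listener that greets with `banner`.

    This exists only so the example can be exercised offline; the listener is
    not an emulation of the worm, it just sends the given bytes and closes.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port, loopback only
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once() -> None:
        conn, _ = srv.accept()
        with conn:
            if banner:
                conn.sendall(banner)
        srv.close()

    thread = threading.Thread(target=serve_once, daemon=True)
    thread.start()
    result = probe_host("127.0.0.1", port, timeout=2.0)
    thread.join(2.0)
    return result


if __name__ == "__main__":
    # Constructed banners: the first mimics the post's "200 OK" indicator,
    # the second is an ordinary FTP-style greeting that would otherwise be
    # a port-scan false positive.
    for sample in (b"200 OK\r\n", b"220 Service ready\r\n", b""):
        print(repr(sample), "->", demo_local_listener(sample))
```

The classification deliberately reads only the first packet and sends nothing, so it can be run across an internal range without touching whatever legitimate service shares port 5554. Treat a "sasser-ftp" result as an indicator to confirm with AV or the LURHQ analysis, not as proof: the heuristic is the post's rule of thumb, and a service that happens to greet with "200 OK" will match it.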
    
