Re: Will the Sasser worm become the next Blaster?
From: Gadi Evron (ge_at_linuxbox.org)
Date: Sat, 01 May 2004 23:40:49 +0200
To: kers0r <firstname.lastname@example.org>
> The LSASS Sasser worm is spreading through the documented MS04-011 (LSASS) vulnerability. Presently this worm has not gotten to plague proportions but statistically it may well.
> Apart from the Sasser worm problem, there also remains the problem of human hackers exploiting this hole. Warez ftp hackers have already started using an exploit targeting unpatched systems creating "pubstro" warez dumps. The DCOM vulnerability saw numerous script kiddie tools created that allowed trojan hackers to upload and run trojan servers, will we see another wave of tools being created?
As to the FTP component of Sasser and how to scan for it, see below.
We encounter new worms and new exploits on practically a daily basis.
Kiddies port-scan for open Trojan ports and vulnerable systems so much
that you can't even keep track and your logs grow out of proportion.
It was clear that a worm would use this exploit soon, and I am one of
those who support the "historical view" of how long it takes for a worm
to be created after a serious vulnerability is found and a POC becomes
public. However, I do not really find the need for speculation.
The vulnerability has been out for a while now, and it was patched.
Firewall companies with application filtering capabilities, Application
Firewalls, etc. have all added filtering for it, as have all the network
vulnerability scanners (detection rules).
Would that stop any network worm from becoming "huge"? No. Would that
worm become huge? Maybe. Would it help slow down a worm? Definitely.
This is not a 0-day. It won't be another Code Red. Would it be big? It
already is, but how many big worms do we see in a month?
What I suggest is doing what one can. Patching, updating AV solutions,
running snort rules (Martin Overton's snort rules for Sasser.A and
Sasser.B can be found at: http://arachnid.homeip.net/cgi-bin/blah/Blah.pl).
Being prepared is always a good idea, but the media frenzy will be huge
as it is; why add to it?
About your concerns with warez FTP bases, etc.: well... the
vulnerability, POCs and tools have been out for a while. Kiddies always
find new homes and break into systems; I don't really see how one
vulnerability would make a difference, and it hasn't thus far.
As to the worm, it IS very interesting, and might be a serious threat
for a while. How big exactly we will only know Monday morning, EU time, imo.
You can find a really good analysis of the worm by Joe Stewart at LURHQ:
On a half-related note on scanning for Sasser, as kiddies will soon
start scanning anyway, might as well help admins out -
I was told on the TH-Research (the Trojan Horses Research mailing list -
http://ecompute.org/th-list) online war room that if you simply port
scan for Sasser you get many false positives, as that port (5554) is
also used by Oracle. If you get "200 OK" as a reply though in the first
packet, it's Sasser.
--
Email: email@example.com. Backup: firstname.lastname@example.org.
Phone: +972-50-428610 (Cell).
PGP key for attachments: http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104 C0D0 A7B3 1CF7 D921 6A06
GPG key for encrypted email: http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA 569A A87E 8DB7 06C7 D450
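The scanning tip in the mail above (a plain port scan of TCP 5554 gives false positives; a first reply beginning "200 OK" is the Sasser FTP component) is easy to turn into a banner-grabbing check. The script below is an added example, not part of Gadi Evron's mail or of any tool he names: it connects, reads only the server's first packet, and classifies it by the rule the mail states. It assumes nothing beyond that rule (port 5554, "200 OK" first packet); the three local listeners it spins up for the offline demo, and the banners they send, are constructed stand-ins, not captured Sasser or Oracle traffic.

```python
import socket
import threading
from typing import Optional

SASSER_FTP_PORT = 5554            # port named in the mail
SASSER_BANNER_PREFIX = b"200 OK"  # first-packet reply the mail attributes to Sasser


def classify_banner(first_packet: bytes) -> str:
    """Classify the first bytes a listener sent, using the mail's rule.

    "sasser-ftp"  first reply begins with "200 OK"
    "other"       any other banner (e.g. a normal FTP "220 ..." greeting or an
                  unrelated service that happens to squat the port)
    "silent"      the port was open but nothing came back (all a plain port
                  scan can see, hence the false positives the mail mentions)
    """
    if not first_packet:
        return "silent"
    if first_packet.lstrip().startswith(SASSER_BANNER_PREFIX):
        return "sasser-ftp"
    return "other"


def grab_first_packet(host: str, port: int = SASSER_FTP_PORT,
                      timeout: float = 3.0) -> Optional[bytes]:
    """Connect, read only the server's first packet, disconnect.

    None  -> connection refused / unreachable (port closed)
    b""   -> open, but closed or stayed quiet before sending anything
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(1024)
            except socket.timeout:
                return b""
    except OSError:
        return None


def scan_host(host: str, port: int = SASSER_FTP_PORT, timeout: float = 3.0) -> str:
    """Verdict for one host: "closed", "silent", "other" or "sasser-ftp"."""
    pkt = grab_first_packet(host, port, timeout)
    if pkt is None:
        return "closed"
    return classify_banner(pkt)


# --- offline demo: constructed loopback listeners standing in for the cases ---

def _serve_banner(banner: bytes) -> int:
    """One-shot listener on 127.0.0.1: accept once, send `banner`, close.
    Returns the ephemeral port it was bound to. Constructed for the demo."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run() -> None:
        conn, _ = srv.accept()
        with conn:
            if banner:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def demo() -> dict:
    """Scan three constructed local listeners; returns {label: verdict}."""
    cases = {
        "sasser-like": b"200 OK\r\n",          # constructed; matches the mail's rule
        "real-ftp":    b"220 ftpd ready\r\n",  # constructed ordinary FTP greeting
        "silent":      b"",                    # constructed: open, closes without a banner
    }
    results = {}
    for label, banner in cases.items():
        port = _serve_banner(banner)
        results[label] = scan_host("127.0.0.1", port, timeout=2.0)
    return results


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for h in sys.argv[1:]:          # real use: python sasser_check.py host1 host2 ...
            print(h, scan_host(h))
    else:
        print(demo())                   # offline demo against the constructed listeners
```

Run with no arguments to see the three verdicts against the constructed listeners, or with a list of hosts to check TCP 5554 on each. Only the first packet is read, so an ordinary FTP daemon's "220" greeting, an open-but-quiet port and a "200 OK" reply come back as three distinct verdicts instead of one "open" hit.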