Tag Archives: Blaster

The Sasser Worm

Four years after LoveLetter, there’s a new worm out, and it looks bad.

Panda Software says Sasser “has positioned itself as one of the quickest-spreading and virulent ones”. Already two variants of the worm are out, according to F-Secure.

Panda says the worm uses a trick that “means practically all Microsoft systems will be affected, making millions of computers exposed to infection by this worm virus”. This is because the worm — or its variants, it’s not quite clear to me which — uses the same port that Windows uses to share folders and printers over a network, a port that a corporate firewall normally blocks from the outside but that a remote user connecting from elsewhere may have wide open. So, “large companies which have remote users that go on line via virtual networks or which work with laptops without corporate firewall protection may go online on Monday and find themselves affected by the virus even though they have the patch installed and the antivirus upgraded”, Panda warns.

Sasser exploits a vulnerability that is about 26 days old. It spreads and executes without any action by the user. Panda sees the worm moving faster than Blaster: Blaster affected 2.5% of computers in the first few hours of its attack, while Sasser.B is nearing 3% in just 24 hours.

If infected, the computer will restart every time the user tries to go online, its registry will be changed, and a file, avserve.exe, will be placed in the Windows folder; in some cases a Windows dialog will warn of problems with LSA Shell or errors in lsass.exe. It doesn’t seem to actually do any damage to computers, or to prep itself to download something worse. But who knows?

Solution? Install Microsoft updates as soon as possible and upgrade your antivirus protection. If you think you’re infected, use the Microsoft scanning tool to check. Then again, as F-Secure points out helpfully, if you are infected you might not make it to that page before your machine reboots again. In that case, use F-Secure’s free F-Sasser tool to clean the worm from your machine, and then install the Windows patches, or you will simply be reinfected.

Not everyone is worried about it: F-Secure believes many larger companies have already installed the updates necessary to be protected, and says the situation is still “relatively calm”. That said, eWeek has pointed out that an early version of the Microsoft patch for this vulnerability itself caused some Windows 2000 systems to lock up. Oh, and the Microsoft website about Sasser misspells ‘Bulletin’, making me wonder for a second whether it wasn’t itself a phishing site. Tsk, tsk.

News: Wanted, Dead Or Alive: Virus Writers

Microsoft is a mite upset, and is offering a $500,000 reward for information leading to the arrest of the virus writers responsible for the Blaster and Sobig worms. (In August, if you recall, the Blaster-A worm infected many unprotected home and business computers, attempted to launch a denial of service attack against a critical Microsoft security update website, and, most importantly, mocked Microsoft chairman Bill Gates. The worm exploited a critical security hole in versions of Microsoft Windows. Just days later the Sobig-F worm, which spread on the Windows platform, bombarded email users around the world, clogging up email servers.)

Sophos, the anti-virus people, had this to say: “It’s no surprise to hear that they are fed up with this situation and prepared to offer a reward for the capture of these virus writers,” said Graham Cluley, senior technology consultant for Sophos. “There must be people out there in the computer underground who know who is responsible for the creation of these malicious worms. Offering a total of $500,000 will be a great temptation for someone to break their silence – and do all legitimate users of the Internet a favour.”

Update: Another Blaster Suspect Arrested

Another Blaster suspect has been arrested. Prosecutors refused to release any information about the suspect, not even the youth’s gender or home state, AP reported. The variant the juvenile allegedly created was known as “RPCSDBOT.”

No one yet knows who created the main version. Collectively, the different versions of the virus-like worm, alternately called “LovSan” or “Blaster,” hit more than a million computers. It’s interesting that the two detainees both appear to be Americans. But it doesn’t mean the author of the original was, nor does it mean their motives were the same.

News: Two Young Fellas Nabbed For The TK Worm

Two young Brits have been charged in connection with the TK Worm (also known as Troj/TKBot-A), which appeared last year and caused an estimated £5.5 million worth of damage. Jordan Bradley, 20, of Bates Avenue, Darlington, and Andrew Harvey, 22, of Scardale Way, Durham, are believed by the National High Tech Crime Unit (NHTCU) to be members of a hacking group known as the “Thr34t-Krew”, which launched the Trojan horse designed to break into internet-connected computers.

It’s something of a roll for law enforcement folks. Recently, two other young men were named in connection with variants of the Blaster internet worm. Jeffrey Lee Parson was arrested by the FBI in late August, and a Romanian man is believed to be assisting police with their enquiries. Meanwhile Simon Vallor, who served nine months in prison for creating three viruses, was released yesterday.

Update: Blaster Kid

The high school senior Jeffrey Lee Parson, arrested Friday for allegedly launching a worldwide computer virus, is a loner who drives too fast, AP quotes neighbours as saying. Court papers said FBI and Secret Service agents searched Parson’s Hopkins home on Aug. 19 and seized seven computers, which are still being analyzed.

In an interview with FBI Special Agent Eric Smithmier, Parson admitted modifying the original “Blaster” infection and creating a version known by a variety of different names, including “Blaster.B,” court papers said.

Update: Blaster B Suspect Is About To Be Arrested

There must be at least one frightened teenager out there today. AP reports that U.S. investigators have identified a teenager as the author of one version of the Blaster worm and plan to arrest him early Friday (U.S. time). A witness reportedly saw the teen testing the infection and called authorities, an official said. The worm and its variants have infected more than 500,000 computers worldwide.

The “Blaster.B” version of the infection, which began spreading Aug. 13, was remarkably similar to the original Blaster worm that first struck two days earlier; experts said the author made few changes, renaming the infecting file from “msblast” to an anatomical reference. Can’t help feeling sorry for the kid. He is going down.

News: Worms and Blackouts

Conspiracy theorists reckon the big power blackout in the U.S. Northeast and part of Canada may have been caused by the Blaster worm. Here’s Robert X. Cringely from InfoWorld: “Many plants on the grid run a Windows-based SCADA (Supervisory Control and Data Acquisition) system that receives remote commands through the same RPC (Remote Procedure Call) protocol exploited by MSBlaster. Among other things, SCADA systems control the amount of energy each plant produces.”

Update: Sobig’s 9/11

Here’s some more evidence that the Sobig worms may be part of something more sinister: Central Command, a provider of PC anti-virus software and services, says the latest incarnation, Sobig.F, “is estimated to have infected millions of systems worldwide and may draw on them to be part of a cyber army focusing a digital assault against major online services”.

Here’s how it may work. When particular conditions are met, Worm/Sobig.F will attempt to download additional components of the attacker’s choice. The pre-configured conditions include a test of whether the current day is a Friday or a Sunday and the time is between 19:00 (7PM) and 22:00 (10PM) UTC. When these conditions are met, the worm attempts to retrieve further instructions, which may include downloading and executing a backdoor program. A backdoor can give someone with malicious intent full control of the infected computer.

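To make the activation condition concrete, here is a small Python model of the trigger window described above. It is an added example, not code from the page or from any of the anti-virus vendors quoted here, and it assumes only what the text states: the window is Fridays and Sundays, 19:00 to 22:00 UTC. The function and variable names are my own. Besides the yes/no check, it enumerates the upcoming windows, which is what a network administrator would want in order to know when to watch outbound traffic from suspect hosts, and it refuses naive (timezone-less) timestamps, because the classic mistake when analysing a UTC-defined trigger is to test it against local time.

```python
from datetime import datetime, timedelta, timezone

# Trigger window as described on the page: Fridays and Sundays, 19:00-22:00 UTC.
# datetime.weekday(): Monday = 0 ... Friday = 4, Sunday = 6
TRIGGER_WEEKDAYS = {4, 6}
WINDOW_START_HOUR = 19
WINDOW_END_HOUR = 22          # exclusive: 22:00:00 UTC is already outside the window


def _as_utc(ts):
    """Normalise an aware timestamp to UTC; reject naive ones outright.

    The worm's condition is defined in UTC. A naive datetime would silently be
    interpreted in whatever zone the analyst's machine runs in, which is the
    local-time mistake this check exists to prevent.
    """
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError("naive datetime: the trigger is defined in UTC, pass an aware timestamp")
    return ts.astimezone(timezone.utc)


def in_trigger_window(ts):
    """True if the worm's download condition would be met at instant ts."""
    u = _as_utc(ts)
    return u.weekday() in TRIGGER_WEEKDAYS and WINDOW_START_HOUR <= u.hour < WINDOW_END_HOUR


def next_trigger_window(after):
    """Return (start, end), both UTC, of the first window that ends after `after`.

    If `after` already lies inside a window, that window is returned.
    """
    u = _as_utc(after)
    day = u.replace(hour=0, minute=0, second=0, microsecond=0)
    for _ in range(8):            # a Friday or Sunday always occurs within 7 days
        start = day.replace(hour=WINDOW_START_HOUR)
        end = day.replace(hour=WINDOW_END_HOUR)
        if day.weekday() in TRIGGER_WEEKDAYS and end > u:
            return start, end
        day += timedelta(days=1)
    raise RuntimeError("unreachable: no trigger weekday found within 7 days")


def trigger_windows_until(after, deadline):
    """List every (start, end) window between `after` and `deadline` (UTC, exclusive)."""
    windows = []
    cursor = after
    while True:
        start, end = next_trigger_window(cursor)
        if start >= _as_utc(deadline):
            return windows
        windows.append((start, end))
        cursor = end


if __name__ == "__main__":
    # Constructed illustration: the Friday the page's sources were worried about,
    # seen from a machine on U.S. Eastern daylight time (UTC-4). The local clock
    # reads 15:30, which looks harmless until it is normalised to 19:30 UTC.
    eastern = timezone(timedelta(hours=-4))
    local = datetime(2003, 8, 22, 15, 30, tzinfo=eastern)
    print("in window (correct, via UTC):", in_trigger_window(local))

    # Windows between the worm's Aug. 22 activation and its Sept. 10 self-deactivation.
    utc = timezone.utc
    for start, end in trigger_windows_until(datetime(2003, 8, 21, tzinfo=utc),
                                            datetime(2003, 9, 10, tzinfo=utc)):
        print(start.strftime("%a %Y-%m-%d %H:%M"), "to", end.strftime("%H:%M UTC"))
```

The enumeration is the useful part: a firewall rule that watches for unexpected outbound connections from a suspect host only needs to be tight during six three-hour windows in the period before the September 10 deactivation the vendor mentions below, and the list tells you exactly when those fall in your own zone once you convert them.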
“The virus author(s) of Sobig have developed a predictable pattern of releasing new variants soon after the current version de-activates itself,” said Steven Sundermeier, VP Products and Services at Central Command, Inc. “If the past repeats itself we could be looking at a newly constructed creation shortly after September 10th. A potential risk is that the massive army created by Worm/Sobig.F could be used to launch an all out attack on large Internet infrastructures, for example, by means of a Distributed Denial of Service attack (DDoS).”
 
This may not happen, just as the LovSan worm’s planned attack on Microsoft didn’t. But to be safe, check that you haven’t got the Sobig worm aboard and, if you have, remove it.

Update: The Blaster non-Blast

Blaster turned out to be less of one, at least in terms of the Internet storm it was supposed to whip up. Still, I’ve heard of plenty of infections. IDG reports that the attack on Microsoft Corp.’s main software update Web site did not materialize on Saturday: although the W32.Blaster worm had infected half a million PCs, the infected computers failed to find their target.

It turns out the worm was hard-coded with the wrong domain name for its target. Microsoft merely delisted the windowsupdate.com domain name (the update site’s real address is different), and the worm, not knowing where to go, went nowhere. That doesn’t help those of you who are infected, but most of you seem to be cleaning yourselves up: the number of Blaster infections is down more than 80 percent since the worm’s peak on Monday, indicating that vulnerable computers are being cleaned and patched by their owners, IDG says.

Update: Blaster Graph

Network Associates says that over 1.2 million systems have been affected by the Lovsan/Blaster threat, also known as W32/Lovsan.worm, which continues to spread at a steady rate and is infecting over 30,000 systems per hour at peak times. A detailed graph of the worm’s progress can be found at http://www.hackerwatch.org/checkup/graph.asp.