<<< Date Index >>>     <<< Thread Index >>>

Re: Will the Sasser worm become the next Blaster?



kers0r wrote:

The LSASS Sasser worm is spreading through the documented MS04-011 (LSASS) vulnerability. Presently this worm has not gotten to plague proportions but statistically it may well. Apart from the Sasser worm problem, there also remains the problem of human hackers exploiting this hole. Warez ftp hackers have already started using an exploit targeting unpatched systems creating "pubstro" warez dumps. The DCOM vulnerability saw numerous script kiddie tools created that allowed trojan hackers to upload and run trojan servers, will we see another wave of tools being created?

As to the FTP component of Sasser and how to scan for it, see below.

We encounter new worms and new exploits on practically a daily bases. Kiddies port-scan for open Trojan ports and vulnerable systems so much that you can't even keep track and your logs grow out of proportion.

It was clear that a worm would use this exploit soon, and I am one of those who support the "historical view" of how long it takes for a worm to be created after a serious vulnerability is found and a POC becomes public. However, I do not really find the need for speculation.

The vulnerability has been out for a while now, and it was patched. Firewall companies with application filtering capabilities, Application Firewalls, etc. have all added filtering for it, as have all the network vulnerability scanners (detection rules).

Would that stop any network worm from becoming "huge"? No. Would that worm become huge? Maybe. Would it help slow down a worm? Definitely. This is not a 0-day. It won't be another Code Red. Would it be big? It already is, but how many big worms do we see in a month?

What I suggest is doing what one can. Patching, updating AV solutions, running snort rules (Martin Overton's snort rules for Sasser.A and Sasser.B can be found at: http://arachnid.homeip.net/cgi-bin/blah/Blah.pl).

Being prepared is always a good idea, but the media frenzy will be huge as it is, why add to it?

About your concerns with warez FTP bases, etc., Well... the vulnerability, POCs and tools have been out for a while. Kiddies always find new homes and break into systems, I don't really see how one vulnerability would make a difference, and it haven't thus far.

As to the worm, it IS very interesting, and might be a serious threat for a while. How big exactly we will only know Monday morning, EU time, imo.

You can find a really good analysis of the worm by Joe Stewart at LURHQ:
http://www.lurhq.com/sasser.html

On a half related note on scanning for Sasser, as kiddies will soon start scanning anyway, might as well help admins out - I was told on the TH-Research (the Trojan Horses Research mailing list - http://ecompute.org/th-list) online war room that if you simply port scan for Sasser you get many false positives, as that port (5554) is also used by Oracle. If you get "200 OK" as a reply though in the first packet, it's Sasser.

        Gadi Evron.

--
Email: ge@xxxxxxxxxxxxx Backup: ge@xxxxxxxxxxx
Phone: +972-50-428610 (Cell).

PGP key for attachments: http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104  C0D0 A7B3 1CF7 D921 6A06
GPG key for encrypted email: http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA  569A A87E 8DB7 06C7 D450