
RE: Will the Sasser worm become the next Blaster?



From lurhq.com...

Update: May 3, 2004 
The authors of the Netsky virus have claimed authorship of Sasser in
comments included in the code of Netsky.AC. They provide a snippet of source
code as proof. LURHQ has also independently compared the binary code of both
Sasser and Netsky and found other evidence supporting a common source code
base in the two programs. Therefore the claim of "Team Skynet" appears to be
credible. 

Like Netsky, new variants of Sasser are being released quickly. As of this
writing, four variants have been uncovered: 

Variant  Size (bytes)  MD5                               Executable     Compile Date
A        15,872        a73c16ccd0b9c4f20bc7842edd90fc20  avserve.exe    Fri Apr 30 19:23:16 2004
B        15,872        1a2c0e6130850f8fd9b9b5309413cd00  avserve2.exe   Sat May  1 07:39:48 2004
C        15,872        831f4ee0a7d2d1113c80033f8d6ac372  avserve2.exe   Sat May  1 14:07:32 2004
D        16,384        03f912899b3d90f9915d72fc9abb91be  skynetave.exe  Sun May  2 10:53:43 2004

Differences between variants A and B were changes to the code to implement a
pseudo-forking mechanism when exploiting hosts. Variant C changed the number
of scanning threads to 1024 instead of 128. Variant D changed the number of
scanning threads back to 128 and implemented an ICMPSendEcho API call prior
to connecting to a host via TCP in order to speed up scanning (much in the
same way the Welchia worm does). Due to a bug, the D variant does not appear
to run on Windows 2000, so an E variant may be forthcoming shortly. 


-----Original Message-----
From: kers0r [mailto:root@xxxxxxxxxxxxx] 
Sent: Saturday, May 01, 2004 8:30 PM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Will the Sasser worm become the next Blaster?
The LSASS Sasser worm is spreading through the documented MS04-011 (LSASS)
vulnerability. Presently this worm has not gotten to plague proportions but
statistically it may well. 
Apart from the Sasser worm problem, there also remains the problem of human
hackers exploiting this hole. Warez FTP hackers have already started using
an exploit targeting unpatched systems, creating "pubstro" warez dumps. The
DCOM vulnerability saw numerous script kiddie tools created that allowed
trojan hackers to upload and run trojan servers; will we see another wave of
tools being created? 
-----------------------------------

Jonathan Read (aka kers0r)

http://www.anti-trojan.org
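The LURHQ table above identifies each Sasser variant by three things an analyst can take from a captured file: its size, its MD5 and the compile timestamp in the PE header. The script below, added here as an example and not LURHQ's tooling or the poster's code, does that same fingerprinting and matches a sample against the four published entries; a PE whose hash is unknown but whose compile time is later than variant D's is flagged as a candidate for the "E variant" the update anticipates. Two assumptions that the page does not state: the table's compile dates are treated as UTC, and they are read from the COFF TimeDateStamp field. The sample bytes fed to it are constructed stand-ins (a bare MZ/PE header with a chosen timestamp), not real worm binaries.

```python
"""Triage helper for the Sasser variant table quoted above.

Added example, not LURHQ's tooling or the poster's own code. It fingerprints a
sample the way the table does (size, MD5, PE compile timestamp) and matches it
against the four published variants. Assumptions not stated on the page: the
table's compile dates are UTC, and they come from the COFF TimeDateStamp field.
"""
import hashlib
import struct
from datetime import datetime, timezone

# The variant table as quoted on the page: MD5 -> (variant, size, file name, compile date).
KNOWN_VARIANTS = {
    "a73c16ccd0b9c4f20bc7842edd90fc20": ("A", 15872, "avserve.exe",   "Fri Apr 30 19:23:16 2004"),
    "1a2c0e6130850f8fd9b9b5309413cd00": ("B", 15872, "avserve2.exe",  "Sat May  1 07:39:48 2004"),
    "831f4ee0a7d2d1113c80033f8d6ac372": ("C", 15872, "avserve2.exe",  "Sat May  1 14:07:32 2004"),
    "03f912899b3d90f9915d72fc9abb91be": ("D", 16384, "skynetave.exe", "Sun May  2 10:53:43 2004"),
}

def table_epoch(date_str: str) -> int:
    """Parse a compile date in the table's format, treating it as UTC (assumption)."""
    dt = datetime.strptime(date_str, "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())

def format_utc(ts: int) -> str:
    """Render an epoch timestamp in the same form the table uses (day padded to width 2)."""
    dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    return f"{dt:%a %b} {dt.day:2d} {dt:%H:%M:%S %Y}"

def pe_timestamp(data: bytes):
    """Return the COFF TimeDateStamp of a PE image, or None if the bytes are not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # After the 4-byte "PE\0\0" signature: Machine (2), NumberOfSections (2), TimeDateStamp (4), ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]

def fingerprint(data: bytes) -> dict:
    """Size, MD5 and compile time of a sample, plus the variant letter if the hash is in the table."""
    md5 = hashlib.md5(data).hexdigest()
    ts = pe_timestamp(data)
    known = KNOWN_VARIANTS.get(md5)
    return {
        "size": len(data),
        "md5": md5,
        "compile_timestamp": ts,
        "compiled_utc": format_utc(ts) if ts is not None else None,
        "variant": known[0] if known else None,
    }

def triage(data: bytes) -> str:
    """One-line verdict: known variant, unknown-but-newer PE (a candidate E), or not a PE."""
    fp = fingerprint(data)
    if fp["variant"]:
        return f"known Sasser.{fp['variant']} (md5 {fp['md5']}, {fp['size']} bytes)"
    if fp["compile_timestamp"] is None:
        return "not a PE image"
    newest_letter, newest_ts = max(((v[0], table_epoch(v[3])) for v in KNOWN_VARIANTS.values()),
                                   key=lambda p: p[1])
    if fp["compile_timestamp"] > newest_ts:
        return (f"unknown PE compiled after variant {newest_letter} ({fp['compiled_utc']}): "
                f"candidate new variant, md5 {fp['md5']}")
    return f"unknown PE compiled {fp['compiled_utc']}: md5 {fp['md5']} not in the variant table"

def make_fake_pe(timestamp: int, size: int) -> bytes:
    """Constructed stand-in for a sample: a minimal MZ/PE header carrying the given
    COFF TimeDateStamp, zero-padded to `size` bytes. Not a real or runnable executable."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)                # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew: PE signature right after it
    coff = struct.pack("<HHIIIHH", 0x014C, 3, timestamp, 0, 0, 0xE0, 0x010F)  # i386, 3 sections
    return (bytes(dos) + b"PE\0\0" + coff).ljust(size, b"\0")

if __name__ == "__main__":
    # Constructed inputs: a stand-in with variant A's compile time, one compiled after D, and junk.
    for sample in (make_fake_pe(table_epoch("Fri Apr 30 19:23:16 2004"), 15872),
                   make_fake_pe(table_epoch("Sun May  2 10:53:43 2004") + 3600, 16384),
                   b"MZ this is not a PE image"):
        print(triage(sample))
```

Two caveats worth keeping in mind when using a table like this: the MD5 match is exact-match only, so a repacked or patched copy (variants B and C already have identical sizes and differ only by hash) will fall through to the timestamp check, and the compile timestamp is a field the author controls and can forge, so it is a hint for ordering variants, not evidence on its own.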