'Sasser' Worm Tip of the PC Bug Invasion
Brian Krebs, Washington Post 2004-05-12

The Microsoft software tool designed to rid computers of the fast-spreading "Sasser" worm has been downloaded nearly 2 million times since it was made available earlier this month, the company said. But that tool may provide little or no protection against scores of other programs that quietly circulated online for weeks before Sasser garnered widespread attention.

Microsoft first warned users on April 13 about the Windows vulnerability targeted by Sasser -- three weeks before the worm emerged. But during that interim, hackers released an unknown number of sophisticated programs that could enter computers through the same vulnerability and remain undetected until activated later.

Only when the problems caused by the Sasser worm -- slowed computer performance, repeated rebooting of infected PCs, and degraded Internet connectivity as the worm consumed bandwidth trying to infect other machines -- came to light did millions of users download a Microsoft patch to fix the vulnerability, along with a software tool to remove the worm.

But getting rid of the worm does not mean that other malicious programs that targeted the same Windows flaw were removed as well.

Security experts say many computers infected by the Sasser worm were also hit by a prolific family of programs known variously as "Agobot," "Gaobot" and "Phatbot." They are difficult to detect because some of them shut down or disable antivirus and firewall software running on targeted computers.

"With all the focus on Sasser, many users have this mentality that they're safe if they run the clean-up tools that Microsoft and others have made available for this worm," said Johannes Ullrich, chief technology officer for the SANS Internet Storm Center, which monitors online attack trends. "The problem, of course, is that they're not also scanning for all the other malicious things that are probably on their machine as well."

The various "bot" programs thought to have been released in the days or weeks after the April 13 Microsoft notice are more dangerous than the Sasser worm because hackers can use them to remotely commandeer computers for the purpose of sending spam or stealing sensitive data that people keep in their PCs, such as credit card and Social Security numbers.

The programs can link infected systems into larger networks whose processing power can be used to send large amounts of spam e-mail messages or to attack Web sites with blasts of data in an attempt to throw them offline. The programs also search for stored passwords and other sensitive personal data on infected computers and try to disable antivirus software.

Cybersecurity experts said that it is difficult to track bot infections because most people hit with them do not use firewalls or antivirus software, which can report infection rates to security companies. In addition, new bot variants are released daily, often striking thousands of computers before antivirus companies identify the latest versions.

Alfred Huger, senior director of engineering at Symantec Security Response, said that one bot network included 400,000 PCs. McAfee Security, a unit of Santa Clara, Calif.-based Network Associates, estimated that more than 900 Agobot variants exist, most of them surfacing during the last six months.

Ken Dunham, malicious code manager for Reston, Va.-based iDefense, said Phatbot and Agobot can be some of the toughest bugs to detect and remove from PCs.

"Phatbot and Agobot silently creep along the Internet at a constant and aggressive rate, but tend not to get much attention from the antivirus companies," Dunham said. "In reality, they are among the most prolific and dangerous threats out there."

New versions of Phatbot and Agobot infected hundreds of thousands of computers in March, according to experts at cybersecurity firms F-Secure and LURHQ. The attack prompted the Department of Homeland Security's cybersecurity division to alert the computer security community because of its ability to elude easy identification and removal.

At the University of North Texas in Denton, nearly every one of the 50 administrative computers infected with Sasser also harbored the latest version of Agobot, said Rich Anderson, the school's senior information security analyst.

Three days before the Sasser worm surfaced, the school quarantined about 400 computers that had been infected with the latest version of Agobot, Anderson said.

Mario Rajan, co-owner of Tek Helper, a computer repair company in Chevy Chase, Md., said that about 15 of the 20 Sasser-infected computers he serviced also contained Phatbot worms. "The thing is that the user doesn't realize they have tons of viruses on their computers until Sasser shuts them down."

Mikko Hypponen, director of antivirus research at F-Secure Corp. in Finland, said that it is sometimes easier to reinstall the entire operating system than to search for the dozens of bugs that might be hiding in the computer.

In general, security companies recommend that computer users frequently update their antivirus software, run firewall programs and download patches for security holes that software companies discover (see washingtonpost.com's guide to removing the Sasser worm and getting rid of "bot" programs for more information and links).

Copyright 2010, SecurityFocus