Sasser worm exposes patching failures

Organizations that evaded last week's Sasser worm infestation credited vigilant patching processes and preventative measures such as installing server-based behavior-blocking software and worm filtering gateways.

Anti-virus software, on the other hand, was of limited use in stopping the four known variants of Sasser because the worm could re-infect machines even with the most up-to-date virus signatures, says Vincent Gullotto, vice president at Network Associates' Avert Labs. "If you don't have the [Windows] patch in place, this can happen," he says.

According to Mikko Hypponen, head of anti-virus research at F-Secure in Helsinki, Finland, the Sasser worm variants don't delete files or leave Trojans. This makes it a fairly benign worm and a lot like the Blaster worm of last August. Like Blaster, damage stems from Sasser's intense network scanning, which can paralyze networks.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Organizations that evaded last week's Sasser worm infestation credited vigilant patching processes and preventative measures such as installing server-based behavior-blocking software and worm filtering gateways.

Anti-virus software, on the other hand, was of limited use in stopping the four known variants of Sasser because the worm could re-infect machines even with the most up-to-date virus signatures, says Vincent Gullotto, vice president at Network Associates' Avert Labs. "If you don't have the [Windows] patch in place, this can happen," he says.

According to Mikko Hypponen, head of anti-virus research at F-Secure in Helsinki, Finland, the Sasser worm variants don't delete files or leave Trojans. This makes it a fairly benign worm and a lot like the Blaster worm of last August. Like Blaster, damage stems from Sasser's intense network scanning, which can paralyze networks.

Among those experiencing Sasser's sting last week were American Express, Goldman Sachs, Air Canada, British Airways, Germany's Deutsche Post, the European Commission and several schools, including the University of California, Irvine and University of Massachusetts at Amherst.

"It affected some of our support systems and caused a degree of disruption internally," says Lucas Banpraag, a Goldman Sachs spokesman. "It delayed processing of some orders."

The Sasser worm infested the financial firm's network a week after hitting its offices in Asia. Goldman Sachs is reviewing how it prioritizes patch management and wants better guidance from Microsoft, the spokesman says.

Microsoft had made the patch available more than two weeks ago for the so-called Local Security Authority Subsystem Service (LSASS) vulnerability that Sasser exploits, giving it a critical rating.

But the sheer size of some organizations makes it hard for them to patch all systems, says Alfred Huger, senior director of engineering for security response at Symantec.

Wolters Kluwer, an 18,500-employee firm in Amsterdam that provides legal information services, got hit with Sasser.

"It was only half a dozen PCs out of hundreds," says Mike Antico, CTO for the firm's North American divisions. "How did these people escape being patched? We think it's because they bring in portable computers."

Click to see:

Many corporations test patches before applying them to machines, particularly critical servers, so the larger the organization, the harder it is to go through this process before a worm appears to take advantage of a newly identified hole.

Companies say they are turning to other defensive measures above and beyond simply patching. One of these is behavior-based software that blocks worms and other types of attacks by recognizing suspicious activity.

"Our Windows environment was patched within three days of the released [LSASS] patch, except for one server where a critical system needed to be regression-tested longer," says Eben Barry, manager of IT operations at Network Health, a Medicaid insurance provider in Cambridge, Mass. Luckily, this time the delay did not result in an infection.