Sasser epilog

By Ellen Messmer, NetworkWorld.com, 05/10/04

It was the Sasser worm, of course, that made headlines last week, crashing PCs and flooding networks round the world. Anti-virus experts were comparing it to the Blaster worm of last August. But by the time Sasser had appeared to peak-it will be floating about for years to come-some were estimating it had probably only struck half the victim machines that Blaster had.

In an admittedly a rough estimate, Vincent Gullotto, Network Associates' vice president of AVERT Labs, was willing to venture Sasser had hit about 200,000 XP and Windows 2000 machines, a number he said was probably conservative. Alfred Huger, senior director of engineering at security response at Symantec, said Symantec's DeepSight global monitoring system of intrusion-detections systems and other equipment, which faces onto the Internet, had seen evidence of 140,000 infections.

Sasser ended up severely disrupting operations at many businesses and government agencies, including transportation services, such as the rail system in Australia, in a replay of sorts of the effect Blaster had on the CSX rail system on the eastern seaboard of the U.S. last year.

Sasser was successful for no other reason than that all these organizations couldn't apply a software patch to XP and Windows 2000 computers in time, even though the security industry spoke with one voice in predicting a worm like Sasser would follow Microsoft's announcements in mid-April on security vulnerabilities and new patches.

Despite the widespread disruptions caused, the world got off easy with the Sasser worm. It didn't damage files or leave dangerous back doors, as it certainly could have done after completely compromising hundreds of thousands of machines. One wonders why the authors of Sasser were so kind as to not destroy everything in the worm's path.

Mikko Hypponen, head of anti-virus research at Helsinki-based F-Secure, last week said there was evidence left in the Sasser code itself that it is the work of the same virus writers that created the Netsky virus. He said this group, suspected to be in Russia, has more of a reputation as "hobbyists" than as a "professional virus group" intent on inflicting permanent and irreparable damage, or extorting blackmail, among other serious crimes.

Hypponen adds that the Netsky group has previously released worms intended to remove infections left by viruses created by the more "criminal" authors of the MyDoom and Bagel worms of recent memory. An odd obsession, if so, and perhaps one day the Netskyists will explain it all to us.

A fine distinction, too, between "hobbyist" and "criminal" virus writers, but perhaps not one that will matter much as Microsoft works with law enforcement.

Last Saturday, German police in Hanover, Germany said they had arrested an 18-year-old youth, who lives at home with his parents in Waffensen, as the creator of the Sasser worm. The youth, who name has not been made public, has reportedly confessed to creating Sasser. Police are keeping him in custody but have confiscated his computers. He faces a maximum sentence of five years on the charge of computer sabotage, if convicted.

It's not yet known if the arrested German youth is connected with the Netsky group or not. German police said the arrest was made with help from Microsoft, which after receiving anonymous tip-offs about the worm's creator, then contacted the Federal Bureau of Investigation.

Back to Security Notes

Comments

Post a comment

Name:


E-mail address:


URL:


Comments:


Remember info?