Sasser impact questions

Discussion in 'Anti-Virus' started by Owen Marshall, May 3, 2004.

  1. So, I am a technical support grunt (hurrah!) working at the local ISP.
    And Sasser has hit. Oh crap.

We take several calls, and note one statistical anomaly -- we are
    getting an increased number of "Page Cannot be Displayed" errors on
    WinXP/2K machines. I am suspecting this is related. I didn't do any
    digging, because we didn't have much time. Is this a possibility?

    The next problem I noted was that the Internet Connection Firewall (XP)
    that allowed users to keep from being hit with Blaster, does nothing.

I noted few users reporting being rebooted immediately upon internet
    connections. This is directly opposite from what Blaster did, in my
    experience -- it rebooted almost instantly, this one... doesn't.

    Very strange. Can anyone help me be better prepared for the next couple
    of days and confirm my findings?

    Thanks from the trenches ;)

    Owen Marshall
    Bardstown Internet Grunt/Systems Administrator (Hey, we are small, we
    get to wear two hats :))
     
    Owen Marshall, May 3, 2004
    #1

  2. Ian Kenefick (Guest)

    Hi Owen,

http://www.microsoft.com/security/incident/sasser.asp adequately answers
    most questions on Sasser and the relatively easy recovery from it.

    Regards, Ian.
     
    Ian Kenefick, May 4, 2004
    #2

  3. Uzi (Guest)

I haven't received any reports confirming this, but a neighbour of
    mine contacted me early on Saturday; her computer had the relevant
    symptom of Sasser, and at that time most antivirus programs were
    still not updated (on US time it was still Friday). After cleaning
    the virus and installing the security updates, there was still a
    problem with some functions. It turned out that the temporary
    folder had more than 65,000 empty files - the maximum number of
    files in a folder. All of them were from that date. I didn't see
    any report of such a symptom, but once the temporary folder was
    emptied, the problems disappeared. Those problems came as a result
    (direct or indirect) of the virus.

    Uzi

    Uzi
    For e-mail contact and other, see:
    http://www.uzipaz.com
     
    Uzi, May 4, 2004
    #3
  4. On that special day, Owen Marshall, ()
    said...
    If this is caused by altered hosts files, this isn't specific to sasser.
Until now, I haven't heard of a Sasser variant that does this (there is
    now Sasser D, too, according to
    http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.d.html
    in the wild)

    Other worms do change the entries in the hosts files, mainly mail worms,
    and I suppose some homepage hijackers do it, too.
It should. But there are ISPs that offer access GUIs of their own kind
    (i.e. proprietary) which are designed to keep the XP firewall off, in
    order to avoid interference or conflicts. A major ISP in Germany
    (in fact the largest, the former state monopolist) offers a T-Online
    internet suite that installs and runs *without* the XP firewall. The
    only workaround is to set up your own internet connection with the
    access code in the user and password fields, and connect over pure
    TCP/IP without the TOL GUI, to enter the net with an activated firewall.

Checking Symantec's search feature with the word "localhost" results in a
    major collection of worms that do affect the hosts file. As the newest
    Gaobots/Agobots have jumped on the "lsass" bandwagon, they might be the
    cause of the combined lsass crashes and changed hosts files. Which
    means you are perhaps not only facing Sasser, but an even worse enemy,
    the RAT Agobot.

    http://www.symantec.com/avcenter/venc/data/w32.gaobot.afc.html
The lsass attack has become even more aggressive. The chance of being hit
    is higher if a worm sends up to 30 per second to find new victims, and
    the hits will come sooner. See Symantec's description of Sasser.D.
    Get a lot of pizzas and cola cans, and don your heat-absorbing
    underwear. You'll be staying in the office for several days.


    Gabriele Neukam

     
    Gabriele Neukam, May 4, 2004
    #4
  5. Owen Marshall? Did you write Harlequin Rex? That's one of my fave
    novels of all time... but I completely bounced off A Many Coated Man.

    Seeing that at a client's site today - XP, walled, patched, clean. I
    put it down to a DDoS effect, but at home my own Win98SE PC's fine.

Interesting you say that. I saw an XP client with three Lovesan (or
    was it Welchia?) variants active, and the built-in firewall still on
    as I'd set it when I built and delivered the PC early in 2003. They
    were newbs on DUN; I don't think they toggled the firewall.

    I think the infosphere load with the RPC attackers was heavier, for
    one thing, and the reasons for the rebooting may be different.

    The "front door" at MS is a good starting point - quite a change from
    what you might expect based on prior experience ;-)
    Running Windows-based av to kill active malware is like striking
    a match to see if what you are standing in is water or petrol.
     
    cquirke (MVP Win9x), May 4, 2004
    #5
  6. Darren (Guest)

    I can confirm (since I was hit) that there is a variant of Sasser
    floating around that is bundled with another known virus. I have not
    seen any mention of this online or elsewhere.

The executable I got was of a different size (>130 KB) than the Sassers
    I have cleaned off colleagues' computers (~15 KB). I had no 'avserve*'
    executables. Mine had the same registry behavior, but the name
    'wmiprvsi.exe'. I have found nothing in searches for this string; I
    think the variant is using a dynamic renaming program.

    The 'bundled' virus (I forget the name, McAfee's free stinger program
    took care of it) alters the 'hosts' file so that attempts to browse to
    symantec or use Norton liveupdate fail.

    I recommend using the McAfee stinger program EVEN AFTER a successful
    cleaning of Sasser.
     
    Darren, May 4, 2004
    #6
  7. Interesting - could it be an infected infector, e.g. something like a
    CIH, Magistr, Elkern etc. infection of a stand-alone malware .EXE?

    Shades of the bacteriophages, if so. Then again, fiddling with HOSTS
    sounds out of character for a low-level intrafile infector.


    The most accurate diagnostic instrument
    in medicine is the Retrospectoscope
     
    cquirke (MVP Win9x), May 5, 2004
    #7
  8. On that special day, Uzi, () said...
    Erm, Uzi, could you please change your line length to something readable
    like 72 characters per line, and remove the quoted-printable format from
    your posting? Thanks.

    As to the revamped Sasser: The heise news ticker claims that this is a
    phatbotized version of Sasser. Phatbot is said to be the next generation
    of trojan/worm, the heir of Agobot/Gaobot.

    http://www.lurhq.com/phatbot.html


"(translated from German) If Phatbot finds such a pest, it is
    normally deleted and the backdoor closed, so that no further viruses
    can infect the machine through it. Phatbot treats the Sasser worm
    differently: instead of removing the pest and replacing it with
    Phatbot, Phatbot modifies the active Sasser pest for its own
    purposes."

Normally, Phatbot takes advantage of backdoors opened by Mydoom or
    Bagle, closes them, removes the older worm, and installs itself on the
    hard disk. But Phatbot acts differently when meeting Sasser. Instead of
    removing the malware, it will be modified for Phatbot's own ends.

"(translated from German) On newly infecting a machine, Phatbot
    first searches the system for the Sasser worm. If it finds one,
    Phatbot modifies the Sasser process and logs all IP addresses to
    which the Sasser worm sends itself on. The Phatbot instance then
    simply follows these connections and installs itself on the newly
    infected machines."

When infecting, Phatbot first searches the system for Sasser. If there
    is one to be found, Phatbot modifies the worm and makes a log of
    all IP addresses to which Sasser has transferred itself. The Phatbot
    instance follows suit and installs itself on these machines.

"(translated from German) Such an infection can be recognised by the
    existence of the file "wormride.dll" in the Windows system
    directory. It is apparently responsible for supplying the hosts
    newly infected via Sasser's spread with Phatbot instances. Anyone
    who finds such a file on their machine can assume that they are
    infected with both Sasser and Phatbot."

Such an infection can be identified by the existence of the file
    "wormride.dll" in the Windows system directory. It is obviously there to
    "provide" the Sasser-infected hosts with Phatbot instances. If anybody
    finds such a file on his/her machine, it is probable that the computer
    is infected with Sasser *and* Phatbot.


I don't know if the incidents you mentioned are such cases, and heise
    doesn't offer an international, non-heise URL yet. I had to google up
    some links.

    http://www.incidents.org/diary.php?date=2004-04-27&isc=2ff140bf851a84ad5c48e1eda10b57f5
    is what comes closest to the claims of the heise newsticker.


    Gabriele Neukam

     
    Gabriele Neukam, May 5, 2004
    #8
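The hosts-file hijack described in posts #6 and #8 (vendor sites such as Symantec and LiveUpdate pinned to localhost so that updates and cleanup tools fail) is easy to triage before trusting an antivirus scan. The following is an added example written for this page, not code posted by any participant: it parses a hosts file and flags entries that map a security vendor or update domain to a loopback, unspecified or other fixed address. The watched-domain list and the sample hosts content are constructed assumptions for illustration.

```python
"""Hosts-file hijack triage (added example for this thread, not a
participant's code). Posts #6 and #8 describe malware riding alongside
Sasser that rewrites the Windows hosts file so that antivirus vendor
sites resolve to localhost. This parser flags such entries. The vendor
domain list and the sample hosts content are constructed assumptions."""
import ipaddress

# Domains a clean hosts file has no reason to pin anywhere. Assumed
# list for illustration; extend it for your own environment.
WATCHED_SUFFIXES = (
    "symantec.com",
    "symantecliveupdate.com",
    "mcafee.com",
    "nai.com",
    "microsoft.com",
    "windowsupdate.com",
    "kaspersky.com",
    "sophos.com",
    "f-secure.com",
    "trendmicro.com",
)

# Constructed sample: the default Microsoft header, the legitimate
# localhost line, four hijacked vendor entries and one benign intranet
# entry (which must not be flagged).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantecliveupdate.com  # pinned by the infector
0.0.0.0         download.mcafee.com
10.0.0.5        windowsupdate.microsoft.com
192.168.1.20    intranet.example.local
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, ignoring comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                          # malformed line, skip
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # first field is not an IP
        for name in fields[1:]:               # one IP may carry many names
            yield addr, name.lower()


def is_watched(hostname):
    """True if hostname equals, or is a subdomain of, a watched suffix."""
    return any(hostname == s or hostname.endswith("." + s)
               for s in WATCHED_SUFFIXES)


def find_hijacks(text):
    """Return [(ip, hostname, reason)] for entries that look hijacked.

    A vendor name pinned to loopback or 0.0.0.0 blackholes updates and
    vendor web sites; pinned to any other fixed address it may redirect
    them to an attacker-chosen host. Both are worth a look.
    """
    findings = []
    for addr, name in parse_hosts(text):
        if not is_watched(name):
            continue
        if addr.is_loopback or addr.is_unspecified:
            reason = "blackholed (loopback/unspecified address)"
        else:
            reason = "redirected to fixed address %s" % addr
        findings.append((str(addr), name, reason))
    return findings


if __name__ == "__main__":
    for ip, host, why in find_hijacks(SAMPLE_HOSTS):
        print("%-15s %-40s %s" % (ip, host, why))
```

On a real machine you would read `%SystemRoot%\system32\drivers\etc\hosts` and pass its contents to `find_hijacks`; the companion check from post #8, looking for `wormride.dll` in the Windows system directory, is a plain file-existence test and is left out here. A hit from this parser is a reason to clean the hosts file before relying on any vendor's online update or scanner.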
  9. Uzi (Guest)

    Thanks for notifying me about the line length. I've now fixed it to 72.

    As for the quoted printable encoding, it doesn't seem to be on my side.
    The Usenet message as it came to the news server that I use has the
    following MIME settings:
    * Content-Type: text/plain; charset=us-ascii
    * Content-Transfer-Encoding: 7bit
    and no other content encoding found in it.
Interesting, but it is not the case here. Thanks for the info, though.

After cleaning the Sasser copies and the temp folder the computer now
    seems to be fine again. No traces of any virus-like behaviour. The
    startup items are all known, no suspicious traffic. No server ports
    other than the standard ones (I've now set up ICF for her, as a side
    comment). No viruses found by updated Antidote, F-Prot for DOS, or
    her Avast. All three were updated (at the time I checked her computer
    for viruses).

    Uzi
    For e-mail contact and other, see:
    http://www.uzipaz.com
     
    Uzi, May 6, 2004
    #9
  10. On that special day, Uzi, () said...
    Good. I hope it is now fixed. Gawd am I glad that I don't have to endure
    that hassle, with my olde machine still running under WinME.

    Didn't Microsoft once introduce Windows XP as the "safest Windows ever"?
    What has become of it, that a ME user can patiently sit and wait for the
    internet storms to pass by, while the XP users are all going crazy from
    fixing the many loopholes they have to close again and again?


    Gabriele Neukam

     
    Gabriele Neukam, May 7, 2004
    #10
  11. null (Guest)

    I have to admit that there's a nasty part of me that's laughing his
    ass off at that situation :)


    Art
    http://www.epix.net/~artnpeg
     
    null, May 7, 2004
    #11
  12. Shane (Guest)

    Me too, and I use XP!


    Shane
     
    Shane, May 7, 2004
    #12
  13. Uzi (Guest)

Yep, I must agree with you. I still use Win98 (in fact, it's the first
    edition). It works smoothly, its main patches were fixed years ago, and
    no servers of any kind are running, so even without a firewall, there
    are no open ports. (NBT can be closed, RPC is not running by default.)
    Luckily, Microsoft still offers critical security patches for Win98
    (mainly I'm speaking about cumulative patches to Internet Explorer).
    I use Pegasus Mail, and even Forte Agent now seems to be more secure
    than its 1.* versions.

    I know almost every inch of this OS, whereas with XP there are a
    zillion security holes found and yet to be found.

As for claiming that XP is much more secure: I recall they said a
    similar thing about Win95. I couldn't find the link to it anymore, but I
    think it was in their knowledge base; they explained why they decided not
    to include "Microsoft Anti-Virus" in Win95, and they said that the reason
    was that Win95 is much less vulnerable to viruses (and in a sense they
    were right if you limit your thinking only to DOS viruses!).

    This shows that security features are not equivalent to security (XP has
    much more powerful security features than 98 or ME).

    Uzi
    For e-mail contact and other, see:
    http://www.uzipaz.com
     
    Uzi, May 7, 2004
    #13
  14. Heather (Guest)

Just caught up with this thread... and have to say the same. Having a rather
    dumb argument with someone who claims to be a 'techie and a geek' on another
    ng (not an MS one). He just showed his 'techie' ignorance by

    a) saying that I was using an "obsolete O/S (WinME)...... which is "no
    longer supported by MS". Duh, idiot. 98, 98SE and ME are supported until
    June 30th, 2006... and

    b) He told me that in his vast experience and superior knowledge (notice it
    is a cocky male....grin) that I should not use a wussy XP Home, but to use
    XP Pro. The one for networks and heavy duty gamers.....lol.

    I am very happy, and have a very smug smile on my face, due to my 'olde
    WinME' not being vulnerable to this latest virus. I think my copy of XP
    Home can stay right in the box for another few months....LOL.

    Heather
     
    Heather, May 8, 2004
    #14
  15. Another "Me too" here, and I usually connect with a terminal emulator and
    browse with lynx running on my ISP's system. In fact, it took a long time
    to persuade me into accepting a PPP account at all.[1]

    Related Humour:

    Get the best features of Windows NT, Windows ME, and Windows CE,
    all in one new package...
    http://www.chebucto.ns.ca/~af380/msntmece.gif

    :)

    [1] That still didn't stop hundreds of clueless systems from accusing
    me of having sent them a virus because they believed the "From:" or
    envelope sender addresses forged by the various worms.
     
    Norman L. DeForest, May 8, 2004
    #15
  16. Yep... may have been, for the first 5 days or so... but it doesn't do
    to poke a stick at Murphy, who will pretzel it without even waking up.

Yep. Esp. for the poor devils running Win2000 off the original CD
    release - they need a 100M+ SP before they can apply patches, and they
    have no built-in firewall... "beg someone you know who runs a patched
    NT, or Win9x / Mac / Linux, to pull them for you and make a CDR"
    Ah. What may help here is to use aliases for hi-risk email (i.e.
    where you know the recipient is clueless about address hygiene). It
    can help contextualize the bounces sent "back" to you :)


    Running Windows-based av to kill active malware is like striking
    a match to see if what you are standing in is water or petrol.
     
    cquirke (MVP Win9x), May 8, 2004
    #16
  17. On that special day, Norman L. DeForest, () said...
    YMMD

It seems I hit a soft spot of yours with my rant. Well, when XP came out,
    I was already not convinced that it would be "safe and secure" (except
    for the security of the fact that it would bite you if you didn't
    register with MS), because I had heard about former vulnerability
    problems that had occurred. It was only a question of time until XP
    would have its own share of loopholes to be fixed.

    But I would never have dreamt of what would come to happen when the
    vulnerabilities were published.


    Gabriele Neukam

     
    Gabriele Neukam, May 8, 2004
    #17
  18. The infected users are usually ones that have read my newspostings or
    visited my web site and the worms got my address from their browser or
    newsreader cache.

    Some bounces I have received lately are to a mailing list I am the owner
    of and the Sober worm has an alias for that mailing list in its list of
    role usernames it selects from to forge the "From:" address. I have
    received several bounces for that reason alone. Two such bounced worms
    were directed my way from disney.com when the true origin of the worms was
    at interbusiness.it on another continent. Another such bounce came from a
    UK government environment agency's system.
     
    Norman L. DeForest, May 10, 2004
    #18
