Sasser explosion linked to Netsky

By Tracy Burrows, ITWeb contributor.
Johannesburg, 04 May 2004

The Sasser Internet worm that is reported to have spawned at least three variants and affected millions of PCs in under three days could be linked to the Netsky worm, say AV experts.

Sasser, which exploits a known flaw in the Microsoft Windows operating system, arrives without user intervention and can cause PCs to enter a "reboot loop".

AV software vendors warn that the worm is being followed by a hoax e-mail carrying an attachment purported to be a Sasser "fix". The attachment unleashes a variant of the widespread Netsky worm.

Sophos senior technology consultant Graham Cluley told Reuters the hoax e-mail was spreading a virus called Netsky.AC, which includes a message buried in its code that seems to indicate the two viruses share the same author.

In the message, the virus writers refer to themselves as "Skynet," which may be a reference to the computer system that caused a nuclear war in the "Terminator" movies. Virus experts said Sasser also contains a hole of its own, in the file transfer protocol server that it installs, which could be either a second way into an infected system or author error.

Ken Dunham, director of Malicious Code at iDefense Inc, says it is interesting to note that the authors of NetSky.AC have taken credit for the Sasser worm outbreak. "This could be a major development in the ever-present worm war of 2004," he says.

Dunham says at least four Sasser variants are now in the wild, and it appears the worm is being continually updated and released.

He adds: "The Sasser and Blaster worm outbreaks have many similarities. In many ways, Sasser is the Blaster event of 2004 to date. Leading up to the Sasser worms we saw exploit code updated, Trojaning and hacking of vulnerable computers, and an underground buzz that resembled that of Blaster seen in 2004".

Symantec says the most notable of the variants is Sasser.B, which has been rated as a Level 4 threat. Earlier today, Symantec Security Response was seeing approximately 150 submissions per hour.

"Over the last several weeks Symantec Security Response has monitored a shift in malicious threat propagation," said Alfred Huger, senior director, Symantec Security Response. "During the first several months of the year, most of the threats we tracked spread through e-mail. However, now we are tracking more threats that are exploiting vulnerabilities to spread. Users need to be diligent in patching systems, updating virus definitions and implementing best practice solutions."

Far from harmless

While AV companies say the Sasser worm is essentially harmless, its reboot action is reported to have wreaked havoc in banks and major companies in the US, Europe and Australia yesterday. Finnish Internet security firm F-Secure said up to six million computers had been infected, with some large corporates having to temporarily shut down their services.

The worm was reported to be spreading fairly fast in South Africa too. However, local network services provider Internet Solutions (IS) says SA is not likely to feel the full force of the attack, largely due to fast action from corporates. IS said it had monitored the worm's spread over the weekend and warned customers immediately.

Andrew Govender, change manager for IS, says: "Once we saw this was going to be a threat, we issued the advisory to our customers on 16 April, along with a follow-up on 3 May in the hope that we could avoid the damage already seen in Europe and the USA."

"The last attack caused considerable damage worldwide, but we are finding that our customers are now a lot more vigilant, and are indeed installing recommended patches to their systems in a timeous manner," he says.
