Mutated-Sasser fears

By Tracy Burrows, ITWeb contributor.
Johannesburg, 06 May 2004

Speculation that Netsky's authors are behind the new Sasser worm is fuelling fears that a hybrid Sasser-Netsky worm could emerge soon.

Global media reports quote security experts as warning that the Sasser worm, which emerged last weekend, could merge with the damaging Netsky virus to wreak havoc on computers worldwide.

There have been links between the fast-spreading Sasser and Netsky, including a message within a recent Netsky virus claiming that the authors also unleashed Sasser.

Brett Myroff, CEO of local Sophos distributor Netxactics, says the message within Netsky-AC reads: "

However, Myroff says neither Sophos nor Netxactics would speculate on the possibility of a hybrid virus emerging. "We have not had any report of a mutated Sasser combined with Netsky," he says.

Reuters quotes Network Associates research fellow Jimmy Kuo as saying: "My expectation is that Netsky and Sasser variants will merge and become what we call one 'abundant threat' that attacks through e-mail and software vulnerabilities."

Possibly millions of users were affected by Sasser, which temporarily downed 25 government departments yesterday, according to a report in The Pretoria News.

Gartner: "More coming"

Meanwhile, Gartner says the Sasser worm attacks confirm the analyst firm's prediction that mass worm attacks against the multiple vulnerabilities disclosed by Microsoft on 13 April were likely.

"In fact, the appearance of this worm makes the shortest time ever - just 18 days - between the appearance of a vulnerability and the beginning of an attack," Gartner says.

The company notes that many of the vulnerabilities that continue to be identified in Windows 2000, XP and Server 2003 are easily exploitable, saying attackers will continue to develop worms that will cause damage equal to, or more severe than, the system shutdowns and network congestion caused by the Slammer worm.

Enterprises that are dependent on Windows systems must invest both in means to patch faster and in host-based intrusion prevention software for all Windows PCs and servers, it says.

Gartner believes that - even though the market for host-based intrusion prevention software will not be mature until the end of 2005 - enterprises must budget for, and procure, these products now to secure their critical Windows-based systems. The cost and availability of such protection should be included in all total cost of ownership calculations when alternatives to Windows servers and PCs are being evaluated, the company says.
