The latest worm to hit Internet users, already staggering from the last attack, is the Sasser worm that can cause continuous rebooting of your PC. Unlike previous worms, Sasser does not propagate by e-mail, but is automatically spread by exploiting the latest vulnerability in the Microsoft operating systems.
Users that have not patched their PCs will be affected. Up to six million computers worldwide may have been infected by this worm first detected last week, including those of some large multinational corporations, according to Finnish Internet security firm F-Secure.
Reports are now coming in of suspected damage from as far afield as Australia and the US, where a major airline was forced to cancel a number of flights. At this stage it seems as if SA may not bear the brunt of this attack, largely due to fast action from corporates after local ISP Internet Solutions (IS) published a security advisory within hours of the outbreak.
IS has a team of network engineers that constantly monitor international security sites and work in collaboration with other ISPs. They spotted this latest worm on Friday evening, and took immediate action to mitigate any effects it may have on the IS network.
From IS's perspective, most of its customers have been able to contain the effects of Sasser.
"It was apparent we needed to be proactive and warn our customers," says Andrew Govender, Change Manager for IS. "Once we saw this was going to be a threat, we issued the advisory to our customers on 16 April, along with a follow-up on 3 May in the hope that we could avoid the damage already seen in Europe and the US.
"The last attack caused considerable damage worldwide, but we are finding that our customers are now a lot more vigilant, and are indeed installing recommended patches to their systems in a timeous manner. Compared to previous worm attacks, we have received considerably fewer requests from customers requiring assistance in dealing with the worm," Govender concludes.
The following communication was sent to the IS client base:
Dear Customer,
As of the 1st of May 2004, various security companies declared a high alert to control the spread of this malware. Infection reports have been received from Europe, Asia and the US.
This worm exploits the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system.
To propagate, it scans the network for vulnerable systems. When it finds a vulnerable system, this malware sends a specially crafted packet to produce a buffer overflow on LSASS.EXE.
It creates the script file CMD.FTP, which contains instructions for the vulnerable system to download and execute a copy of this malware from a remote infected system using FTP on TCP port 5554.
Since this malware produces a buffer overflow in LSASS.EXE, it causes the said program to crash and will consequently require Windows to reboot.
Action: Users are advised to apply the critical patch related to the Windows LSASS vulnerability, which is available at the following Microsoft page:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=MS04-011_MICROSOFT_WINDOWS
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
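The advisory's description of the download step gives defenders a usable network indicator: TCP connections to port 5554. The following is an added example, not part of the IS advisory, that triages firewall logs on that basis; the log format, sample lines and function name are constructed for illustration.

```python
import re
from collections import defaultdict

SASSER_FTP_PORT = 5554  # TCP port named in the advisory

# Constructed sample data in a hypothetical firewall log format.
SAMPLE_LOG = """\
2004-05-03T08:14:02 ALLOW TCP 10.0.4.17:1044 -> 10.0.4.23:5554
2004-05-03T08:14:05 ALLOW TCP 10.0.4.31:1051 -> 10.0.4.23:5554
2004-05-03T08:15:40 ALLOW TCP 10.0.4.17:1060 -> 192.0.2.10:80
2004-05-03T08:16:11 DENY TCP 10.0.7.9:1102 -> 198.51.100.77:5554
2004-05-03T08:16:12 ALLOW UDP 10.0.4.50:5554 -> 10.0.4.1:53
malformed line
"""

LINE_RE = re.compile(
    r"^\S+ (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def triage(log_text, port=SASSER_FTP_PORT):
    """Classify hosts seen on either end of a TCP connection to `port`."""
    serving = defaultdict(set)   # destination -> clients that tried to fetch from it
    fetching = defaultdict(set)  # source -> servers it tried to fetch from
    completed = set()            # sources whose connection was allowed through
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            skipped += 1         # count unparsable lines instead of hiding them
            continue
        if m["proto"] != "TCP" or int(m["dport"]) != port:
            continue
        # The destination is where the worm copy is fetched from: candidate infected host.
        serving[m["dst"]].add(m["src"])
        # The source ran the download script, so it was likely exploited and is
        # unpatched even when the firewall denied the transfer.
        fetching[m["src"]].add(m["dst"])
        if m["action"] == "ALLOW":
            completed.add(m["src"])
    return {
        "serving": {ip: sorted(c) for ip, c in serving.items()},
        "fetching": {ip: sorted(s) for ip, s in fetching.items()},
        "completed": sorted(completed),
        "skipped": skipped,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Hosts under "fetching" need the MS04-011 patch whether or not the transfer was blocked; hosts under "completed" should also be treated as running the worm.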
Internet Solutions (IS) has transformed its business model and become the only full network service provider in the country.
The business was founded on the principle of developing a robust infrastructure in order for corporates to conduct e-business. Over the past decade IS has established itself as a leader in this space, attracting over 80% of SA's top businesses as clients.
During its 10 year life span IS has evolved and grown its service offerings. Today, the company is the leading hosting service provider and security service provider in SA, as well as having significant market share in the virtual private network (VPN) and application service provider (ASP) space.
Internet Solutions has earned an impressive collection of accolades, including eight First National Bank "Most Admired" awards, Financial Mail Best Company to Work For and a place in the Top Unlisted Company Awards.
The company partners with major players such as Cisco, Microsoft, Oracle, BT and AT&T and in 2002 was certified as a Cisco Managed Security Service Provider (MSSP), the first and only company outside of the US to be awarded this accolade.
For more, visit www.is.co.za.