Sasser, discovered on April 30, 2004, is a computer worm that affects computers that run on vulnerable versions of the Microsoft Windows XP and Windows 2000. The worm spreads by exploiting the operating system through a vulnerable network port. It is, therefore, particularly virulent in that it can spread without user intervention, but it is also easily stopped by a properly configured firewall or by downloading system updates from Windows Update.
The specific hole Sasser exploits is documented by Microsoft in its MS04-011 bulletin, for which a patch had been released seventeen days earlier.
How does it work?
The worm was called Sasser because it spreads by exploiting a buffer overflow in the component known as LSASS (Local Security Authority Subsystem Service) on the infected operating systems. The worm scans different ranges of IP addresses and connects to victims’ computers mainly through TCP port 445.
Analysis of the worm by Microsoft suggested that it might also spread through port 139. Several variants called Sasser.B, Sasser.C, and Sasser.D appeared within days (with the original named Sasser.A). The LSASS vulnerability was patched by Microsoft in the April 2004 instalment of its monthly security packages, prior to the release of the worm.
An indication of the worm’s infection of a computer is the existence of the file C:WIN.LOG or C:WIN2.LOG on its hard disk, as well as seemingly random crashes with LSASS.EXE on the screen caused by faulty coding used in the worm. The most common symptom of the worm is the shutdown timer that appears due to the worm crashing LSASS.exe.
Examples of the damage caused by Sasser include: News agency Agence France-Presse (AFP) had all of its satellite communications blocked for hours; Delta Air Lines had to cancel several trans-atlantic flights because its computer systems had been swamped by the worm; Nordic insurance company If and its Finnish owners Sampo Bank came to a complete halt and had to close their 130 offices in Finland; The X-ray department at Lund University Hospital had all of its four layer X-ray machines disabled for several hours and had to redirect emergency X-ray patients to a nearby hospital; The University of Missouri was forced to "unplug" its network from the wider Internet in response to the worm; The British Coastguard had its electronic mapping service disabled for a few hours; Goldman Sachs, Deutsche Post, and the European Commission also all had issues with the worm.
German computer science student Sven Jaschan, 18, from Rotenburg, Lower Saxony was arrested on May 7, 2004, for writing the worm. German authorities closed in on him thanks to information obtained in response to a $250,000 bounty offer by Microsoft.
One of Jaschan’s friends had informed Microsoft that his friend had created the worm. He further revealed that not only Sasser, but also Netsky.AC, a variant of the Netsky worm, was his creation. Another variation of Sasser, Sasser.E, was found to be circulating shortly after the arrest. It was the only variation that attempted to remove other worms from the infected computer, much in the way Netsky does.
Jaschan was tried as a minor because the German courts determined that he was 17 when he created the worm, which was actually released on his 18th birthday (April 29, 2004). Jaschan was found guilty of computer sabotage and illegally altering data. On July 8, 2005, he was handed a 21 month suspended sentence.
Dealing with Sasser
The shutdown sequence can be aborted by clicking ‘start’ then using the Run command to enter ‘shutdown -a’. This aborts the system shutdown so the user can continue to use the computer. The shutdown.exe file is not available by default within Windows 2000, but can be installed from the Windows 2000 resource kit. It is available in Windows XP.
Another option to stop the worm from shutting down a computer is to change the time and/or date on its clock to earlier. The shutdown time will move as far into the future as the clock was set back.