The Sasser threat
If the past couple of months were about the various NetSky flavors, the W32.Sasser.B
worm is the riskiest at present. Symantec rates this variant of the Sasser worm
as the top threat during May 2004 with a threat rating of four.
The Sasser worm (W32.Sasser.A and variants) exploits a vulnerability in the Windows
Local Security Authority Subsystem Service (LSASS), an issue addressed by the Windows
security update released in conjunction with Microsoft Security Bulletin MS04-011.
The worm spreads by scanning randomly selected IP addresses
for vulnerable systems.
The worm affects only Windows 2000/XP machines. This worm can run on Windows
95/98 computers, but does not infect them. However, the worm can still use these
systems to infect vulnerable systems to which it can connect. The worm wastes
system resources on such systems.
According to Symantec, W32.Sasser.B.Worm differs from W32.Sasser.Worm as follows:
- Uses a different mutex: Jobaka3.
- Uses a different file name: avserve2.exe (as opposed
- Has a different MD5 (0x1A2C0E6130850F8FD9B9B5309413CD00).
- Creates a different value in the registry: "avserve2.exe".
The worm is also known as WORM_SASSER.B [Trend], W32/Sasser.worm.b [McAfee],
Worm.Win32.Sasser.b [Kaspersky], W32/Sasser-B [Sophos], Win32.Sasser.B [Computer
Associates], Sasser.B [F-Secure], W32/Sasser.B.worm [Panda], Win32/Sasser.B.worm
[RAV] and W32/Sasser.B [F-Prot].
Protection from W32.Sasser.B
First of all, download and install the Windows security update 835732 released
with Microsoft Security Bulletin MS04-011. The next step is to use a firewall
at the network and client levels. It is necessary to block TCP ports 5554, 9996,
and 445 at the perimeter firewall to prevent remote exploitation of the vulnerability.
The default firewall with Windows XP is a sufficient safeguard for client
Microsoft provides an online tool to remove Sasser.A, Sasser.B, Sasser.C, Sasser.D,
Sasser.E, and Sasser.F. The check can be done from,
Most of the antivirus vendors have come out with free worm removal tools and
antivirus definitions to remove Sasser. These can be employed if the Microsoft
Sasser removal tool is not effective.
'Phishing' for victims
According to a recent Gartner survey, an estimated 57 million American adults
received e-mail attacks from "phishers". Phishers are black hat hackers
or cyberthieves who pretend to be trusted service providers to steal consumer
Although the sample consisted purely of Americans, the findings are also
relevant to Indian organizations. Organizations have to impart proper
security awareness to prevent leaks of sensitive information.
The survey respondents included 5,000 online adults, selected as a representative
sample of the U.S. population. Extrapolating from this sample, Gartner concludes
that more than 30 million people were "absolutely sure" they were
victims of a phishing attack, and another 27 million thought they had received
what "looked like" a phishing attack - and over 90 percent said the
attacks happened within the past year. Another 35 million were unsure whether
they had experienced an attack, and just 49 million of 141 million online consumers
said they had not experienced one.
Gartner research conducted in April 2004 indicates that millions of consumers
unknowingly fall for phishing attacks - e-mail communications designed to
steal consumer account information, such as credit card data, home addresses
and telephone numbers. Consumers have reason to be nervous. Phishing attacks
undermine their confidence in the authenticity of e-mail originators, threatening
consumer trust in the very foundation of Internet-based communications.
Based on the representative sample, Gartner believes that nearly 11 million
online adults - representing about 19 percent of those attacked - have
clicked on the link in a phishing attack e-mail. Even more seriously, 1.78 million
Americans, or 3 percent of those attacked, remember giving the phishers sensitive
financial or personal information, such as credit card numbers or billing addresses,
by filling in a form on a spoof Web site. Gartner believes that at least a million
more individuals may have fallen for such schemes without realizing it. Direct
losses from identity theft fraud against phishing attack victims - including
new-account, checking account and credit card account fraud - cost U.S. banks
and credit card issuers about $1.2 billion last year.
Gartner believes that the double-digit expansion of U.S. e-commerce will slow
down unless service providers adequately address consumer security concerns.
A future Gartner note will outline emerging antiphishing solutions, ranging
from digitally signed e-mail to managed antiphishing services. Without the implementation
of phishing antidotes, consumer trust will further erode and annual U.S. e-commerce
growth will slow to 10 percent or less by 2007 (0.6 probability).
The rise in phishing attacks is threatening consumer confidence as never before.
Eventually, all participants in Internet commerce will be hurt by diminished
consumer trust in online transactions. Given that the victims are more likely
to suffer from identity theft, consumer distrust in Internet security is certainly
a reasonable reaction. Service providers must begin implementing solutions that
authenticate themselves to their customers, and their customers to them.
Increased port 5000/tcp scans
CERT (www.cert.org) has reported increasing scanning activity directed at port
5000/tcp. The activity is mainly directed at exploiting vulnerabilities in the
Microsoft Windows UPnP (Universal Plug and Play) service.
CERT attributes some of this activity to two worms: W32/Bobax and W32/Kibuv.
These worms scan for systems with port 5000/tcp open to identify machines running
Windows XP (which enables the UPnP service by default), prior to attempting
to exploit these systems. The vulnerability affects Microsoft Windows
98/98SE/ME/XP versions.
A Microsoft patch is available for the UPnP service as detailed
in Microsoft Security Bulletin MS01-059 (http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx).
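
Both the Sasser firewall advice and the port 5000/tcp scanning reported by CERT can be checked against perimeter firewall logs. The following is an added example, not part of the original article: it flags sources that contact many distinct addresses on the ports named on this page and counts how many of those connections the firewall allowed. The log layout, the threshold, the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# TCP ports named on this page: 445, 5554, 9996 (Sasser firewall advice)
# and 5000 (UPnP scanning that CERT attributes to W32/Bobax and W32/Kibuv).
WATCH_PORTS = {445: "Sasser", 5554: "Sasser", 9996: "Sasser", 5000: "UPnP scan"}
FANOUT_THRESHOLD = 5  # assumption: distinct destinations before a source is flagged

# Assumed log layout (constructed): "<time> <ALLOW|DROP> TCP <src> <dst> <dport>"
LINE_RE = re.compile(
    r"^\S+\s+(ALLOW|DROP)\s+TCP\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\d+)$"
)

def find_scanners(lines, threshold=FANOUT_THRESHOLD):
    """Return [(src, port, label, distinct_dsts, allowed)] sorted by fan-out."""
    dsts = defaultdict(set)      # (src, port) -> distinct destination addresses
    allowed = defaultdict(int)   # (src, port) -> connections the firewall let through
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue             # skip lines that do not fit the assumed layout
        action, src, dst, port = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if port not in WATCH_PORTS:
            continue
        dsts[(src, port)].add(dst)
        if action == "ALLOW":
            allowed[(src, port)] += 1
    hits = [
        (src, port, WATCH_PORTS[port], len(seen), allowed[(src, port)])
        for (src, port), seen in dsts.items()
        if len(seen) >= threshold
    ]
    return sorted(hits, key=lambda h: (-h[3], h[0], h[1]))

# Constructed sample: two hosts sweeping many addresses, plus ordinary traffic.
SAMPLE_LOG = (
    [f"12:00:0{i} DROP TCP 10.0.0.23 198.51.100.{i * 37 + 1} 445" for i in range(6)]
    + [f"12:01:0{i} ALLOW TCP 10.0.0.41 203.0.113.{i + 10} 5000" for i in range(7)]
    + [
        "12:02:00 ALLOW TCP 10.0.0.8 10.0.0.2 445",  # one file server, not a sweep
        "12:02:05 ALLOW TCP 10.0.0.8 10.0.0.2 445",
        "12:02:09 ALLOW TCP 10.0.0.9 192.0.2.15 80",  # unwatched port
        "garbled entry",
    ]
)

if __name__ == "__main__":
    for src, port, label, count, let_through in find_scanners(SAMPLE_LOG):
        print(f"{src} -> {count} hosts on {port}/tcp ({label}), {let_through} allowed")
```

A non-zero "allowed" count on any of these ports means the perimeter block recommended above is not in effect for that traffic.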