Security Watch

The Sasser threat

If the past couple of months were about the various NetSky flavors, the W32.Sasser.B worm is the riskiest at present. Symantec rates this variant of the Sasser worm as the top threat during May 2004 with a threat rating of four.

The Sasser worm (W32.Sasser.A and variants) exploit a vulnerability in Windows Local Security Authority Subsystem Service (LSASS) issue addressed by the Windows security update in conjunction with Microsoft Security Bulletin MS04-011.

The worm spreads by scanning randomly selected IP addresses for vulnerable systems.

The worm affects only Windows 2000/XP machines. This worm can run on Windows 95/98 computers, but does not infect them. However, the worm can still use these systems to infect vulnerable systems to which it can connect. The worm wastes systems resources in such systems.

According to Symantec, W32.Sasser.B.Worm differs from W32.Sasser.Worm as follows:

• Uses a different mutex: Jobaka3.
• Uses a different file name: avserve2.exe (as opposed to avserve.exe).
• Has a different MD5 (0x1A2C0E6130850F8FD9B9B5309413CD00).
• Creates a different value in the registry: "avserve2.exe."

The worm is also known as WORM_SASSER.B [Trend], W32/Sasser.worm.b [McAfee], Worm.Win32.Sasser.b [Kaspersky], W32/Sasser-B [Sophos], Win32.Sasser.B [Computer Associates], Sasser.B [F-Secure], W32/Sasser.B.worm [Panda], Win32/Sasser.B.worm [RAV] and W32/Sasser.B [F-Prot].

Protection from W32.Sasser.B

First of all, download and install the Windows security update 835732 released with Microsoft Security Bulletin MS04-011. The next step is to use a firewall at the network and client levels. It is necessary to block TCP ports 5554, 9996, and 445 at the perimeter firewall to prevent remote exploitation of the vulnerability. The default firewall with Windows XP is a sufficient enough safeguard for client computers.

Microsoft provides an online tool to remove Sasser.A, Sasser.B, Sasser.C, Sasser.D, Sasser.E, and Sasser.F. The check can be done from,

http://www.microsoft.com/security/incident/sasser.asp

Most of the antivirus vendors have come out with free worm removal tools and antivirus definitions to remove Sasser. These can be employed if the Microsoft Sasser removal tool is not effective.

'Phishing' for victims

According to a recent Gartner survey, an estimated 57 million American adults received e-mail attacks from "phishers". Phishers are black hat hackers or cyberthieves who pretend to be trusted service providers to steal consumer account information.

It is to be noted that though the sample consisted purely of Americans, it is also of relevance to Indian organizations. Organizations have to impart proper security awareness to prevent leak of sensitive information.

Survey methodology

The survey respondents included 5,000 online adults, selected as a representative sample of the U.S. population. Extrapolating from this sample, Gartner concludes that more than 30 million people were "absolutely sure" they were victims of a phishing attack, and another 27 million thought they had received what "looked like" a phishing attack - and over 90 percent said the attacks happened within the past year. Another 35 million were unsure whether they had experienced an attack, and just 49 million of 141 million online consumers said they had not experienced one.

First Take

Gartner research conducted in April 2004 indicates that millions of consumers unknowingly fall for phishing attacks—e-mail communications designed to steal consumer account information, such as credit card data, home addresses and telephone numbers. Consumers have reason to be nervous. Phishing attacks undermine their confidence in the authenticity of e-mail originators, threatening consumer trust in the very foundation of Internet-based communications.

Based on the representative sample, Gartner believes that nearly 11 million online adults—representing about 19 percent of those attacked —have clicked on the link in a phishing attack e-mail. Even more seriously, 1.78 million Americans, or 3 percent of those attacked, remember giving the phishers sensitive financial or personal information, such as credit card numbers or billing addresses, by filling in a form on a spoof Web site. Gartner believes that at least a million more individuals may have fallen for such schemes without realizing it. Direct losses from identity theft fraud against phishing attack victims—including new-account, checking account and credit card account fraud—cost U.S. banks and credit card issuers about $1.2 billion last year.

Gartner believes that the double-digit expansion of US e-commerce will slow down unless service providers adequately address consumer security concerns. A future Gartner note will outline emerging antiphishing solutions, ranging from digitally signed e-mail to managed antiphishing services. Without the implementation of phishing antidotes, consumer trust will further erode and annual U.S. e-commerce growth will slow to 10 percent or less by 2007 (0.6 probability).

Recommendations

The rise in phishing attacks is threatening consumer confidence as never before. Eventually, all participants in Internet commerce will be hurt by diminished consumer trust in online transactions. Given that the victims are more likely to suffer from identity theft, consumer distrust in Internet security is certainly a reasonable reaction. Service providers must begin implementing solutions that authenticate themselves to their customers, and their customers to them.

Increased port 5000/tcp scans

CERT (www.cert.org) has reported increasing scanning activity directed at port 5000/tcp. The activity is mainly directed at exploiting vulnerabilities in the Microsoft Windows UPnP (Universal Plug and Play) service.

CERT attributes some of this activity to two worms: W32/Bobax and W32/Kibuv. These worms scan for systems with port 5000/tcp open to identify machines running Windows XP (which enables the UPnP service by default), prior to attempting to exploit these systems. The vulnerability affects Microsoft Windows 98/ 98SE/ ME/ XP versions.

A Microsoft patch is available for the UPnP service as detailed in Microsoft Security Bulletin MS01-059 (http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx).