Another Sasser worm appears

A new version of the Sasser Internet worm, Sasser-F, appeared on Monday, despite claims by German authorities to have arrested the sole author of that worm on Friday.

Antivirus software companies issued warnings about the new worm, which one antivirus expert called a crude adaptation that was unlikely to spread widely. The discovery, more than three days after German authorities arrested an 18-year-old German man for creating Sasser, suggests that the worm’s code is circulating on the Internet and raises the specter of more Sasser versions, experts said.

Like earlier versions of Sasser, the F-variant exploits a recently disclosed hole in a component of Microsoft Corp.’s Windows operating system called the Local Security Authority Subsystem Service, or LSASS. Microsoft released a software patch, MS04-011, on April 13, that fixes the LSASS vulnerability.

Symantec Corp. rated Sasser-F a “Category 2” or low level threat and released a virus definition update for its products. Sophos PLC and Panda Software SL also issued alerts.

Microsoft will update its Sasser cleaner tool to detect the new variant, a company spokesperson said.

After receiving tips about the suspected author, identified in news reports as Sven Jaschan, on May 5, Microsoft provided information to German authorities in Lower Saxony that lead to his arrest. Jaschan provided an “extensive” confession when he was taken into custody, admitting to creating both the Sasser and Netsky worms in an effort to fight infections of the Mydoom and Bagle worms, according to a statement provided by German authorities.

Based on that alleged confession, authorities and Microsoft believed that Jaschan wrote all the versions of Sasser, including a new variant, Sasser-E, that appeared at the time of his arrest, according to Brad Smith, senior vice-president and general counsel at Microsoft.

However, antivirus experts raised questions about the timing of the E-variant, which was not detected by antivirus companies until hours after the arrest. Experts also said that changes in the Netsky worm family over time and messages in both worms pointed to a group of virus writers, not a lone author.

Asked Monday about the company’s reaction should a new variant appear, Brad Smith, senior vice-president and general counsel at Microsoft, said a new Sasser worm would not change Microsoft’s belief that it led police to the Sasser author.

“A new variant won’t change our thinking about variants A through E. What it will mean is that somebody else is up to something else, as well,” he said.

Smith cited German police reports of “overwhelming” evidence that Jaschan created the worm and the young man’s alleged confession as proof of his link to the first five versions of the worm.

However, the investigation is ongoing and other arrests in the case were possible, he said.

The new Sasser version does not disprove the lone-author idea, but suggests that the Sasser worm source code has been released on the Internet, said Patrick Hinojosa, chief technology officer of Panda Software U.S.

An analysis of the Sasser-F worm’s code revealed that it is an offshoot of the original worm, Sasser-A, that does not include any of the changes or improvements to the worm introduced in previous variants, he said.

That would make sense, if the author released the Sasser source code with the initial worm, then made modifications to it himself, Hinojosa said.

“It makes sense that this is a variant of the (Sasser-A) source code. It’s been out for more than a week and made the rounds of whatever computing underground (Jaschan) was connected to. Now somebody has had a chance to play with it,” he said.

Hinojosa called the changes to Sasser-F “child-like.” The changes include a switching the name of a process created by the worm to “Bill Gates,” and the addition of new comments containing expletives, Hinojosa said.

The apparent release of the Sasser source code complicates the picture of who’s responsible for Sasser. Once source code is available for a worm, it “lowers the bar” of technical knowledge needed to create a variant or a new worm, said Gerhard Eschelbeck, chief technology officer at Qualys Inc.

Only an investigation of Jaschan’s computer will confirm what role he had in the creation of the Sasser worm and its variants, and whether he worked with others to create and distribute the worms, Hinojosa said.

Related Download
A Guide to Print Security for Canadian Organizations Sponsor: HP
A Guide to Print Security for Canadian Organizations
IT security vulnerabilities are a growing cause for concern for organizations trying to protect their data from printer breaches.
Register Now