Infecting more than a million machines worldwide, the Sasser worm, by no means as damaging as last year’s Blaster and Welchia worms, has nonetheless been an “annoyance” for Canadian business.
Edmonton and Halifax were among the organizations that fought short but pitched battles against the worm in an effort to contain its spread.
“I wouldn’t say no problems, (but) it wasn’t earth-shattering,” said David Muise, divisional manager, information technology for the City of Halifax. “We had, I think, 280 infections out of…1,800 clients,” he said. “It was mostly an annoyance, the city kept working,” he added.
The City of Edmonton also had to shut down systems including its Web site and e-mail. For several hours, thousands of employees had to rely on faxes and phone calls to communicate, according to a Canadian Press story. The city’s manager of IT refused to go into more detail when contacted by ComputerWorld Canada, although she did not deny the report.
Air Canada, heavily hit by Welchia last summer when reservation and check-in systems were brought to their knees, was unaffected by Sasser, spokesperson Laura Cooke said.
Temple University in Philadelphia also had infections, but they were easily contained. “Our internal network is highly segmented,” said Ariel Silverstone, the University’s chief information security officer. “So an infected machine could only infect those (unpatched) machines in its subnet.” Sasser exploits a recently disclosed hole in a component of Windows called the Local Security Authority Subsystem Service, or LSASS.
Microsoft released the software patch MS04-011 on April 13 that plugs the LSASS hole.
Temple had about 100 infections out of 14,000 machines, half of which were external machines belonging to university staff or students. Silverstone said one of the reasons there were not more problems was a very successful program to warn users of the need to patch their systems. Compliance was over 90 per cent, he said. Silverstone agreed with Muise that Sasser was more of an “annoyance” than anything.
American Express Co. was one of the more high-profile corporations to experience a Sasser infection. Employee desktops were infected, which subsequently disrupted the company’s internal networks. It did not have an impact on customer services, according to Judy Tenzer, a company spokeswoman.
External machines connecting to internal corporate networks were suspected to have caused some of the infections, since a properly maintained firewall at the network level will prevent Sasser’s attempt to enter via port 445. “I suspect that it came in…when somebody brought their laptop from home, plugged it in behind the firewall,” Muise said. “We don’t use personal firewalls on our private networks.”
Silverstone said desktop firewalls, though a nice security feature, are not even in the discussion phase at the university. A major limiting factor is the inevitable increase in help desk calls, he said.
The Sasser worm hit networks only 17 days after Microsoft released a patch on April 13. For many, the increasingly small window between patch and attack (Blaster had a 26 day window) is a major cause for concern.
“The problem we have is that we don’t patch [our computers] automatically, because we have to test [the patches] because quite often Microsoft patches step on other applications,” Muise said. “And we hadn’t had time to complete all the testing before we got hit,” he added. “So we were between a rock and a hard place…(but) fortunately all of our major applications, like SAP, run on Unix,” he said.
