Corporate users are keeping a wary eye on their networks for signs of the W32/Sasser worm that has been infecting systems worldwide since late Friday, even as antivirus firms are warning of several new variants.
The worm takes advantage of a recently disclosed vulnerability in a Windows component for managing local security and authentication functions and may have already infected between 500,000 and 1 million systems worldwide, according to security firm Internet Security Systems Inc.
Most of the infected systems so far belong to relatively unprotected home users, said Graham Cluley, senior technology consultant for antivirus firm Sophos PLC.
The impact on businesses has been limited, thanks to the standard firewall, network-filtering and antivirus systems that most have in place, he said. But that situation could begin to change as millions of mobile and home-based office workers connect infected PCs to corporate networks, Cluley said.
"So far, the Sasser worm has had a low impact," said Eric Beasley, senior network administrator at Baker Hill Corp., a Carmel, Ind.-based provider of application services to the banking industry.
The company started patching systems on Saturday and is currently checking all laptops used by employees before permitting them to log onto the corporate network. "This can be done by a company with only 160 employees (like Baker Hill). In larger environments, I am sure they have their hands full today," Beasley said.
Latham & Watkins LLP, a Los Angeles-based law firm, is "watching things very closely," said Eric Goldreich, the firm's manager of technology. "We spent a long weekend -- mostly Saturday afternoon and evening -- patching servers," he said. "So far, so good -- no problems."
First Internet Inc., an Internet service provider in St. Clairsville, Ohio, has seen a "substantial" increase in attempted connections to TCP Port 445, which is the port Sasser uses to exploit systems, said Mike Tindor, the company's vice president of network operations. Since the Sasser outbreak began, hits on Port 445 have been about 2.3 times greater than hits on Port 135, which is usually the busiest port, he said.
"However, we are blocking all associated Sasser ports, both inbound and outbound," Tindor said.
As a result "our network has not been impacted by this worm to any extent thus far, nor is it being used to propagate this particular worm," he said.
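The indicator Tindor describes (attempted connections to TCP 445 climbing relative to TCP 135, and individual hosts sweeping many addresses) is easy to pull out of a firewall log. The following Python script is an added example, not code from the article or from any of the companies it quotes. The log format, addresses and timestamps are constructed for the example; `LINE_RE` would need adapting to a real firewall's format. Port 445 is the port the article names; the two secondary ports listed in `SASSER_PORTS` (5554 for the worm's FTP server, 9996 for its remote shell) come from public Sasser analyses, not from the article, and are included as an assumption.

```python
"""Spot Sasser-style TCP/445 scanning in firewall logs.

Added example (not code from the article or from any company it quotes).
The log format, hosts and timestamps are constructed for the example;
adapt LINE_RE to the firewall's real format.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log: one connection attempt per line.
SAMPLE_LOG = """\
2004-05-03T09:00:01 DROP 10.0.0.7:1031 -> 192.0.2.10:445
2004-05-03T09:00:01 DROP 10.0.0.7:1032 -> 192.0.2.11:445
2004-05-03T09:00:02 DROP 10.0.0.7:1033 -> 192.0.2.12:445
2004-05-03T09:00:02 DROP 10.0.0.7:1034 -> 192.0.2.13:445
2004-05-03T09:00:03 DROP 10.0.0.7:1035 -> 192.0.2.14:445
2004-05-03T09:00:03 DROP 10.0.0.7:1036 -> 192.0.2.15:445
2004-05-03T09:00:04 DROP 10.0.0.8:2001 -> 192.0.2.10:445
2004-05-03T09:00:05 DROP 10.0.0.8:2002 -> 192.0.2.20:135
2004-05-03T09:00:06 DROP 10.0.0.9:3001 -> 192.0.2.21:135
2004-05-03T09:00:06 DROP 10.0.0.9:3002 -> 192.0.2.22:135
2004-05-03T09:00:07 ALLOW 10.0.0.9:3003 -> 192.0.2.10:80
this line is not a connection record and must be skipped
2004-05-03T09:00:08 DROP 10.0.0.7:1037 -> 192.0.2.16:445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DROP) "
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)$"
)

# 445 is the port the article names. 5554 (the worm's FTP server) and 9996
# (its remote shell) come from public Sasser write-ups, not from the article.
SASSER_PORTS = {445, 5554, 9996}


def parse(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            yield rec


def port_hits(events):
    """Count connection attempts per destination port."""
    return Counter(e["dport"] for e in events)


def ratio_445_to_135(events):
    """The article's indicator: hits on 445 relative to hits on 135.
    Returns None when there is no 135 traffic to compare against."""
    hits = port_hits(events)
    return hits[445] / hits[135] if hits[135] else None


def scanners(events, min_targets=5):
    """Sources that tried Sasser ports against at least min_targets distinct
    hosts. A worm sweeps many addresses; a legitimate SMB client talks to a few."""
    targets = defaultdict(set)
    for e in events:
        if e["dport"] in SASSER_PORTS:
            targets[e["src"]].add(e["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    ev = list(parse(SAMPLE_LOG))
    print("hits per port:", dict(port_hits(ev)))
    print("445/135 ratio:", ratio_445_to_135(ev))
    print("likely scanners:", scanners(ev))
```

The distinct-target count is the useful signal for picking out an infected laptop on the inside: a single file server will see many legitimate connections to 445, but a single client sweeping dozens of addresses on 445 in a few seconds is the worm, whichever side of the firewall it sits on.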
Sasser relies on a flaw in a Microsoft Windows component called the Local Security Authority Subsystem Service (LSASS). The worm needs no user interaction to spread, nor does it travel through e-mails or attachments. It works by instructing any vulnerable Internet-connected system to download and execute a copy of the malicious code. Because the exploit crashes LSASS, the worm can cause infected systems to reboot repeatedly, but it does little damage beyond that.
As of this morning, four variants of the original Sasser worm had already surfaced, according to an e-mail from Ken Dunham, director of malicious code at iDefense Inc., a security firm in Reston, Va.
Also floating around is what appears to be yet another variant of the tenacious Netsky e-mail virus that has been infecting systems worldwide since February. The latest variant, W32/Netsky-AC, poses as a cure for Sasser, according to Cluley.
"It's really sneaky," Cluley said. "It appears to be an e-mail from an [antivirus] company with a fix for Sasser." A user who clicks on the attached file will activate the virus and cause it to send copies of itself to other names in the victim's computer, he said.