The Sasser worm that struck corporate and academic networks last week shows how easily a single “chink in the armour” can badly affect a company’s systems, a local virus specialist says.
Sasser has claimed a number of high-profile international victims, including the United Nations, American Express, Delta Airlines and US universities. In New Zealand, the University of Otago and Westpac bank were struck by the worm, but Xtra says its network suffered no significant effects after it blocked the network port Sasser uses.
Christchurch virus specialist Nick FitzGerald says Sasser is a greater threat to corporate networks than some other malware because, like Blaster, it spreads automatically through exposed network services. Corporate firewalls are more likely to detect viruses that spread via email attachments, but once a worm like Sasser has penetrated behind a firewall the network is essentially wide open.
“It only takes one misconfigured firewall to get in, and once it’s in, it’s in,” FitzGerald says. “It’s extremely rare to use firewalls between departments and remote sites.”
Typically an organisation will be hit by a worm after a local user plugs an infected laptop into the network behind the firewall, FitzGerald says. Virtual private network connections to other branch offices allow the worm to spread more easily, as they bypass firewalls at other locations. “It will logically look like one flat LAN.”
FitzGerald attributes Sasser’s success to Microsoft’s “mind-bogglingly stupid” decision to enable little-used network services like the local security authority subsystem service (LSASS), which contains the vulnerability that Sasser exploits. Microsoft issued a patch for the LSASS vulnerability on April 13.
Xtra reduced the spread of the worm by blocking port 445, used by LSASS, in and out of its network. Spokeswoman Katrina King says the company will consider blocking ports on a case-by-case basis.