Sasser attacks; critical QuickTime, OS X updates


This issue's topics:

Introduction:

* Sasser attacks; critical QuickTime, OS X updates

Virus News:

* Sassy worm attacks LSASS vulnerability

* NZ bank hit by Sasser; trains, planes stopped, coastguard affected elsewhere

* Netsky variant cashes in on Sasser opportunity

Security News:

* Multiple (old) vulnerabilities in Sambar disclosed

* Information disclosure in MS ASP cookie retrieval

* Apple fixes remote code execution flaw in QuickTime media player

* Mac OS X updates include several critical security fixes

* Wither NGSCB?

Introduction:

It seems that there has been only one security story this week - the rampage of the Sasser worm. Although probably not affecting as many machines as Blaster, Sasser has had a surprising impact - the words of that old song float back through the mists of time: 'When will they ever learn, when will they ever learn...'. No need to say more about it here as there's tons of juicy detail below.

Aside from Sasser, some critical Apple vulnerabilities, both in its OS X operating system and in its popular QuickTime 6.5 media player plugin, have been fixed in the latest patches and updates shipped by the company. And it seems that the roadmap to Microsoft's 'killer solution' to viruses, spam and software and media content piracy - currently still dubbed the Next Generation Secure Computing Base (NGSCB) - may not be as straightforward as originally suggested, with the revelation this week that it will not be shipped in the next major Windows OS revision.

Virus News:

* Sassy worm attacks LSASS vulnerability

It had to happen...

Shortly after filing last week's copy, a new worm exploiting the LSASS remote code execution vulnerability started spreading rapidly across the Internet. Known as Win32/Sasser.A, this worm spreads solely by exploiting the LSASS security hole addressed a couple of weeks earlier in the MS04-011 patch. In the following few days three more variants were also discovered, but as the details of the workings of each of those variants are much the same as for the first discovered Sasser.A, we have only provided links to descriptions of that variant.

In short, Sasser spreads by connecting to port 445 of randomly selected target IP addresses. If the target is reachable a specially formed network packet is sent to the target machine. If the target is vulnerable to the LSASS buffer overflow disclosed in MS04-011 and is running Windows 2000 or XP, the overflow is triggered and a command shell opened on port 9996 on the victim machine. The attacking machine then sends commands to port 9996 on the victim directing it to download and run a file from an FTP server running on the attacking machine on port 5554. This FTP server is actually part of the worm's code and pretty much any request to it will cause it to send a copy of itself.

Sasser has spread quite extensively, with most antivirus developers rating the second variant, Sasser.B, as the most widespread.

There is quite some confusion around the effects Sasser causes. Most variants spawn 128 threads that try to spread the worm further, and this extra processing load can have a highly noticeable impact on the performance of an infected machine. Also, because the LSASS service becomes corrupted in memory as a result of the worm exploiting it, it is shut down by the OS and, as it is a core OS sub-system, that causes the whole OS to shut down, displaying a warning dialog on XP machines. Repeated experience of such system shutdowns does not necessarily mean your PC has become infected (although the odds are very high it has), but it does mean your PC is vulnerable to the buffer overflow and can be remotely taken over via it.

Many users who have not yet installed the MS04-011 patch now cannot, because whenever they connect to the Internet their machine shuts down before they can download the patch, owing to the high rate of infected machines trying to infect them. Should this be you, unbind 'File and Print Sharing' and 'Client for Microsoft Networks' from your Internet-facing network interface (usually a dial-up adaptor, but possibly an Ethernet adaptor or whatever means your machine uses to access your DSL, satellite, etc connection) and try again; that should close port 445. Alternately, Windows XP users may choose to enable the Internet Connection Firewall option for their Internet-facing network interfaces.

Note that if you have been infected and download a 'Sasser cleaner' from the various antivirus and security sites offering such, and your machine keeps closing down or is still running very slowly, you must still obtain and install the MS04-011 patch to prevent re-infection (or, at the very least, take the ameliorating network configuration steps described above). Simply cleaning this worm is insufficient - you must install the patch or otherwise block the vulnerability it uses to get access to your machine. It is a fair bet that further worms and viruses will try to use this vulnerability in the near future, so simply eradicating this worm and updating your antivirus software so you cannot contract one of the known Sasser variants is insufficient.
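As an added illustration, not from the original newsletter nor from any vendor's tooling, the Python below turns the propagation sequence described above (TCP/445 exploit, command shell on 9996, worm download from the attacker's FTP server on 5554) into a simple check over a constructed connection log; the log format, the scan threshold and the addresses are assumptions.

```python
from collections import defaultdict

# Ports named in the Sasser.A description: LSASS exploit on TCP/445,
# command shell bound on 9996, and the worm's own FTP server on 5554.
LSASS_PORT, SHELL_PORT, FTP_PORT = 445, 9996, 5554
SCAN_THRESHOLD = 5  # distinct /445 targets from one host before flagging a scanner

# Constructed sample connection log, "src dst dport" per line (not real traffic).
SAMPLE_LOG = """\
10.0.0.7 10.0.1.1 445
10.0.0.7 10.0.1.2 445
10.0.0.7 10.0.1.3 445
10.0.0.7 10.0.1.4 445
10.0.0.7 10.0.1.5 445
10.0.0.7 10.0.1.5 9996
10.0.1.5 10.0.0.7 5554
10.0.2.9 10.0.1.8 445
10.0.2.9 10.0.1.8 139
"""

def parse_log(text):
    """Turn the text log into an ordered list of (src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            events.append((parts[0], parts[1], int(parts[2])))
    return events

def find_scanners(events, threshold=SCAN_THRESHOLD):
    """Hosts that touched TCP/445 on at least `threshold` distinct addresses."""
    targets = defaultdict(set)
    for src, dst, dport in events:
        if dport == LSASS_PORT:
            targets[src].add(dst)
    return sorted(src for src, seen in targets.items() if len(seen) >= threshold)

def find_infection_chains(events):
    """(attacker, victim) pairs where, in order: attacker->victim:445,
    attacker->victim:9996, then victim->attacker:5554 (the worm download)."""
    chains = []
    for i, (src, dst, dport) in enumerate(events):
        if dport != SHELL_PORT:
            continue
        exploited = (src, dst, LSASS_PORT) in events[:i]
        downloaded = (dst, src, FTP_PORT) in events[i + 1:]
        if exploited and downloaded and (src, dst) not in chains:
            chains.append((src, dst))
    return chains
```

A single host reaching one address on 445 (the last two sample lines) is ordinary file sharing and is not flagged; the sweep across many addresses and the 9996/5554 follow-up are what distinguish the worm.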

More detailed workaround and recovery tips are provided by Microsoft Product Support Services (PSS) at the first link below.

PSS Security Response Alert: Sasser Worm and Variants - microsoft.com

Microsoft Security Bulletin MS04-011

Computer Associates Virus Information Center

F-Secure Security Information Center

Kaspersky Lab Virus Encyclopedia

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* NZ bank hit by Sasser; trains, planes stopped, coastguard affected elsewhere

As with Blaster, the latest widespread worm exploiting a common Windows network vulnerability destabilized many systems not sufficiently hardened against it. Links to articles covering some of the flow-on effects of Sasser's run are provided...

Westpac gets hit by Sasser - computerworld.co.nz

Computer virus threatens trains - news.com.au

Virus sends coastguard computers off course - telegraph.co.uk

* Netsky variant cashes in on Sasser opportunity

Yet another Netsky variant was released on the heels of Sasser, or at least following the media attention Sasser received. Among other things, the e-mail messages in which this variant sends itself may claim the attachment (which is, of course, a copy of the virus) to be a fix for Sasser.B.

Rinse, lather, repeat...

Computer Associates Virus Information Center

F-Secure Security Information Center

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

Security News:

* Multiple (old) vulnerabilities in Sambar disclosed

A Russian security researcher has posted the details of several previously unacknowledged vulnerabilities in the Sambar web server. These have been fixed for some time, but many users may not have updated because of little public awareness of these security flaws.

We have linked to an archived copy of the recent Bugtraq mailing list message describing some of the issues and Sambar's security vulnerabilities page. All the recently detailed flaws are present in several popular, earlier releases of Sambar and all are fixed in the current 6.0.1 release.

Archived Bugtraq list message - securityfocus.com

Security Vulnerabilities in Sambar Server - sambar.com

* Information disclosure in MS ASP cookie retrieval

A recent posting to the Bugtraq mailing list emphasizes the importance of setting custom error pages in Active Server Page (ASP) applications on Microsoft's IIS web server. MS ASP is vulnerable to information leaks via carefully crafted cookies under an attacker's control that may allow the attacker to map out information about the web server and the ASP application's file locations that could ease a more malicious attack.

Archived Bugtraq list message - securityfocus.com

* Apple fixes remote code execution flaw in QuickTime media player

Security researchers at eEye Digital Security have discovered a heap overflow in Apple's QuickTime media player. They report this vulnerability can be reliably exploited to execute code of an attacker's choice in the security context of the user running the application that hosts the QuickTime plugin. The nature of this overflow is described as 'textbook', meaning that malicious hackers should be able to easily devise working exploits for this vulnerability. eEye says that Apple QuickTime 6.5 and Apple iTunes 4.2.0.72 are affected and suggests obtaining Apple's fixed update via the built-in update functions of the affected applications.

Apple QuickTime (QuickTime.qts) Heap Overflow - eeye.com

* Mac OS X updates include several critical security fixes

The latest Mac OS X security updates were released a few days ago. Administrators of OS X 10.2.8 and 10.3.3 (client and server versions of both) should check the Apple Security Updates link for details on these security updates. The updates themselves can be obtained through Software Update preferences or directly from the Apple Downloads site, also linked below.

Apple Security Updates - apple.com

Apple Downloads - apple.com

* Wither NGSCB?

The Register has an interesting article on some very recent shenanigans about the future of Microsoft's much-touted 'big brother' security and DRM promises. Initially dubbed Palladium, furthered by an industry alliance under the banner TCPA (Trusted Computing Platform Alliance), more recently re-branded as NGSCB (Next Generation Secure Computing Base) and promised as part of Longhorn (Redmond's codename for the next major version of Windows), it seems the road ahead is rockier than initially suggested. Read Andrew Orlowski's interesting article at the link below.

MS Trusted Computing back to drawing board - theregister.co.uk
