The Sasser worm that affected Westpac on Tuesday apparently spread from computers at the bank’s Australian branches, the bank says.
Bank spokesman Paul Gregory says Sasser started to spread through Westpac’s internal network between 1.30pm and 2pm on Tuesday. Staff were forced to turn off infected computers and work instead with more traditional tools: paper and pens.
“That was a couple of hours before we close,” Gregory says. “That might have been more of an issue for us at a different time of the day.”
Gregory says the virus probably arrived directly from an outbreak in the bank’s Australian branches. “Obviously, we’re trying to figure out how this got through the firewall,” he says.
Firewalls would normally block traffic to port 445, which Sasser uses. The worm targets a vulnerability in Windows NT, 2000 and XP operating systems and spreads simply by connecting to an unpatched machine over the internet.
Microsoft issued a patch for the vulnerability on April 13, but many computers remained unpatched by the time Sasser emerged over the weekend.
The worm infected desktops and branch systems, Gregory says, but not Westpac’s ATMs. The main impact was to slow down the bank’s corporate network, particularly email and web access.
“There was no customer impact and we then worked overnight to disinfect the computers.”