Sasser is a computer worm that affects computers running vulnerable versions of the Microsoft operating systems Windows XP and Windows 2000. Sasser spreads by exploiting a vulnerable system service reachable over an open network port, so it is particularly virulent in that it can spread without any user intervention; it is also easily stopped by a properly configured firewall or by downloading system updates from Windows Update. The specific hole Sasser exploits is documented by Microsoft in its MS04-011 bulletin, for which a patch had been released seventeen days earlier. The most characteristic experience of the worm is the shutdown timer that appears because the worm crashes LSASS.


History and effects

Sasser was first detected on April 30, 2004. The worm was named Sasser because it spreads by exploiting a buffer overflow in the component known as LSASS (Local Security Authority Subsystem Service) on the affected operating systems. The worm scans ranges of IP addresses and connects to victims' computers primarily through TCP port 445; Microsoft's analysis of the worm indicates that it may also spread through port 139. Several variants, called Sasser.B, Sasser.C and Sasser.D, appeared within days (the original is named Sasser.A). The LSASS vulnerability had been patched by Microsoft in the April 2004 installment of its monthly security updates, before the worm was released. Some technology specialists have speculated that the worm writer reverse-engineered the patch to discover the vulnerability, leaving exposed the millions of computers on which the security update had not yet been installed.

The effects of Sasser included the news agency Agence France-Presse (AFP) having all its satellite communications blocked for hours, and the U.S. airline Delta Air Lines having to cancel several transatlantic flights because its computer systems had been swamped by the worm. The Nordic insurance company If and its Finnish owner Sampo Bank came to a complete halt and had to close their 130 offices in Finland. The British Coastguard had its electronic mapping service disabled for a few hours, and Goldman Sachs, Deutsche Post and the European Commission also had problems with the worm. The X-ray department at Lund University Hospital had all their four layer X-ray machines disabled for several hours and had to redirect emergency X-ray patients to a nearby hospital.


Author

On 7 May 2004, 18-year-old German Sven Jaschan from Rotenburg, Lower Saxony, then a student at a technical college, was arrested for writing the worm. German authorities were led to Jaschan partly because of information obtained in response to a bounty offer by Microsoft of US$250,000: one of Jaschan's friends had informed Microsoft that Jaschan had created the worm. Jaschan further admitted that not only Sasser but also Netsky.AC, a variant of the Netsky worm, was his creation. Another variant of Sasser, Sasser.E, was found circulating shortly after the arrest. It was the only variant that attempted to remove other worms from the infected computer, much as Netsky does. Jaschan was tried as a minor because the German courts determined that he created the worm before he was 18; the worm itself was released on his 18th birthday (29 April 2004). Jaschan was found guilty of computer sabotage and illegally altering data, and on Friday, 8 July 2005, he received a 21-month suspended sentence.


Side effects

Indications that a PC is infected are the presence of the files C:\win.log, C:\win2.log or C:\WINDOWS\avserve2.exe on its hard disk, ftp.exe running unexpectedly, 100% CPU usage, and seemingly random crashes of LSA Shell (Export Version) caused by faulty code in the worm. The most characteristic symptom of the worm is the shutdown timer that appears when the worm crashes LSASS.exe.
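The two kinds of evidence the page describes, a host sweeping address ranges on TCP 445/139 (History and effects) and the file and process indicators listed above, can be checked mechanically. The Python script below is an added example for this page, not code from the original article or from the worm's author; the log line format, the sample addresses, and the min_targets threshold are constructed assumptions, and the log itself is synthetic.

```python
"""Detect Sasser-style LSASS worm activity from network and host evidence.

Added example for this page, not code from the original article or from the
worm's author.  Assumptions (all constructed): perimeter logs carry one
connection attempt per line as "<timestamp> <src> <dst> <dport> <action>",
the sample addresses are synthetic, and min_targets is a hypothetical
tuning value.
"""
import re
from collections import defaultdict

# Propagation ports the page reports: TCP 445 primarily, possibly TCP 139.
SASSER_PORTS = {445, 139}

# Host indicators named under "Side effects" (lower-cased for comparison).
SASSER_FILES = {r"c:\win.log", r"c:\win2.log", r"c:\windows\avserve2.exe"}
SASSER_PROCESSES = {"avserve2.exe"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dport>\d+)\s+(?P<action>\w+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def find_scanners(records, min_targets=8):
    """Return {src: sorted distinct dsts} for every source that touched at
    least min_targets distinct hosts on SMB/NetBIOS ports.

    Fan-out is counted per source over distinct destinations, so a busy
    file server receiving many inbound 445 connections, or a client that
    reconnects to one server repeatedly, is not flagged; a worm sweeping
    address ranges is.
    """
    targets = defaultdict(set)
    for rec in records:
        if rec["dport"] in SASSER_PORTS:
            targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


def host_indicators(files_present, processes_running):
    """Match observed file paths and process names against the page's IOCs.

    Windows paths and process names are case-insensitive, so both sides are
    normalised to lower case before comparison.
    """
    files = {f.lower() for f in files_present} & SASSER_FILES
    procs = {p.lower() for p in processes_running} & SASSER_PROCESSES
    return {"files": sorted(files), "processes": sorted(procs)}


def build_sample_log():
    """Construct a synthetic perimeter log (not a real capture)."""
    lines = []
    # Infected host sweeping a /24 on TCP 445: the pattern to catch.
    for i in range(1, 13):
        lines.append(f"2004-04-30T10:00:{i:02d} 10.0.1.17 10.0.2.{i} 445 DENY")
    # The same host browsing the web; port 80 is outside SASSER_PORTS.
    for i in range(1, 11):
        lines.append(f"2004-04-30T10:01:{i:02d} 10.0.1.17 192.0.2.{i} 80 ALLOW")
    # Ordinary client reconnecting to one file server: one distinct target.
    for i in range(1, 11):
        lines.append(f"2004-04-30T10:02:{i:02d} 10.0.1.50 10.0.2.5 445 ALLOW")
    # Host probing three neighbours on TCP 139: below the default threshold.
    for i in (20, 21, 22):
        lines.append(f"2004-04-30T10:03:{i} 10.0.3.9 10.0.2.{i} 139 DENY")
    lines.append("truncated line that must not crash the parser")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, dsts in find_scanners(parse_log(build_sample_log())).items():
        print(f"{src}: {len(dsts)} distinct SMB/NetBIOS targets -> possible Sasser scan")
    print(host_indicators([r"C:\WIN.LOG", r"C:\Windows\avserve2.exe", r"C:\boot.ini"],
                          ["lsass.exe", "AVSERVE2.EXE"]))
```

The threshold is deliberately on distinct destinations per source rather than on raw connection counts: the worm's signature is breadth of targets on the LSASS-facing ports, and counting sessions instead would flag every legitimate file-server client. Lowering min_targets catches slower or smaller sweeps at the cost of more false positives, which is the usual tuning trade-off for this kind of rule.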


Workarounds

The shutdown sequence can be aborted by opening Start > Run and entering shutdown -a. This cancels the pending system shutdown so the user can continue what they were doing. shutdown.exe is not available by default on Windows 2000, but can be installed from the Windows 2000 Resource Kit; it ships with Windows XP. A second way to stop the worm from shutting down a computer is to set its clock to an earlier time and/or date; the shutdown time moves as far into the future as the clock was set back. Both are only stopgaps: they defer the reboot but do not remove the worm or close the LSASS hole, so the host still needs the MS04-011 update and disinfection, and inbound TCP 445 and 139 should be blocked at the firewall in the meantime.


See also

* Blaster (computer worm)
* Nachia (computer worm)
* BlueKeep (security vulnerability)
* Timeline of notable computer viruses and worms


External links


* Microsoft Security Bulletin: MS04-011
* Bugtraq ID 10108
* Read here how you can protect your PC (Microsoft Security page) - includes links to the info pages of major anti-virus companies.
* New Windows Worm on the Loose (Slashdot article)
* Report on the effects of the worm from the BBC
* German admits creating Sasser (BBC News)
* Sasser creator avoids jail term (BBC News)