Sasser is an internet worm that caused billions of dollars of damage in 2004. It was created by a computer science student in Germany who was also behind Netsky. While there was no intentionally destructive payload, Sasser did cause many computers to slow down or crash, causing some high profile damage.
When a vulnerable system is found, the worm will send shell code to the target computer that attempts to exploit the lsass.exe buffer overflow vulnerability. The lsass.exe process may crash after being exploited, and Windows will display an alert and attempt to shut the system down. A remote shell opens on Port 9996.
It creates and executes a script file on the target named cmd.ftp, which causes the target computer to download Sasser from a worm-created FTP server on the infecting computer. The worm will be saved to the system folder. The downloaded file will have a file name of four or five random numbers, followed by _up.exe.Upon execution, Sasser attempts to create a mutex named Jobaka3l, which it uses to check if there is a Sasser worm already running on the system. It stops further infection if it finds one. Sasser copies itself to the Windows folder as avserve.exe. It adds the value "avserve.exe = (Windows folder)\avserve.exe" the registry key that will cause the worm to run when the system restarts. Attempts to shut down the computer may be hindered anyway, as the worm uses the AbortSystemShutdown API.
Sasser creates an FTP server on Port 5554, which it will use to spread itself. Ir creates a file at the root of the C: drive named win.log, which contains the IP address of the computer that the worm most recently attempted to infect, as well as the number of infected computers. The worm uses gethostbyname, a Windows API, to check the system's IP address, so it can generate an IP address based on this one. 25% of the time, the first two numbers of the IP address it generates will be the same as the current host, while the last two are random. There is a 23% chance that number will be the same and a 52% chance that the generated IP address will be completely random.
The worm makes a connection to a generated IP address on Port 445 in order to determine if there is a computer at that address. When it finds one, it sends shell code to that computer that exploits the lsass.exe buffer overflow vulnerability, opening a remote shell on Port 9996.
It creates a script on the target system named cmd.ftp, which instructs the system to download the worm from the infecting system's FTP server. After the worm has been downloaded to the target system, cmd.ftp may be deleted.
Security experts estimate that infected computers numbered in the millions. Tens of thousands of infected computers around the world repeatedly crashed and then rebooted.
The worm hit thousands of homes and businesses in Finland. The Sampo bank in Finland shut down all 130 branches for a few hours one day after being hit by the worm but were reopened by the afternoon. The corporate and Internet banking services along with ATMs functioned normally throughout the day. It had no effect on customers' money transfers or privacy.
The Finnish property and casualty insurance company If was also affected by the worm. In Sweden, the company's internal telecommunications connections stopped functioning and its internal network in Finland was shut down as a precautionary measure. The bank Nordea was not affected, as it was with the Blaster worm, as since then, it had its IT staff constantly update its computers. Finnish mobile provider TeliaSonera was also affected.
All 19 British Coastguard stations were found to have infected systems. Search-and-rescue operations were not affected, but the Coastguard did end up resorting to paper maps and pens (called "pinkies") to continue working. With the exception of computers, fax and telex machines, no other communication methods were affected at all. Fortunately, the worm had brought down the systems on an otherwise quiet day.
British Airways suffered delays when the worm hit Terminal Four at London's Heathrow Airport, as well as call centres in Manchester and Glasgow. Average delays for flights to America, Israel, The Middle East and East Africa were ten minutes. Calls to Manchester and Glasgow had to be rerouted to Newcastle.
The Deutsche Post in Germany increased its firewall protection, blocking traffic to many of its offices and delaying payments of subscribers.
High profile infections in France included the French Stock Exchange and the France Presse news agency. In Spain, judges at the national courthouse, including those investigating the March 11 bombings, were blocked by the worm.
Taiwan's state-run postal service found 1,600 workstations infected with the worm and 430 offices had to resort to "manual service" to get work done. As the Taiwan Post offers banking services, some banking transactions were disrupted. By Tuesday the Taiwan Post was back to normal.
Two Hong Kong government departments and some public hospitals were hit by Sasser. The Hong Kong Computer Emergency Response Team Coordination Center received 389 reports of the worm. Individual users were reportedly hit harder than companies.
The Asan Medical Center, one of the largest hospitals in Korea suffered delays in treating patients and had to search and write patient records with pen and paper. The Lotte Group conglomerate was forced to shut down for a day due to Sasser.
Japan, Thailand, China and India reported few incidents of the worm, partly because of a Buddhist holiday. The worm is known to have difficulty exploiting the lsass.exe vulnerability on some non-western versions of Windows, particularly the Japanese version.
Delta Airlines delayed and cancelled some flights after their computers were infected with Sasser. Credit card giant American Express also had problems with the worm. 6,000 of 17,000 computers at the University of Texas M.D. Anderson Cancer Center were infected with the worm. The Associated Press and investment bank Goldman Sachs also reported infections.
RailCorp in Australia was infected with the worm. 300,000 passengers were stranded for a short time as the worm shut down the radio network. Some stations were shut down and only 20 trains were kept running for some time. The Westpac bank had to resort to pen and paper for a short while after being infected with the worm.
The worm's name obviously comes from its exploitation of the lsass.exe vulnerability.
- F-Prot: W32/Sasser.A
- McAfee: W32/Sasser.worm.a
- Symantec: W32.Sasser.Worm
The Sasser worm was created by an 18-year-old German student named Sven Jaschan, who was also behind the original Netsky worm. Jaschan was convicted and sentenced to a 21 month suspended sentence and 30 hours of community service.
Takayoshi Nakayama, Fergal Ladley. Symantec.com, W32.Sasser.Worm.
Sindri Bjarnason. F-Prot Antivirus, W32/Sasser.A.
McAfee Antivirus, W32/Sasser.worm.a.
Helsingin Sanomat International Edition, New computer worm Sasser shuts down Sampo bank branches. 2004.05.04
Jan Libbenga. The Register, "Sasser Creates European Pandemonium". 2004.05.05
BBC News, Worm brings down coastguard PCs. 2004.05.04
Associated Press. FOX News, 'Sasser' Worm Disrupts Asian Computer Networks. 2004.05.04
Gregg Keizer. TechWeb Network, Sasser Worm Impacted Businesses Around The World. 2004.05.07
Baek Kang-nyoung. Digital Chosun Ilbo, Sasser Worm Wreaking Havoc on Computers. 2004.05.03
Bob Sullivan. MSNBC, Sasser Worm infections begin to subside. 2004.05.05