
Sasser is a computer worm that affects computers running vulnerable versions of the Microsoft operating systems Windows XP and Windows 2000. Sasser spreads by exploiting the system through a vulnerable port. Thus it is particularly virulent in that it can spread without user intervention, but it is also easily stopped by a properly configured firewall or by downloading system updates from Windows Update. The specific vulnerability Sasser exploits is documented by Microsoft in its MS04-011 bulletin, for which a patch had been released seventeen days earlier. The most characteristic experience of the worm is the shutdown timer that appears due to the worm crashing LSASS.


History and effects

Sasser was created on April 30, 2004. This worm was named Sasser because it spreads by exploiting a buffer overflow in the component known as LSASS (Local Security Authority Subsystem Service) on the affected operating systems. The worm scans different ranges of IP addresses and connects to victims' computers primarily through TCP port 445. Microsoft's analysis of the worm indicates that it may also spread through port 139. Several variants called Sasser.B, Sasser.C, and Sasser.D appeared within days (with the original named Sasser.A). The LSASS vulnerability was patched by Microsoft in the April 2004 installment of its monthly security packages, prior to the release of the worm. Some technology specialists have speculated that the worm writer reverse-engineered the patch to discover the vulnerability, which would expose millions of computers whose operating systems had not been upgraded with the security update.

The effects of Sasser included the news agency Agence France-Presse (AFP) having all its satellite communications blocked for hours and the U.S. airline Delta Air Lines having to cancel several transatlantic flights because its computer systems had been swamped by the worm. The Nordic insurance company If and their Finnish owners Sampo Bank came to a complete halt and had to close their 130 offices in Finland. The British Coastguard had its electronic mapping service disabled for a few hours, and Goldman Sachs, Deutsche Post, and the European Commission also had issues with the worm. The X-ray department at Lund University Hospital had all four of their layer X-ray machines disabled for several hours and had to redirect emergency X-ray patients to a nearby hospital.
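The scanning behaviour described in this section (connections to ranges of IP addresses on TCP port 445, and possibly 139) appears in connection logs as one source contacting many distinct hosts in a short time. The following Python sketch of that detection is an added example, not part of the original article; the log format, addresses, window and threshold are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORTS = {445, 139}  # ports the article names for Sasser's spread


def parse(line):
    """Parse 'ISO-timestamp src dst dport proto' (constructed log format)."""
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto.upper()


def find_scanners(lines, window_s=60, threshold=20):
    """Return {src: peak distinct destinations} for sources that contacted
    at least `threshold` distinct hosts on SMB_PORTS within `window_s` seconds."""
    recent = defaultdict(deque)   # src -> (ts, dst) events still inside the window
    peak = defaultdict(int)
    for ts, src, dst, dport, proto in sorted(map(parse, lines)):
        if proto != "TCP" or dport not in SMB_PORTS:
            continue
        q = recent[src]
        q.append((ts, dst))
        while (ts - q[0][0]).total_seconds() > window_s:  # expire old events
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {s: n for s, n in peak.items() if n >= threshold}


def sample_log():
    """Constructed sample: one sweeping host and one ordinary file-share client."""
    base = datetime(2004, 5, 1, 10, 0, 0)
    lines = []
    for i in range(40):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} 10.0.0.5 10.0.1.{i + 1} 445 TCP")  # new host each second
        lines.append(f"{t} 10.0.0.9 10.0.0.2 445 TCP")        # same server each time
    lines.append(f"{base.isoformat()} 10.0.0.9 10.0.0.3 139 TCP")
    lines.append(f"{base.isoformat()} 10.0.0.7 10.0.1.1 80 TCP")  # not an SMB port
    return lines


if __name__ == "__main__":
    for src, n in find_scanners(sample_log()).items():
        print(f"{src}: {n} distinct hosts on TCP 445/139 within 60 s")
```

Counting distinct destinations rather than raw connections keeps a busy client of a single file server below the threshold while a sweeping host stands out.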


Author

On 7 May 2004, 18-year-old German Sven Jaschan from Rotenburg, Lower Saxony, then a student at a technical college, was arrested for writing the worm. German authorities were led to Jaschan partly because of information obtained in response to a bounty offer by Microsoft of US$250,000. One of Jaschan's friends had informed Microsoft that his friend had created the worm. He further revealed that not only Sasser, but also Netsky.AC, a variant of the Netsky worm, was his creation. Another variation of Sasser, Sasser.E, was found to be circulating shortly after the arrest. It was the only variation that attempted to remove other worms from the infected computer, much in the way Netsky does. Jaschan was tried as a minor because the German courts determined that he created the worm before he was 18. The worm itself had been released on his 18th birthday (29 April 2004). Sven Jaschan was found guilty of computer sabotage and illegally altering data. On Friday, 8 July 2005, he received a 21-month suspended sentence.


Side effects

Indications that a given PC is infected are the existence of the files C:\win.log, C:\win2.log or C:\WINDOWS\avserve2.exe on its hard disk, ftp.exe running randomly, and 100% CPU usage, as well as seemingly random crashes with LSA Shell (Export Version) caused by faulty code used in the worm. The most characteristic symptom of the worm is the shutdown timer that appears due to the worm crashing LSASS.exe.


Workarounds

The shutdown sequence can be aborted by pressing Start and using the Run command to enter shutdown -a. This aborts the system shutdown so the user may continue what they were doing. The shutdown.exe file is not available by default within Windows 2000, but can be installed from the Windows 2000 resource kit. It is available in Windows XP. A second option to stop the worm from shutting down a computer is to set the time and/or date on its clock to an earlier value; the shutdown time will move as far into the future as the clock was set back.


See also

* Blaster (computer worm)
* Nachia (computer worm)
* BlueKeep (security vulnerability)
* Timeline of notable computer viruses and worms


External links


* Microsoft Security Bulletin: MS04-011
* Bugtraq ID 10108
* Read here how you can protect your PC (Microsoft Security page) - Includes links to the info pages of major anti-virus companies.
* New Windows Worm on the Loose (Slashdot article)
* Report on the effects of the worm from the BBC
* German admits creating Sasser (BBC News)
* Sasser creator avoids jail term (BBC News)