Sasser Worm Spreading Through LSASS Exploit

The Sasser worm began spreading among unpatched Windows computers today, exploiting a known security hole in LSASS. While Sasser uses similar mechanics as earlier mega-worms Slammer and Code Red, Sasser thus far doesn't appear to be the dramatic event anticipated by worm-wary security firms.

F-Secure reports that the new worm attacks through TCP port 445 (Windows networking), spreads itself through an FTP server on port 5554, and leaves port 9996 open for future exploits. Sasser has received a level 3 rating from Symantec, the middle of its five-point alert scale. Secunia also perceives Sasser as a medium threat, and The Internet Storm Center moved to yellow alert condition, but cautioned that "the exact impact is not clear at this point."

LSASS, the Local Security Authority Server Service, helps manage IP security and authentication for Windows networking. Several buffer overflow exploits published this week are known to provide attackers full remote administrative privileges on Windows 2000 (Pro and Server) and Windows XP. Sasser detects a target computer's operating system, and varies its tactics for the different Windows OSes. Systems that have applied the Microsoft patch for update MS04-11 are protected from Sasser.

The relatively modest early impact of Sasser suggest protracted warnings may have brought improved compliance for Windows users patching their machines. It's worth noting that Windows Update received about twice the normal level of traffic following the April 11 release MS04-11, causing server slowdowns for the crucial service. Internet Security Systems also noted that "common network-filtering policies have limited the infection rate of Sasser."