Sasser, Phatbot May Make LSASS Flaw An Enduring Headache

The malware community's refinements of the Sasser worm and Phatbot trojan may make the Windows LSASS security hole a more enduring security headache, with new Sasser variants appearing while Phatbot expands "botnets" to launch Spam and denial of service attacks.

Four days after Sasser's release, it appears the limited effectiveness of the inital version was likely due to its coding, rather than improved patching of Windows products. Infections grew as new variants were released Sunday and Monday. With Sasser now at version D, media have identified numerous organizations reporting compromised systems, including American Express, Goldman Sachs, Australia's Westpac Bank, Finnish financial company Sampo and British Coast Guard stations. Microsoft reports that 1.5 million users downloaded its cleanup tool via Windows Update, explaining that site's slow performance Monday.

The authors of a new variant of the NetSky virus are claiming authorship of Sasser.D as well, and security vendors confirm the two share some coding similarities. That raises the possibility of Sasser becoming "serial malware" along the lines of NetSky, which is now at version 30.

One of the most prolific families of serial malware is the Agobot/Gaobot/Phatbot trojan, which is also exploiting the LSASS hole. These stealthy trojans are among the favored tools of hackers operating networks of compromised Windows machines for Spam delivery or DDoS attacks. An analysis by LURHQ notes that Phatbot possesses "the ability to polymorph on install in an attempt to evade antivirus signatures as it spreads from system to system."

Agobot/Gaobot/Phatbot is a primary example of the effectiveness of "open source malware," with a recent version of Agobot being released under the GNU Public License. Tuesday the source code for Phatbot was released on mailing lists. "The pack includes not only the source code but also documentation and some html FAQs," said the SANS Institute. "More variants are expected." Which means additional features, according to LURHQ: "With time, the more effective bots become increasingly popular, leading to additional development from secondary developers who provide 'mods' to the bots."