Cyber crime syndicates and Sasser
The Sasser worm will leave an estimated one million infected computers in its wake. 80 percent of these will belong to home users, possibly never to be disinfected or patched, providing ideal havens for vandals to perpetuate Internet fraud, send Spam, and launch distributed denial of service attacks, says Felix Mohan
While the Sasser worm by itself isn't the real security issue, it has a role
in the ongoing epidemic of malware-induced cyber crime. Focusing only on the
worm's technicalities would be a mistake.
The cyber crime epidemic
Today’s worms are the handiwork of malcontents for
whom cyber crime affords lucrative returns. Money, not notoriety, is the motive.
A flourishing market exists where large blocks of infected machines that can
be controlled remotely are for sale. Sobig demonstrated the close nexus between
malware writers and spammers: machines infected by the Sobig mass mailing
worm (which inserted an open proxy into each compromised machine) were offered
to spammers; $5000 bought you 10,000 compromised machines.
The thriving market for subverted PCs has swung the underworld into hyperactivity.
The past ten months have seen several hacker groups and cyber crime syndicates
setting up attack networks (botnets) and releasing remote attack tools through
increasingly crafty malware such as Blaster, Sinit, MyDoom, Phatbot, Bagle and
Netsky. February 2004 saw business rivalry unleash the Internet's biggest
cyber war between the creators of MyDoom, Bagle and Netsky, forcing corporates
to scurry for cover as the world watched helplessly.
Between 23rd January and 4th May, 24 variants of Bagle, seven of MyDoom, and
30 of Netsky were released (that's 61 worms in 100 days). The gangs hurled
abuse at each other through strings embedded in their worm code, and launched direct attacks
on their adversaries' compromised machines, deleting the rivals' registry entries and
backdoors and installing their own remote access tools instead.
Sasser and cyber crime
The Sasser worm should be viewed against this broader canvas. It was released
on 30th April. Three days later, the creators of Netsky claimed credit for the
Sasser worm with supporting evidence that convinced security experts of its
veracity (the code and programming style in Sasser and Netsky are similar).
On 7th May, following his arrest, an 18-year-old German student confessed to
writing the Sasser worm. He is also suspected of writing the Netsky.ac worm
variant that appeared three days after Sasser. Investigations are on to decipher
the link between the Russian SkyNet Antivirus Group (believed to be responsible
for the Netsky family of worms) and the German teenager. The web of cyber crime
chains linked across the globe has turned out to be much larger and more organised
than anybody ever imagined.
On 8th May, the Sasser.E worm variant was released. It has been programmed to
remove registry entries used by the Bagle worm variants, providing renewed impetus
to the ongoing gang war in cyberspace.
Sasser and Netsky merge
If more than 60 worms were released without much ado in 100 days, why should
one Sasser worm kick off so much hype? Because, unlike Sasser,
all the others were mass mailing worms that depended on user intervention to
infect a machine, a very big handicap in itself. Unless the user clicked on
an attachment, the email worm could not propagate. Worm writers are getting
smarter. The latest variant of Bagle does away
with the attachment prerequisite and spreads when a vulnerable user opens the
e-mail using an unpatched version of Microsoft Outlook. If the Outlook preview
pane is enabled, the victim's machine is compromised as soon as the message is displayed. Even
with this infection vector, though, some user intervention (opening or previewing the mail) is still required.
Unlike the email worms, Sasser requires no user intervention. It scans for machines
having the Local Security Authority Subsystem Service (LSASS) vulnerability
on its own; on detecting a vulnerable system, it exploits the hole, opens a remote connection
to the machine in question and makes it download the worm from a file transfer protocol (FTP)
server that the worm runs on the already-infected host. However, the spread of the Sasser worm
(and other vulnerability-exploit worms like it) is limited by how quickly
users patch vulnerable machines. The worm will start to slow down as
users install the latest anti-virus, firewalls and patches, and would
eventually fade away (unless a new variant comes along). In contrast, email
worms tend to keep proliferating much longer, because they travel inside mail and so circumvent the anti-virus and
firewall defences that can block a vulnerability-exploit worm such as Sasser.
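The propagation pattern just described (autonomous scanning for the LSASS hole, then the victim fetching the worm body from the host that infected it) gives a network defender two observable signals. As an added example, not code from the article or from any product it names, the Python below runs a two-stage check over a constructed firewall-style connection log: a source that fans out to many distinct hosts on the SMB port within a short window is marked as a scanner, and a probed host that connects back to that scanner shortly afterwards is reported as a likely new infection. The port number (TCP 445, where LSASS is reachable over SMB), the log line format, the thresholds, the function names and all addresses are assumptions made for this example.

```python
"""Two-stage detector for Sasser-style propagation over connection logs.

Stage 1 (scan): a source that reaches many distinct hosts on the LSASS/SMB
port inside a short window is flagged as a scanner.
Stage 2 (callback): a host that was probed by a scanner and then opens a
connection back to that scanner shortly afterwards is reported as a likely
new infection fetching the worm body from the scanner.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (not stated on the page): LSASS is reached over SMB on TCP 445;
# the thresholds below are illustrative tuning values, not measured ones.
SMB_PORT = 445
SCAN_WINDOW = timedelta(seconds=60)      # look-back for counting distinct targets
SCAN_FANOUT = 20                         # distinct targets in a window => scanner
CALLBACK_WINDOW = timedelta(seconds=30)  # max delay between probe and callback

# Hypothetical firewall-log line format used by the constructed sample below.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_log(lines):
    """Parse log lines into time-ordered connection events; skip unparsable lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "proto": m["proto"].lower(),
        })
    events.sort(key=lambda e: e["ts"])  # stable sort: equal timestamps keep log order
    return events


def find_scanners(events):
    """Return {src: time_flagged} for sources whose distinct SMB targets inside
    any SCAN_WINDOW reach SCAN_FANOUT."""
    probes = defaultdict(list)  # src -> [(ts, dst)] in time order
    for e in events:
        if e["proto"] == "tcp" and e["dport"] == SMB_PORT:
            probes[e["src"]].append((e["ts"], e["dst"]))
    scanners = {}
    for src, hits in probes.items():
        start = 0
        for end, (ts, _) in enumerate(hits):
            while ts - hits[start][0] > SCAN_WINDOW:  # slide the window forward
                start += 1
            if len({d for _, d in hits[start:end + 1]}) >= SCAN_FANOUT:
                scanners[src] = ts
                break
    return scanners


def find_callbacks(events, scanners):
    """Return sorted (victim, scanner) pairs: the victim was probed on SMB by the
    scanner and connected back to it on any other port within CALLBACK_WINDOW."""
    last_probe = {}  # (scanner, victim) -> time of the most recent SMB probe
    infections = set()
    for e in events:
        if e["src"] in scanners and e["dport"] == SMB_PORT:
            last_probe[(e["src"], e["dst"])] = e["ts"]
        elif e["dst"] in scanners and e["dport"] != SMB_PORT:
            probed = last_probe.get((e["dst"], e["src"]))
            if probed is not None and timedelta(0) <= e["ts"] - probed <= CALLBACK_WINDOW:
                infections.add((e["src"], e["dst"]))
    return sorted(infections)


def detect(lines):
    """Run both stages; returns (scanners, likely_infections)."""
    events = parse_log(lines)
    scanners = find_scanners(events)
    return scanners, find_callbacks(events, scanners)


def build_sample_log():
    """Constructed sample traffic (not real captures): one benign SMB client,
    one scanner, one genuine callback, one callback that arrives too late."""
    t0 = datetime(2004, 5, 1, 10, 0, 0)
    fmt = "%Y-%m-%d %H:%M:%S"

    def line(sec, src, dst, dport):
        return f"{(t0 + timedelta(seconds=sec)).strftime(fmt)} src={src} dst={dst} dport={dport} proto=tcp"

    lines = [line(i, "10.0.0.9", f"10.0.0.2{i}", 445) for i in range(3)]      # workstation, 3 file servers
    lines += [line(i, "10.0.0.5", f"10.0.1.{i}", 445) for i in range(1, 26)]  # 25 targets in 25 s
    lines.append(line(17, "10.0.1.7", "10.0.0.5", 5554))    # probed at +7 s, calls back 10 s later
    lines.append(line(30, "10.0.2.2", "10.0.0.9", 80))      # unrelated traffic to the benign client
    lines.append(line(100, "10.0.1.20", "10.0.0.5", 5554))  # probed at +20 s, 80 s late: ignored
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    scanners, infections = detect(build_sample_log())
    print("scanners:", {s: t.strftime("%H:%M:%S") for s, t in scanners.items()})
    print("likely new infections (victim, scanner):", infections)
```

Tune SCAN_FANOUT against the busiest legitimate SMB client on the network (a backup server or domain controller can reach hundreds of hosts on port 445 in a minute), and treat the callback stage as the higher-confidence signal: a host that was just probed and then initiates a connection to its prober has no benign reason to do so, and the pair it yields tells you both the newly infected machine and the machine it should be traced back to.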
Security experts are now predicting that Sasser will mutate by combining with
Netsky. This merger will unleash attacks through both e-mail and software vulnerabilities
taking cyber crime to the next level.
Holes, exploit codes and worms
Microsoft released a fix for the LSASS vulnerability on 13th April in its MS04-011 patch.
Within two days, a public exploit for the vulnerability, written by Hi_Tech_Assassin, was
released on k-otik, a French website.
Indeed, exploits for five of the 14 vulnerabilities fixed in the MS04-011 patch
release were out on the Internet within six days, so one can be reasonably sure
that worms using these exploit codes will be created shortly.
However, as in the case of Sasser, the other attack tools favoured by hackers will
be upgraded with the new exploit codes before worms that use them are created.
Ironically, worms can go against the interests of cyber crime
syndicates because of the hype and attention they generate. Usually, a worm
is the last stage in the evolution of an exploit: worms tend to be
released only after other, quieter attack tools have compromised a
sufficient number of machines.
Sasser and Agobot
One of the most favoured attack tools of hackers and crime syndicates operating
networks of compromised Windows machines for delivering Spam or launching distributed
denial of service (DDOS) attacks is the Agobot/Phatbot family of Trojans. Known
as bot software, these remote attack tools can seek out and place themselves
upon vulnerable computers and run silently in the background, allowing an attacker
to send commands to the system while the owner works, unaware.
Hackers embedded the LSASS exploit code into the Agobot Trojan
a week before the release of Sasser. The upgraded Agobot Trojan (also known as Gaobot) is
spreading fast. It exploits machines with the LSASS hole (much the same way
as Sasser does) but more stealthily. While many network administrators worry
about the Sasser worm, security experts believe that this quieter but equally
damaging threat is slowly gaining control of large networks of computers. There
is a high probability that machines infected with Sasser are also infected with
Gaobot.
The crime syndicates’ improvements of the Sasser worm and Agobot/Phatbot
Trojan may make the Windows LSASS security hole a long-term security menace,
with new Sasser variants appearing while Agobot/Phatbot Trojans set up new ‘botnets’
to launch Spam and DOS attacks.
The Sasser.F variant is already out. Coincidentally, the creator of Agobot was
arrested on the same day as the creator of Sasser; both arrests were made in
Germany. Investigations are on to confirm if there are any links connecting
Sasser, Agobot, and Netsky.
The bottom-line
Users should patch their systems, turn on the firewall, and install anti-virus
software to protect themselves against Sasser and Gaobot. Though Sasser is spreading
more rapidly, Gaobot will eventually prove to be more dangerous as it gives
criminals access to infected computers.
The author is the CEO of SecureSynergy. He can be reached
on felixmohan@securesynergy.com