KobiHosting// Web Hosting for SMEs




 

      W32.Sasser (and Variants: A, B, C)
( Yakup SAYIN )
      This article has been read 2641 times 11.06.2007
 
 A new worm, like the Blaster worm that wreaked havoc months ago, has been announced: W32.Sasser.B.Worm
This worm affects operating systems at the Windows NT4SP6A, W2KSP2 and 2003 Server versions; it infects through LSASS (NT LM Security Support Provider) and spreads itself to machines at random IP addresses on the network.

eEye Network Sasser Scanner: http://karakan.com/files/virus/sasser/retinasasser.exe

Symantec SasserFixer : http://www.karakan.com/files/virus/sasser/fixsasser.exe

Microsoft Patches : http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Detailed tools and manual removal information are available in eEye Security's article on the subject, reproduced below.


eEye Offers Free Scanning Tool to Identify Workstations Vulnerable to "Sasser" Worm
As a service to the network security community, eEye has announced the availability of a free tool to scan network computers and detect if any are vulnerable to the "Sasser.A/B/C" worm currently circulating worldwide. The tool allows administrators to quickly identify vulnerable workstations that do not contain the patch required to protect from the attack, and it provides information on where to locate the patch made available from Microsoft.

Download the FREE Retina Sasser Audit Tool here:
http://www.eeye.com/html/Research/Tools/Download.asp?file=RetinaSasser

The Retina Sasser audit tool is based off of eEye's award-winning Retina Network Security Scanner. Current customers of Retina may scan for the LSASS vulnerability that the Sasser worm is using to infect servers.

This vulnerability is rated as critical and should be remediated immediately.


--------------------------------------------------------------------------------

Detecting the Vulnerability
Both the full version of Retina and the free scanning tool will detect if a workstation is vulnerable to the worm, not if the workstation is infected. Due to the nature of the worm, an infected workstation will not register as either "Patched" or "Unpatched".

If you suspect that the worm has infected a workstation, you can install a network traffic analyzing tool like eEye's Iris on the same subnet as the server to monitor traffic to and from the machine. Once an infection is verified, you should restart the machine (shutting down an infected workstation will remove any trace of the worm) and apply the necessary software patch.

For more information on Iris Network Traffic Analyzer, visit:
http://www.eeye.com/html/Products/Iris/index.html


--------------------------------------------------------------------------------

Sasser Worm Overview
The worm, labeled Sasser.A, has been propagating by leveraging a flaw in Microsoft Windows LSA (Local Security Authority) Service (LSASRV.DLL). This flaw was discovered by eEye Digital Security and reported to Microsoft on October 8, 2003.

The worm begins by targeting servers running versions of Microsoft Windows 2000 and XP that have not been properly patched for the vulnerability. Sasser has the ability to execute without requiring any action on the part of the user. The worm copies itself to a folder in the Windows System directory and adds a registry run key to load at system start-up, creating the value "avserve.exe"=%windows%\avserve.exe in the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The Sasser worm can infect any vulnerable computer that is switched on and connected to the Internet. Unlike other worms and viruses, it is not spread by email and does not require any user action to propagate. In reported instances so far, the worm has been observed shutting down a computer then automatically re-booting it, repeating several times.

How it Propagates
Sasser scans random IP addresses for vulnerable systems. When one is found, the worm exploits the system by executing a script. This script instructs the target victim to download and execute the worm from the infected host. The infected host accepts this FTP traffic on TCP port 5554.

For an analysis of the worm please visit:
http://www.eeye.com/html/Research/Advisories/AD20040501.html

For complete information on the Windows Local Security Authority Service flaw (LSASS vulnerability), please visit:
http://www.eeye.com/html/Research/Advisories/AD20040413C.html
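Because the scanner reports patch status rather than infection, a host can also be checked for the two indicators the text names: the "avserve.exe" Run value and traffic on TCP port 5554. The following Python sketch is an added example, not code from eEye or from this page; it assumes its inputs are saved text output of `reg query` on the Run key and of `netstat -an`, and the sample captures are constructed.

```python
import re

# Indicators named in the advisory text above.
RUN_VALUE = "avserve.exe"   # Run-key value name and dropped file name
WORM_FTP_PORT = "5554"      # port on which an infected host serves the worm

def run_key_hits(reg_output):
    """Find Run entries whose value name or target file is avserve.exe."""
    hits = []
    for line in reg_output.splitlines():
        # Value lines are indented: <name>  REG_<type>  <data>
        m = re.match(r"\s+(\S.*?)\s+REG_\w+\s+(.*)$", line)
        if not m:
            continue
        name, data = m.group(1), m.group(2).strip()
        leaf = (data.split("\\")[-1].split() or [""])[0].strip('"')
        if RUN_VALUE in (name.lower(), leaf.lower()):
            hits.append((name, data))
    return hits

def port_5554_sockets(netstat_output):
    """Classify TCP sockets that involve port 5554 on either end."""
    found = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue
        local, remote = parts[1], parts[2]
        if local.rsplit(":", 1)[-1] == WORM_FTP_PORT:
            found.append(("serving", local, remote))       # accepts the FTP traffic
        elif remote.rsplit(":", 1)[-1] == WORM_FTP_PORT:
            found.append(("downloading", local, remote))   # fetching from a peer
    return found

# Constructed sample captures (not from a real host).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    avserve.exe    REG_SZ    C:\WINDOWS\avserve.exe
"""
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1045        198.51.100.7:5554      ESTABLISHED
"""

if __name__ == "__main__":
    print(run_key_hits(SAMPLE_REG), port_5554_sockets(SAMPLE_NETSTAT))
```

A "serving" socket matches the infected-host role described under "How it Propagates"; a "downloading" socket matches a target fetching the worm from such a host.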
 

