Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Sasser: The Last Big Network Worm?



 By: Ryan Naraine
2005-05-16
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. Sasser: The Last Big Network Worm?
  2. ' On the Enterprise Side '

Rate This Article:
Poor Best
Sasser: The Last Big Network Worm?
( Page 1 of 2 )

One year after the last major Windows worm, Microsoft talks up its security response improvements, but analysts warn against being lulled into a state of complacency.

Debby Fry Wilson has more than a few reasons—and sleepless nights—to remember Sasser, the last major network worm to clog Windows systems around the world.

It was on her birthday, a year ago this month, when the first Sasser reports started filtering in and, for Wilson and her colleagues at the MSRC (Microsoft Security Response Center), the outbreak presented an opportunity to test a new emergency-response system that had just been implemented by Microsoft.

Coming off a string of intense worm activity in 2003, when the SQL Slammer and Blaster worms hogged the headlines and caused damage worldwide, Microsoft was better prepared for Sasser, which was squirming through a Windows hole that had been already been patched.

"We did know that this particular vulnerability had the potential to be exploited into a worm," said Wilson. "We had already done a few things to draw attention to the bulletin and get customers to prioritize and apply the patches."

Resource Library:

"We were aware that proof-of-concept exploits were circulating, and we were working behind the scenes with anti-virus and other partners to keep a close eye on unusual activity," said Wilson, who is the director at the MSRC responsible for mobilizing Microsofts security response communication.

Between the time Microsoft issued its Sasser patch the day the worm was first detected, at least three proof-of-concept exploits were being widely distributed on security mailing lists.

By April 27, 2004, the proof-of-concepts were compiled into an actual exploit that erupted into Sasser, Wilson recalled.

Within the first three hours, Wilson said the MSRC published a Sasser landing page with detailed protection–and disinfection–instructions.

"After Blaster in 2003, we had revamped our communications to act immediately to mobilize our people around the world.

Within minutes, we knew what needed to be done to protect customers," Wilson said, recalling that the initial guidance was for customers to enable a firewall and download/deploy the MS04-011 patch.

"Then, we worked on the first version of a click-and-clean worm removal tool for customers who had been infected."

"We had implemented a pre-defined process for identifying and evaluating a security incident, and it worked very well. We were able to determine the appropriate response and minimize the damages."

"With Blaster, recovery took 38 days. With Sasser, we brought that down to five days," Wilson said.

Read more here about the damage caused by Blaster.

Now, after yearlong lull in network worm activity, Wilson said she believes Microsofts evangelism around software security is beginning to bear fruit.

She points to three significant post-Blaster events: the Windows Firewall turned on by default in XP SP2 (Service Pack 2), the adoption of automatic updates as a major component to PC maintenance, and the industrys increased awareness around the need for updated anti-virus software.

"On the consumer side, 200 million customers are applying patches automatically. When a security update goes out, the period of time a customer is at risk has gotten much smaller. Weve seen a 400 percent increase in the use of Windows Update and a 320 [percent] increase in the user of Automatic Updates since SP2 launched."

Next Page: On the enterprise side.





  Reader Comments: Sasser: The Last Big Network Worm?
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


xr㶲0;; ʷ♵M=RJV,ҌפN"!1Ejm%gy 7]hɗ8["h4}Aȅ3&ל۔O]sSãw$5C2I=*rdz&9%G jL7R}f]S kkL|Ax  tjOt0.Pk< Z535ԗoˏ~e0-ZIQ6)6Nմ,lZ P8$H.( fwm<"6\'|w* pTƖþ=aM"h4"j>v\'gώ>ȀYF {.Qu^?!ڮq 4]^Nૌ=ah /\1r.b,ѽ[@M*6 L=iTVE;&3ýtf?;9zu v=rDJ53ҧ =K;O=k\w=jP?B1 I uBģzr(˺79hmyaijTӪrT5X;r~Ucm9 2w7ϷFu˯ j:Uu7ںs nm)kCi\w{ݳ>~n]\|r m + AַRߘ+0QT&*rp4M2A 1qzj`q%oFV4E; KHr gSd!XI#/YTU![SҺ췮۽NΏۭ3do̲5<JEӀ Zvf!?Y׫ӛkiGκ}!+|q!5M0\ܱ:֪׷V1?aj; dPp9LwjT ?vO_Zd@Odp"˧S~tǷP[,.s$BrZ~@X*V Q3of5 tA[&%4ɔSHu t:99~}MjV㭱*҄& 9B:A`ܺNR49Vϡ8蟉$Wm4@r5)6B̄H )wR<',)|YU>hI"E[f8 .)J!"xN3̸"ȅQ.% Ć> bO}ದyp1zYY5'*taeEUis[ӢKsqnUOV؂)3G#вnZ 7MGRŦcUJfzTJMU~ X@8ʍ??1m!SGñA 3M:v`: 0hvz?>RӚOCqOCGs>H2胎6ml8-ƹ" ,70}HOQI4wX(=cO6%_¤>< )gV=H:}mP`5$ǎC-ߟLs#08w ɝ5y0fkwCPbLTM}PC\7 >)@}9g)QmNl}h`1 5%aF@i0xzOEȣ$@!-i]R@Az68 -,rr /~#y-#!bTLZ'9Tv{B#Tz(΍gR1eb -d[b~Il eV&vϏa[LboD6], S mo3-mu{6 z`N&'syjVRTECzdEWg6}ˁ)s#ϖ̡ Gx}lj?DŽR[eXLdd ٚM GZL^͙=wʠ:'_ ۝.g;N/=]҇1 4fכ d50J%gYA3'|(@]4>+WuPÃ"`"+42[=! = Pȭ}3R;= Mrʳ&#@7X>ť`N)mtй+>q^uiԚv ei6X+ME[1(Ŀ+úZjp Hoh koռ²yc<6B6`9HM^> 2fˣ(U6LF%jIo2@n=ȢmDG*+i#SOoZrirX,y|-lD0(2n( 鿛R&a+\ڨ`OwAsm0HoO]6 8{y4!%6$;~LS cOЭ,h8)4jkzF of`׆ K ؈bȁUraڋҝebeQ;k)eS_HZQ6Ϯ[- V!0\0|pT30`,e/6&])W=aT5"I16D ȸau-Ce0S?؉ ܕVR5]֩;lRfz|tݱM% WҀap‘"=jmA4>\Pbr>+ eT)5*IMym"P/?ˇ%Ŵ谢zԘ{}Qː 0gtWed->흧 IR-ʪZJsVV2:EƟQpV6ʼnG =q?@*:2 XZ 0(E{0 qDLҀJ ^ƙl)baJ)?oyRYf0`%l* ?ŤD LkʚQzCgé#fuMaFžJV-=o`B[$ zDÈ i{qņZ ) 4};`[ 欭h+,s Jb+ʹV(EcTedކgy>cIpR|5YN ~7z_EnMsU-nyFD3 =JTȍN=Dp?n216Em/POG]մRߗ/19W|6t8YW TOg_`jld Wc?֍L>"mǤ|e2,tn1a%[œ>C?9dN u3 U sf> ||0jZ5}rNNxT!"kq(n} #"#N_ q#Z7pթrVgH*A:er,×?Yy" 24{Ic#&a\kxkc_(uO( EGIuzd*+ZR<*n,: /6" ޜbl[ ezפ\+ԕKOe3q18@X=x}d6 j>cWՄθ4;f[IdYyڤiD@kXJ7eVV5XI0iUI+T Z} 2aU}/*\%IvSfn Ϛ8`rOn{W90T%u͇RiEmT)玾ߓNt,q=C H\}PK(,~w9ـo |\V*Z솣d9#R@BZNb.x<'߾b[D pLaV*7xo~.RȓC$ |J D< 2{qc^?3Z cSwO?J _BQ`nо(&wmOI@ NEw%]w7!)hl{ٗΚŗCV7]vYf?{xXTD1CN'͋~4/A ̯> H t{DYw{.|ʜ(=}!Gzzy}69oa`Jwnk7rO0>V8_Kҽ᧥}es7t3VTsb{I6ӱ$BUUk ۻʾ\8%'+Tx|11@7Yud3D?ye11>gnR;=z#xck~=Ϥ2]a^R/o}VZtC.qD &^--^\RK>]_+U@< b]_I{Oz[6N ئw3ӧcgf7X#ŸA!{zeNj.X r4hg azc{ƹ39ោJ;mݭnM M A;"J [<N=>4 2UCnK_&Z1iE0pDVa%$\}5 ߊ;bE Im1ZQ|=N83{K4jZSWל7&/6o).wi{\na'x0d\ڊ}aK~~ &~/ilp8_qFm`)3C[3ԩ>oPtj9;N Cs˸i^\(MSjrFK*$"4I/ò;_b GNXhf:j AEP' xmS^GjN (oa6J]ߨ@3%<,[c(2ib7)#K2g@=[5 l)]c*餷E9qD)s-DCtutle{/b " &:6[!6X8Me9PGP; أZcuU^cAxAkY wܸR{JIY,dIɒTd+N\$.e%!Z-auRlKɶ!#Br'\wꐬ$d"ǔdNeyRN,4 L<"_FQ_m 8?sqBimn¥L"ZQJՊp5Q9ۏMz<͈ Oޣ OxɂZySWK5ܤIܤxF@]DC<+Vi:Y w{҉;M?a'q)|ԸtXlH:#T*jժ,U*?sI}X.t zyR(Tc0MABϢJ9WoK_x",V'e[Lu!5lys_qtTԱlKz ][m+H 0#!0Z-| 1"E;\eI)IZi[*8sŧiz Ɏ$KXcI+JE@ JB ucSsL+ y"UO%gǶBd r|c5=; aZE!hx,v6q!"A$1D@%~;\*Z'Q[܋ymM<4AL.q55PJC$v,g>+0Y-I8.yW@ };ZbҦ[{rұ2Z&n\kIDUJH[3 QFYн_SlKݗ: mR]*zL-ox? ΂`ȀmUZHc-9.I~q@%;+I]vu($qӆ:+^@MXH\%ilCl²[܄%<; Z\8 *%f"sWu Db5Ҥ׳aهz;ϼ$  D 9~eswZdƮ5.Ec w80")+:wCbDHXmX'q,[=fqHB=_c2hF3BAXc{{#ŵ훯>Ⱦ6ݹ/3ΐmU!Q OX?qxa"Vp=FM%Z(芈K9;<OP,?cx,+heƆe-[SXbW+lů3daD9fu+ lKtDX<,bXivq!:Ĺ*ϣOH'У{n0yFx(9Tr7Ҳ;h.~wux/;v҃V{Crbş-Rz˔.)㒥)0̝\B7{՗Џ/㮲+ķz4 /` f"^RhZsh~̽l7&fm]$5?hVr6`Flj[-0'/EQz\g3@]1{tѕ4^JYN+Y_ˮYʋSg%:$6dfph6+Nl$8&wUQqD3*o Sw$X-$g^&=_}|!|Ms-i x_ڋK۪_h"c}D`%2m/Aړ5iİO:X]^4bVd@/]j S}PC=nx.۶o4n;*Gf]=G? ځrUQo|֊[N{wҪ=WQJ9,&|4Ґtr'u[1~R^PAgXt~GD)Fѝߣ>Y?`CP}fɷw10c"^2QȏQ QE)ԝSTC^-A$ZDpSo\h;q'H|' D<;ҐDHQ#=t]Th6.KDŢW\3gv@R(kX5XFRw (G*׶'~/.X"j\d[0mgބؕĠAIB4FĸW\1n"IHU׼-R-wD9DNE0H*]^|u ~8]bɤ1=^Pl&qnf \95͂E / tCc%5S(5ub?=G/utIkb"]J1xy[O֘1h*B ǯ9=j"j+ jD-~0ǻi1zy \ 6M}^Šx!y?f׵Gao=!vcK;7ޟ6]4_q=!o7;G'Չ  mݹ]yrjLxnXE8av cIO⪠ہ9Ftk6٦KMµAʥ 8I֡QD#'2&U"cmުJ~RR,Cy^)?߹cWVRѪEr`0n­*^ֱ|z`! `z%Ed#usK%XSt^_8,6K&oMqLtxZډBL{R~|KAr|w\ۭ5]5)˔8&h@Jp?{wi/1~J+ɱF=Ν(9SF;6vCWѵATJ{=EJ-h>#Թ<׉?bu{ι\`{|Th ͬ-j%!V㬤]%I퓔`YeN&09ݱX.?DқQq߷~mF0+b[q{ZakLxt4Ӆ_~Z#ZNHh J;Y]~_!Ƅ!Pc |)W'nYVmIr .kh>a{' )(5 U@D8AnIݲY9Њ>co‹I`(8NB}x+VzO"?{| ̋XH t4*$:bm;A=~yDLROw\ND_K_!߰VIm{7R[ $y*?ZEDW# `xH(Fپ Eo]^ Cv% ^\<yS]ܕ h,/1~aNSc} 6$ER+/UL  [z.peL\ к|ŧtS_!m#!kA1HS*|k[7\_R0F$u2C:΁ Z]hIED#ThbGF#M=/׽nrj&[ք aAJzxsIA!1ׁ7,ǰlFLNH+Gl/u zQ8 +&(?,q E {GLƙ;fQWtB_$)FKdCE T&}fA=bAa~L­!RF·:=msMi0q>"(S[]ă0>]QPO:1 Ln 0GY:N+r P:ςys!aZ;ūAguUsp VH+^@03:}G`fڟ`WW_Y4uEz{'~{I[E.Z'}ҽlIk%w@/BP~ (By79hp(?g@ |OPisy;8oo.oӌr_;i_fCk(_6_ 05:;w~' >зAЧAg'?QF/3 3ϡ<Pw2a|/32C~.a.3Ư f _ *?UFk  {/>_?m.)>Crs~~3w7Y7{dwɹN2!(ofY NoT8\8_JeY+ OY射<(Ay>++P/nt3 ث : ?3/z^}AV&ir]!,.5P^eo4v+iA-{}yK֑`˼7((gG6+F.Э-'ވm]=g%Iy=0?$Mu{1پWߕ\)ܲ}:QOXE)9K8G#i@A1xZLԸʲGpoQV" #<5 b37}e\ 7㌠6ɧv {xuCZח͋Uc=tz}EPW4tȪ9(~H"7<R9Ì)螩z(oF =s~o̮- l>EM++J9wwr.Y〈b`>KjUUEVro VVjb`" ^x|Demګ.91C=b{hǬ[ɖb(wp E?&G^3ua^ʘE,e 'æȗጽIۯX ā` pTR Pcoy =s] YI4;Mܹ?|NF6.eа!7a,sv[F0 |w35<>7-3/DFlvK=c/,gn<΀=v`"-s(+0>L򟥕%v Uuv=ׇ"2cX =`?Gcax/MaMă n='IDπnuMf@gYl)VxRDNKPRJVr.Q ?nfoUTx/ē_| 3.qI[l=$~5|t,Cry´៴Dq+A%%}YQ v.yhFz%4yHRݤO[=$sDs݅ ߠ(b/<% *`>#.X&">m?'.}Nu;H' "@2dr]˼ˎXQYɶ<:d2֭kc'pg!MX0 <ձ]w O`7@#>Ƌrd{Go]kSsL%^cHPWFׁݞV Xo} 8lO.d|}ρ!XsCQ%7` =[-Hˍt/Asl+ 6-  `⎈me6iZDR*,E&f , ~sf㿞9QKז-9B<ok3)+o[wt-(odVw@8l6ږ?Y c/1k$~El=fҮ\)Vbʕ.Sܟ=Bȗa҃fHEX (K#LwEΠ8u vKѺ V7"aa^o1n,ـ9&@/6saȽgz`Z>]x O!0gWP Y-fE9ZqpR.C79=I }˦bn܌aB&cv L%g% s^೐|,/A-TT/>%h2bo _ Og |>":0X+n:' ^Ekb`!g˾t/Jz`g񳣸Fk+|vQJedv=̭Mӝo3a-d4džIkckj:()