Security Experts Tracking New Sasser Variant
A third variant of the Sasser worm, Sasser.C, is closely related to the two earlier versions, but it spawns 1024 threads on infected systems.

With two variants of the Sasser worm already infecting computers through a recent vulnerability in Windows, security experts now are tracking a third version of the worm and an exploit that attacks the same flaw. Sasser.C is closely related to the two earlier versions of the worm, except for the fact that it spawns 1024 threads on infected systems, nearly 10 times the number created by Sasser and Sasser.B.

There also is a separate piece of code that attacks the weakness in the Windows LSASS (Local Security Authority Subsystem Service) component; it is a tool that generates traffic that closely resembles that of the Sasser worms. However, the tool only generates traffic on port 445, and does not attempt any FTP connections to the machine it is attacking. The tool also does not try to communicate over ports 5554 and 9996 the way that the worms do, according to an analysis of the exploit done by The SANS Institute, in Bethesda, Md.
The exploit also tries to learn the operating system type of the attacked PC and then send a shell back to a designated IP address. If this effort fails, the LSASS service crashes and the machine reboots.
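The port differences described above give defenders a simple way to triage flow logs. The following is an added example, not code from eWEEK or the SANS analysis: it separates hosts whose port-445 fan-out is accompanied by traffic on ports 5554 or 9996 from hosts that only touch port 445. The record format, addresses, threshold and verdict labels are assumptions made for illustration.

```python
from collections import defaultdict

LSASS_PORT = 445                # port both the worms and the tool use
WORM_ONLY_PORTS = {5554, 9996}  # ports the article attributes to the worms only
FANOUT_THRESHOLD = 3            # assumption: distinct 445 peers before flagging

# Constructed sample flow records, "src dst dst_port" (not real traffic).
SAMPLE_FLOWS = """\
10.0.0.5 10.0.1.10 445
10.0.0.5 10.0.1.11 445
10.0.0.5 10.0.1.12 445
10.0.0.5 10.0.1.10 9996
10.0.1.10 10.0.0.5 5554
10.0.0.9 10.0.2.20 445
10.0.0.9 10.0.2.21 445
10.0.0.9 10.0.2.22 445
10.0.0.7 10.0.3.1 445
this line is malformed
"""

def parse_flows(text):
    """Yield (src, dst, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2].isdigit():
            yield parts[0], parts[1], int(parts[2])

def classify_hosts(text, threshold=FANOUT_THRESHOLD):
    """Label each host that contacts many peers on 445."""
    peers_445 = defaultdict(set)   # host -> distinct peers contacted on 445
    worm_ports = defaultdict(set)  # host -> worm-only ports seen on its flows
    for src, dst, port in parse_flows(text):
        if port == LSASS_PORT:
            peers_445[src].add(dst)
        elif port in WORM_ONLY_PORTS:
            # Direction is not relied on: either endpoint counts.
            worm_ports[src].add(port)
            worm_ports[dst].add(port)
    verdicts = {}
    for host, peers in peers_445.items():
        if len(peers) >= threshold:
            verdicts[host] = "worm-like" if worm_ports[host] else "445-only"
    return verdicts

if __name__ == "__main__":
    for host, verdict in sorted(classify_hosts(SAMPLE_FLOWS).items()):
        print(host, verdict)
```

A "445-only" verdict is a lead rather than a conclusion, since ordinary Windows file sharing also uses port 445; the threshold should be tuned against a baseline of normal traffic.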