Weekly Report on Viruses and Intrusions – Sasser Worm Variants, DSScan, JohnTheRipper and Brutus.A
This week’s virus activity has centered on the epidemic caused by four variants of the Sasser worm. They are not the only malicious code to have emerged this week, however, so besides the Sasser worms this report also covers Netsky.AC, three hacking tools called DSScan, JohnTheRipper and Brutus.A, and the Briss.A Trojan.
The A, B, C and D variants of the Sasser worm have caused a widespread epidemic affecting users worldwide. These worms exploit a recently disclosed vulnerability in LSASS, the Local Security Authority Subsystem Service of several Windows versions (the flaw fixed by Microsoft security bulletin MS04-011). Because the exploit works over the network, the worms need no traditional means of transmission such as e-mail attachments: they scan for reachable Windows hosts and get in directly over the Internet through the LSASS service on TCP port 445. The four variants are very similar and differ only in the names of the files they create on the system and in the number of scanning threads they start in order to spread.
The exploit overflows a buffer in lsass.exe. Since LSASS is a critical system process, Windows shuts the machine down when it crashes, which is why affected systems restart every 60 seconds. To solve this problem it is not enough to scan and disinfect the computer with an updated antivirus; it is essential to install the patch released by Microsoft to fix the LSASS vulnerability (MS04-011), which can be downloaded from Microsoft.
As the computer is restarted every minute, users may not have enough time to eliminate the worm and download the Microsoft patch. One way around this is to put the system clock back by following the steps below:
– When the window warning that the computer is going to be restarted appears, double click on the clock in the bottom right corner of the screen.
– When the date and time settings screen opens, in the box showing the hours and minutes, set the time a few hours earlier than the time displayed.
The pending restart can also be cancelled by running shutdown -a from a command prompt. Either way, disconnect the computer from the network (or block incoming TCP port 445 with a firewall) before disinfecting and patching; otherwise it will be reinfected before the patch is in place.
Panda Software has made its PQRemove tools available to users. These applications not only disinfect computers but also restore the system settings altered by the worm.
One of the PQRemove tools is specifically designed for networks, and removes Sasser and all its variants from any network that may have been affected. It can be downloaded from: http://www.pandasoftware.com/support. The other PQRemove applications disinfect a single computer attacked by any of the Sasser variants. These can be downloaded from: http://www.pandasoftware.com/download/utilities.
Netsky.AC is a new variant of the family of mass-mailing worms that has plagued the Internet over the last few months. The most interesting aspect of this worm is the message hidden in its code, in which the authors boast that they also created the Sasser worms:
‘Hey, av firms, do you know that we have programmed the sasser virus?!?. Yeah thats true! Why do you have named it sasser? A Tip: Compare the FTP-Server code with the one from Skynet.V!!! LooL! We are the Skynet…
Here is an part of the sasser sourcecode you named so, lol’
Until the authors are caught, users should keep their guard up against the highly probable appearance of new variants. Judging by how the previous attacks were carried out, the authors of the Sasser and Netsky worms are probably putting the final touches to another dangerous malicious code which, as they have done so far, they will release at the weekend.
“These authors could try to create a virus that spreads via e-mail as well as exploiting the LSASS vulnerability. By doing this, it could get round the firewall protection that blocks the Sasser worms. This could be especially dangerous for companies that, as they have firewall protection installed, have not applied the Microsoft patches,” says Luis Corrons, head of PandaLabs.
DSScan.A, JohnTheRipper and Brutus.A are three hacking tools. They are legitimate tools that, in theory, are not designed to cause any damage; in the hands of an attacker, however, they serve for reconnaissance and password attacks.
DSScan.A is a network scanner that finds hosts vulnerable to the LSASS flaw exploited by Sasser; an administrator can use it to locate unpatched machines, and an attacker can use it to choose targets. JohnTheRipper.A (the password cracker John the Ripper) does not steal passwords as such: given the password hashes of a Unix system (/etc/shadow) or a Windows system (the SAM database) that an attacker has already obtained, it recovers the clear-text passwords offline by dictionary and brute-force guessing.
Brutus.A is a remote password cracker: it sends username and password guesses directly to a network login service (such as FTP, telnet, POP3 or HTTP authentication) until one is accepted. Brute force means trying every possible combination of characters until the correct password is found, so the time an attack takes grows exponentially with the password’s length and character set, and it is only practical against short or predictable passwords, or against services that neither lock accounts nor limit login attempts.
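The following script, added here as an illustration and not code from the report or from the tools it names, shows the two guessing techniques the paragraphs above describe: an exhaustive brute-force search over a character set and a dictionary attack with simple mangling rules, both run offline against password hashes (the John the Ripper case). The hashes, salt and wordlist are constructed for the example. It also contrasts a fast unsalted hash with a slow salted one (PBKDF2), which is the defender’s lever: the number of guesses is the same, but each one costs thousands of times more.

```python
"""Offline password guessing: brute force and dictionary attack against hashes.

Added example (not from the report, nor from John the Ripper or Brutus).
All hashes, the salt and the wordlist below are constructed for the demo.
"""
import hashlib
import itertools
import string
import time
from typing import Callable, Iterable, Optional, Tuple

LOWER = string.ascii_lowercase  # the character set the brute-force demo searches

HashFn = Callable[[str], str]


def sha256_hex(password: str) -> str:
    """Fast, unsalted hash: the kind of storage that makes brute force cheap."""
    return hashlib.sha256(password.encode()).hexdigest()


def pbkdf2_hex(password: str, salt: bytes = b"constructed-salt", rounds: int = 5_000) -> str:
    """Slow, salted hash: every guess costs `rounds` HMAC-SHA256 computations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def keyspace(charset_size: int, max_len: int) -> int:
    """Number of candidates brute_force() tries before giving up."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def brute_force(target: str, hash_fn: HashFn, charset: str, max_len: int) -> Tuple[Optional[str], int]:
    """Try every string over `charset` of length 1..max_len, shortest first.

    Returns (password or None, number of guesses made).
    """
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if hash_fn(candidate) == target:
                return candidate, guesses
    return None, guesses


def dictionary_attack(target: str, hash_fn: HashFn, wordlist: Iterable[str],
                      mangle: bool = True) -> Tuple[Optional[str], int]:
    """Try each word, optionally with the mangling rules crackers apply first:
    capitalised, digit suffixes, upper-case. Returns (password or None, guesses)."""
    guesses = 0
    for word in wordlist:
        candidates = [word]
        if mangle:
            candidates += [word.capitalize(), word + "1", word + "123", word.upper()]
        for candidate in candidates:
            guesses += 1
            if hash_fn(candidate) == target:
                return candidate, guesses
    return None, guesses


WORDLIST = ["admin", "password", "letmein", "sasser", "skynet"]  # constructed


def timed(fn, *args):
    """Run fn(*args) and return (result, elapsed seconds)."""
    start = time.perf_counter()
    result = fn(*args)
    return result, time.perf_counter() - start


if __name__ == "__main__":
    # A 3-letter lower-case password: trivial for brute force, 18278 candidates at most.
    (pw, n), secs = timed(brute_force, sha256_hex("abc"), sha256_hex, LOWER, 3)
    print(f"sha256  brute force: {pw!r} after {n}/{keyspace(26, 3)} guesses in {secs:.2f}s")

    # Same password and same 731 guesses, but each guess now costs 5000 rounds.
    (pw, n), secs = timed(brute_force, pbkdf2_hex("abc"), pbkdf2_hex, LOWER, 3)
    print(f"pbkdf2  brute force: {pw!r} after {n} guesses in {secs:.2f}s")

    # A "complex" password that is just a dictionary word with a capital letter
    # falls to mangling rules in a handful of guesses.
    (pw, n), secs = timed(dictionary_attack, sha256_hex("Sasser"), sha256_hex, WORDLIST)
    print(f"dictionary attack:   {pw!r} after {n} guesses in {secs:.2f}s")
```

The brute-force loop is the same whether the target is a hash file or a network login; the difference with a remote tool like Brutus is that every guess is a round trip the server can throttle or log, which is why account lockout and rate limiting matter there as much as slow hashing matters for stored passwords.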
Finally, Briss.A is a Trojan that stays memory resident and, every 24 hours, downloads and installs other malware on the computer without the user noticing. It also performs other actions, such as capturing certain key combinations typed by the user.
Like many other Trojans, Briss.A cannot spread by itself; it has to be placed on the victim’s computer by an attacker or delivered through the usual channels: floppy disks, e-mail attachments, Internet downloads, etc.