Sussing the Sasser Worm

Avoiding similar problems in future

On Friday 7 May 2004, German police arrested an 18-year-old student near Rotenburg, North Germany. He is the alleged author of the Sasser worm.

Like many people who write self-replicating programs, the student showed little regard for consequences.

But Sasser was vicious and spread rapidly. Only days before the press was full of horror stories: the British coastguard's computers were down, British Airways flights were delayed because of problems with check-in desks, computers in Hong Kong hospitals and Taiwan post offices had stopped working.

Luckily the worm appears to have done little lasting damage and is easily removed. We may not be so lucky in future. What if it had erased our hard disks or scanned for credit card numbers rather than blindly replicating itself?

What is Sasser?

Sasser is a worm. Like a virus, a worm tries to replicate itself but this one doesn't use email as the means of infection. Instead, this one transmits itself directly over the internet from computer to computer taking advantage of a known (and fixed) security vulnerability in Microsoft Windows software as a backdoor into people's systems.

Once it has worked its way onto a host computer, it saves a copy of itself on the hard disk, changes the operating system so that this copy runs every time the computer starts up and tries to stop the user shutting down the computer.

Then comes the nasty part. It starts transmitting copies of itself over the internet using the computer equivalent of dialling random phone numbers. This means any computer that is connected to the net is potentially vulnerable. Of course not all these randomly-dialled computers will exist and many will be protected but it can try hundreds of systems a minute and it only needs to find a few to propagate itself.

Protect Yourself

The Sasser worm underlines the need for a multi-layered defence. To protect yourself against Sasser and its ilk:

•	First, you need a firewall. Microsoft Windows Firewall or a commercial firewall like McAfee, Symantec or Zonelabs will stop worms like Sasser connecting to your computer in the first place.
•	Second, you need to make sure your computer is up-to-date. Sasser exploited a vulnerability that Microsoft had already fixed and people with the latest versions of the Windows operating systems were not infected.
•	Third, anti-virus software can detect and stop viruses and worms (but only if they are kept up-to-date so that they know about the latest threats).
•	Fourth, RegistryProt prevents rogue programs from changing the system registry so that they automatically start when Windows boots up.