Sasser
infectionvectors.com
Updated August 2004

Infection Vector: LSASS Vulnerability described in MS04-011
Impact: Medium (significant traffic generated), open FTP server
Sasser quickly became one of the most damaging and far-reaching worms in virus history, alongside Blaster, Nimda, Slammer, and CodeRed. Released within 3 weeks of the announcement of the Local Security Authority Subsystem Service (LSASS) buffer overflow vulnerability in April of 2004, Sasser tore through networks with exceptional speed.
Sasser finds targets by randomly selecting addresses, according to the following algorithm:

52% of the time no part of the local host's address is used; all four octets are random
25% of the time the first two octets of the local host's address are used; the last two are random
23% of the time the first octet of the local host's address is used; the last three are random
For every address generated, Sasser attempts to connect via TCP 445 and checks the returned SMB banner for vulnerable machines. If successful, the worm sends the LSASS exploit and shellcode, trying to force the machine to connect back to the originator and download the virus code. The infecting host runs an FTP server on TCP 5554 for this purpose; the victim machine opens the shell on TCP 9996.
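As an added defender-side example (not code from the original write-up): the selection split above makes an infected host's TCP 445 probing statistically distinctive. The script below, assuming constructed flow-log records and a hypothetical tolerance of 0.15 per bucket, classifies each destination by how many leading octets it shares with the source and flags a host whose mix matches the 52/25/23 split.

```python
# Added example (not the original write-up's code): profile a host's outbound
# TCP/445 attempts by leading octets shared with the source, then compare the
# mix with Sasser's documented 52/25/23 target selection. Log is constructed.
from collections import Counter
import ipaddress

# Fractions from the write-up: all random / first octet kept / first two kept.
SASSER_MIX = {"random": 0.52, "same_8": 0.23, "same_16": 0.25}

SRC = "10.20.30.40"  # constructed address of the host under review
SAMPLE_LOG = (  # constructed (src, dst, dst_port) records, as from flow logs
    [(SRC, f"172.16.{i}.9", 445) for i in range(10)]       # nothing shared
    + [(SRC, f"10.20.{i}.9", 445) for i in range(5)]       # first two octets shared
    + [(SRC, f"10.{100 + i}.1.9", 445) for i in range(5)]  # first octet shared
    + [(SRC, "10.20.1.1", 80)]                             # not port 445, ignored
)

def shared_octets(src, dst):
    """Number of leading octets src and dst have in common (0-4)."""
    s, d = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    n = 0
    for a, b in zip(s, d):
        if a != b:
            break
        n += 1
    return n

def bucket(src, dst):
    """Sasser selection case a destination is consistent with. A fully random
    pick shares the first octet 1/256 of the time, negligible at scan scale."""
    n = shared_octets(src, dst)
    return "same_16" if n >= 2 else "same_8" if n == 1 else "random"

def scan_profile(log, port=445):
    """Share of attempts to `port` per bucket, plus the attempt count."""
    counts = Counter(bucket(s, d) for s, d, p in log if p == port)
    total = sum(counts.values())
    profile = {k: (counts[k] / total if total else 0.0) for k in SASSER_MIX}
    profile["attempts"] = total
    return profile

def looks_like_sasser(profile, min_attempts=20, tol=0.15):
    """True when the sample is large enough and every bucket's share is
    within `tol` of the worm's documented mix."""
    if profile["attempts"] < min_attempts:
        return False
    return all(abs(profile[k] - v) <= tol for k, v in SASSER_MIX.items())
```

A host scanning only its own subnet, or one with too few attempts, does not match, which keeps ordinary local traffic from tripping the check.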
The following Registry modification is made:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
avserve2.exe=%Windir%\avserve2.exe
Each variant through F changes mutex names, thread count, etc. without substantial modification to the worm.

LSASS will crash if the exploit is successful, requiring the machine to restart.
UPDATE: Sasser.G

Released August 23, 2004, Sasser.G drops a copy of Netsky when it infects a machine. It spreads via randomly selected addresses and uses the same LSASS exploit as previous versions.