[ISN] Sasser infections hit Amex, others

From: InfoSec News (isn@private)
Date: Thu May 06 2004 - 03:09:59 PDT

  • Next message: InfoSec News: "Re: [ISN] [Vmyths.com ALERT] Hysteria over ''Sasser'' worm"

    By Paul Roberts
    IDG News Service
    Security experts are continuing to issue warnings about the Sasser
    Internet worm as organizations struggled to clean up the damage caused
    by infected hosts.
    American Express joined a number of U.S. universities in reporting
    infections from the Sasser worm on Monday and the SANS Institute's
    Internet Storm Center (ISC) maintained a yellow warning Tuesday
    despite expectations earlier in the day that the Sasser outbreak would
    wind down Monday, according to interviews.
    Sasser exploits a recently disclosed hole in a component of
    Microsoft's Windows operating system called the Local Security
    Authority Subsystem Service, or LSASS. Microsoft released a software
    patch, MS04-011, on April 13.
    The SANS Institute's Internet Storm Center said on Monday that it was
    maintaining its yellow alert, indicating a "significant new threat" on
    the Internet due to "the continuing spread of Sasser and other
    malicious code targeting the MS04-011 vulnerabilities," according to
    the ISC.
    Among other things, modifications in new Sasser variants Sasser.C and
    Sasser.D, which appeared on Monday, prompted the ISC to maintain the
    yellow alert on Tuesday. Internet Storm Center chief technology
    officer Johannes Ullrich said he expected Sasser to die down Monday,
    prompting a return to the "green" status by the end of the day.
    American Express experienced Sasser infections on employee desktops
    beginning Sunday that disrupted the company's internal networks, but
    did not have an impact on customer services according to Judy Tenzer,
    a company spokeswoman.
    American Express refused to reveal how many computers were affected,
    or how the worm penetrated the company's network, but the infections
    were limited to employee desktops and did not affect critical servers
    at the company, she said.
    Reports surfaced Monday of unexplained computer problems at other
    companies, as well.
    Delta Airlines experienced technical difficulties on Saturday that
    forced the cancellations of some flights. The computer problems began
    at 2:50 P.M. local time on Saturday and were fixed by 9:30 Saturday
    evening, said Katie Connell, a Delta spokeswoman.
    Connell would not common on the cause of the problems, or which
    systems were affected, citing a continuing investigation. Delta does
    use Microsoft products and the Windows operating system, she said.
    In Boston, colleges and universities felt the effects of the worm,
    according to David Escalante, director of computer policy and security
    information technology at Boston College (BC), in Chestnut Hill, Mass.
    Around 200 machines on BC's campus network were infected with Sasser,
    most of them laptop and desktop computers owned by students, he said.
    BC blocked traffic on port 445, which is used by the Sasser worm to
    spread, before the outbreak. IT staff are analyzing the infections,
    which may have come from students who brought infected laptops back
    onto campus from home, Escalante said.
    Staff are also struggling with complications caused by Sasser, which
    causes many Windows XP and Windows 2000 machines to crash repeatedly,
    preventing students from logging onto the desktop and installing the
    appropriate software patch.
    Making matters worse, BC students are approaching final exam period.  
    The Sasser outbreak prompted a run on the student computer center
    Saturday, with panicked students worried about the welfare of term
    projects and other materials on Sasser-infected machines, he said.
    Other schools also faced large-scale outbreaks, including more than
    1,000 machines at Boston University, according to a source.
    Among leading financial services companies, the impact of Sasser was
    generally light. Companies including Citibank and Lehman Brothers
    Holdings had around a dozen Sasser infections, rather than hundreds or
    thousands of systems infections, according to a source.
    Microsoft's recent decision to move from weekly to monthly software
    patches has raised the stakes for companies that ignore the security
    bulletins and updates, said Firas Raouf, COO of eEye Digital Security,
    which discovered the LSASS vulnerability.
    "Now you have a handful of vulnerabilities that are addressed by a
    single patch, so if you don't deploy a patch, you're opened four or
    five doors to your network," he said.
    Large companies are often reluctant to press software patches into
    service out of fear they will break critical applications used by
    employees or customers. However, waiting too long to apply a software
    patch exposes companies to infection by a worm or virus that takes
    advantage of the software hole fixed by the patch, Raouf said.
    The most important thing is for organizations to have a process in
    place to handle new vulnerabilities when they are revealed so that
    they can act quickly to scan for vulnerable machines, test patches,
    deploy patches or apply workarounds as needed, he said.
    ISN mailing list
    Sponsored by: OSVDB.org

    This archive was generated by hypermail 2b30 : Thu May 06 2004 - 04:56:23 PDT