[ISN] Worm feeds on Sasser-infected computers

From: InfoSec News (isn@private)
Date: Fri May 14 2004 - 01:40:53 PDT


    http://news.com.com/2100-7349_3-5212284.html
    
    By Robert Lemos 
    Staff Writer
    CNET News.com
    May 13, 2004
    
    Computers compromised by the Sasser worm may be vulnerable to a
    scavenging program that exploits a flaw in the software left behind by
    the worm, a security researcher said Thursday.
    
    The worm--dubbed Dabber--has started spreading to Microsoft Windows
    systems, but likely won't have a large impact, said Joe Stewart,
    senior security researcher with network protection firm Lurhq.
    
    "It is not going to be a big problem for anyone that is paying any
    attention at all to computer security," he said. "If somebody does get
    it, they probably already have Sasser and, most likely, Agobot as
    well."
    
    Dabber is not the first worm to exploit back doors into compromised
    systems left behind by previous attackers. Two worms, Doomjuice and
    Deadhat, infected systems already compromised with the MyDoom virus.
    
    However, Dabber may be the first worm to attack systems using a flaw
    in a previous malicious program. In this case, the file transfer
    protocol (FTP) server installed by Sasser to enable the worm to
    transfer itself to new hosts has a buffer-overflow vulnerability.  
    Dabber uses that security flaw to spread to the new machine.
    
    Once it copies itself to a new host, the worm will change the system
    settings so that the operating system runs the malicious program every
    time it starts up. Dabber will also attempt to block other worms,
    which may have infected the machine, from running.
    
    Finally, the worm will establish a back door into the software to
    allow knowledgeable attackers to take control of the system.
    
    The scavenging worm arrives as German police are investigating more
    leads in the Sasser case. Already, the suspected author has been
    arrested in that country, based on information leaked to Microsoft by
    informants interested in reward money.
    
    
    
    


