
Security Briefs: Worm Attacks Unpatched Computers; Apple Closes Vulnerability

Global organizations go offline to prevent Sasser damage; Apple patches QuickTime, OS X to close buffer overflow vulnerability

Countering Sasser Variants

A new worm, Sasser, is able to spread automatically—and rapidly—by simply finding an unpatched computer on the Internet. Multiple Sasser variants are making the rounds, infecting organizations around the world. Microsoft’s Web site slowed and even went offline briefly as users struggled to download a fix.

“W32.Sasser.B.Worm is a network-aware worm that exploits a known Microsoft vulnerability and spreads by scanning randomly chosen IP addresses on Microsoft systems that have not been patched,” notes Symantec.

“Sasser doesn’t require human interaction to spread. Unlike the Slammer worm which was only memory-resident, Sasser copies itself as a file and runs as a process in the background,” says David Endler, director of Digital Vaccine for intrusion prevention vendor TippingPoint.

Users with infected computers may experience frequent reboots and crashes, or see the following error message with a 60-second timer: “The system process ‘C:\WINDOWS\system32\lsass.exe’ terminated unexpectedly with status code -1073741819. The system will now shut down and restart.”

Sasser—four variants (A to D) have been found to date—exploits a Microsoft LSASS service vulnerability announced and patched by Microsoft in April 2004. Affected software includes Windows XP, Windows NT Service Packs 1 (SP1), 2, 3, and 4. Symantec notes previous versions of Windows are immune to all versions of Sasser so far, yet may be carriers, passing some variants on to others. For example, “W32.Sasser.B.Worm can run on, but not infect, Windows 95/98/Me computers.”

Sasser has reportedly affected a number of organizations around the world, including American Express in the United States, British Airways in Britain (with flights delayed as a result), 1,200 machines at the European Commission in Brussels, Hong Kong’s government systems, and 1,600 machines in Taiwan’s post office. So far, hundreds of thousands of machines have been affected worldwide.

“This case resembles the Blaster incident from August 2003,” says Mikko Hypponen, director of antivirus research at F-Secure. “Both were automatic worms using a relatively new hole in Windows and causing frequent reboots.”

After Microsoft issued its LSASS patch, working exploits appeared almost immediately, culminating in the fast-spreading Sasser. “This is another example of the increasing trend of automated worm exploitation typically following public exploit release by several days,” says Endler.

Antivirus provider Kaspersky Labs notes the worm was written using the Visual C compiler and is about 15 KB in size. “When launching, the worm registers itself in the system registry autorun key,” says the firm. The worm scans available IP addresses, then downloads and launches copies of the worm when able. “In order to do this the worm launches an FTP server on TCP port 5554 and on request from the victim computer, loads a copy of itself. For Sasser.A, a copy of the worm will be loaded under the name ‘_up.exe,’” says Kaspersky, where “_” is a random number. Not all worm variants follow that naming behavior.
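The two network behaviors Kaspersky describes above, random-address scanning and a file transfer served on TCP port 5554, both leave traces in ordinary connection logs. The script below is an added example written for this article; it is not a Microsoft, Symantec or Kaspersky tool. The log line format, the sample addresses, the destination ports in the sample, and the fan-out threshold (10 distinct destinations within 60 seconds) are all constructed assumptions for illustration; only port 5554 comes from the article.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample connection log (not from the article). Host 10.0.0.5 contacts
# twelve different addresses within twelve seconds (scan fan-out); 10.0.0.9 makes a
# few ordinary connections; 10.0.0.20 pulls a file from 10.0.0.5 on TCP 5554.
# The dport values on the scan lines are arbitrary sample data.
SAMPLE_LOG = (
    [f"2004-05-03T10:00:{i:02d} src=10.0.0.5 dst=10.0.7.{i} dport=445 proto=tcp"
     for i in range(1, 13)]
    + [
        "2004-05-03T10:00:05 src=10.0.0.9 dst=10.0.1.1 dport=80 proto=tcp",
        "2004-05-03T10:03:05 src=10.0.0.9 dst=10.0.1.2 dport=80 proto=tcp",
        "2004-05-03T10:09:05 src=10.0.0.9 dst=10.0.1.3 dport=80 proto=tcp",
        "2004-05-03T10:00:20 src=10.0.0.20 dst=10.0.0.5 dport=5554 proto=tcp",
    ]
)

# Assumed log format: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# From the article: Sasser serves copies of itself over FTP on TCP port 5554.
WORM_FTP_PORT = 5554


def parse_line(line):
    """Parse one log line into a dict; raise ValueError on unexpected input."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_scanners(events, threshold=10, window_seconds=60):
    """Return sources that reach at least `threshold` distinct destinations
    within any window of `window_seconds`. Scanning random addresses produces
    exactly this fan-out; ordinary clients rarely do."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append((e["ts"], e["dst"]))
    flagged = []
    for src, conns in by_src.items():
        conns.sort()  # chronological, so each window is a contiguous slice
        for i, (start, _) in enumerate(conns):
            seen = set()
            for ts, dst in conns[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                seen.add(dst)
            if len(seen) >= threshold:
                flagged.append(src)
                break
    return sorted(flagged)


def find_worm_ftp(events):
    """Return sorted (client, server) pairs for connections to the worm's FTP port.
    The server side of each pair is the host already carrying the worm."""
    return sorted({(e["src"], e["dst"]) for e in events if e["dport"] == WORM_FTP_PORT})


if __name__ == "__main__":
    evs = [parse_line(line) for line in SAMPLE_LOG]
    print("scanning hosts:", find_scanners(evs))
    print("transfers on TCP 5554 (client, server):", find_worm_ftp(evs))
```

The port-5554 rule identifies hosts that already carry the worm (the server side of the transfer) and the host that just fetched a copy (the client side), so both belong on the isolation list Symantec recommends; the fan-out rule catches an infected host even if a variant changes the transfer port.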

Microsoft recommends users take three steps for unpatched or Sasser-affected systems.

  1. Activate a software-based firewall such as the built-in Windows XP firewall or the free ZoneAlarm from Zone Labs.

  2. Install Microsoft’s 835732 “critical” update.

  3. Use a free tool from Microsoft or antivirus vendors to scan for the presence of Sasser.A, Sasser.B, Sasser.C, and Sasser.D, then automatically remove it.

In Sasser’s wake, Symantec reiterated best practices for security administrators to help protect their enterprise against this and future such attacks. They include deactivating any unneeded services, such as FTP, telnet, and Web servers; keeping patch levels up to date, especially on public-facing computers; enforcing password policies and requiring complex passwords; and blocking common file types used to transmit viruses as e-mail attachments, including .vbs, .bat, .exe, .pif, and .scr files. The firm also recommends fast isolation for any affected computers, and reiterating to employees that attachments shouldn’t be opened unless a user is certain of the attachment’s provenance and the sender’s intention.

For more information, see Microsoft’s “What You Should Know About the Sasser Worm and Its Variants” at http://www.microsoft.com/security/incident/sasser.asp.

RELATED STORIES

Report: Last Year Was Worst Ever for Viruses
http://info.101com.com/default.asp?id=4361

Killing Slammer Is Not Enough
http://info.101com.com/default.asp?id=234

= = =

Apple Patches QuickTime, OS X Remote Buffer Overflow Attack

Apple patched what vulnerability information provider Secunia characterizes as a “highly critical” vulnerability in its QuickTime software. The vulnerability affects Macintosh OS versions of Apple’s QuickTime 6.5 and iTunes 4.2.0.72.

eEye Digital Security, which discovered the vulnerability, said it could be used to run arbitrary code on a user’s computer. Apple counters that a successful attack could only “cause QuickTime to terminate.”

Either way, the culprit is a QuickTime extension, QuickTime.qts, which other applications use to access QuickTime functionality. “The vulnerability is reportedly caused due to an integer overflow within a routine used for copying Sample-to-Chunk table entries from the ‘stsc’ atom data in a QuickTime-format movie (.mov) into an array,” says Secunia. A specially crafted movie could take advantage of the vulnerability by writing too many entries to the table, causing a heap overflow.
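The defensive lesson from Secunia's description is that a count read from the file must be bounded by the bytes actually present before any table is sized or copied, and that the bound must be computed in a way that cannot itself overflow. The parser below is an added illustration written for this article, not QuickTime's code or the routine eEye analyzed. It relies on the documented stsc layout (an 8-byte atom header, one version byte, three flag bytes, a 32-bit entry count, then 12-byte entries of three 32-bit fields); the `MAX_ENTRIES` cap, the helper that builds test atoms, and the `wrapped_byte_count` function that models a 32-bit multiply are assumptions for illustration.

```python
import struct

ENTRY_SIZE = 12          # first_chunk, samples_per_chunk, sample_description_id (3 x uint32)
HEADER_SIZE = 8          # atom size (4 bytes) + atom type (4 bytes)
MAX_ENTRIES = 1_000_000  # assumption: sanity cap on any single table


class MalformedAtom(ValueError):
    """Raised when an stsc atom's declared structure does not fit its bytes."""


def build_stsc_atom(entries, declared_count=None):
    """Construct an 'stsc' atom (test helper, constructed data). `declared_count`
    lets a test write a count that disagrees with the entries actually present,
    which is what a crafted movie does."""
    count = len(entries) if declared_count is None else declared_count
    body = b"\x00" * 4                      # version (1) + flags (3)
    body += struct.pack(">I", count)        # declared number of entries
    body += b"".join(struct.pack(">III", *e) for e in entries)
    return struct.pack(">I4s", HEADER_SIZE + len(body), b"stsc") + body


def parse_stsc(atom):
    """Parse exactly one stsc atom, bounding the declared entry count by the
    bytes that actually follow it. Returns a list of (first_chunk,
    samples_per_chunk, sample_description_id) tuples."""
    if len(atom) < HEADER_SIZE + 8:
        raise MalformedAtom("atom too short for an stsc header")
    size, kind = struct.unpack_from(">I4s", atom, 0)
    if kind != b"stsc":
        raise MalformedAtom(f"not an stsc atom: {kind!r}")
    if size != len(atom):
        raise MalformedAtom("declared atom size does not match buffer length")
    (count,) = struct.unpack_from(">I", atom, HEADER_SIZE + 4)
    available = len(atom) - (HEADER_SIZE + 8)
    # Bound expressed as a division: count * ENTRY_SIZE is never computed
    # before the check, so a huge count cannot wrap to a small byte total.
    if count > available // ENTRY_SIZE or count > MAX_ENTRIES:
        raise MalformedAtom(
            f"stsc declares {count} entries but only {available} bytes follow")
    offset = HEADER_SIZE + 8
    return [struct.unpack_from(">III", atom, offset + i * ENTRY_SIZE)
            for i in range(count)]


def wrapped_byte_count(count, width_bits=32):
    """Model what a fixed-width multiply would yield for count * ENTRY_SIZE:
    the product reduced modulo 2**width_bits. A large count can wrap to a tiny
    byte total, which is why the parser above never sizes a table this way."""
    return (count * ENTRY_SIZE) % (1 << width_bits)


if __name__ == "__main__":
    good = build_stsc_atom([(1, 4, 1), (5, 2, 1)])
    print("parsed:", parse_stsc(good))
    crafted = build_stsc_atom([(1, 4, 1)], declared_count=0x15555556)
    try:
        parse_stsc(crafted)
    except MalformedAtom as exc:
        print("rejected:", exc)
    print("32-bit wrapped byte count for that declared count:",
          wrapped_byte_count(0x15555556))
```

The same pattern applies to every length-prefixed table in a container format: derive the allowed count from the remaining buffer length with a division, cap it with a fixed sanity limit, and only then allocate and copy.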

Security research and consultancy firm @stake also warned of a vulnerability in AppleFileServer (AFS), which affects OS X versions 10.2.8, 10.3.2, and 10.3.3. “AFP is a protocol used to remotely mount drives, similar to NFS or SMB/CIFS. AFP is not enabled by default. It is enabled through the Sharing Preferences section by selecting the ‘Personal File Sharing’ checkbox,” says @stake.

An attacker could cause a remote buffer overflow—before authentication even occurs—to attain administrator privileges. @stake says it successfully created a proof of concept; the exploit hasn’t been seen in the wild.

“If you do not need AFS, disable it. If you do need it, upgrade to the latest version of Panther,” notes @stake.

Apple addressed the above issues and several others in its 2004-04-05 security update.

Link to Apple advisory:
http://docs.info.apple.com/article.html?artnum=61798

Link to QuickTime 6.5.1:
http://www.apple.com/quicktime/download/

RELATED STORY

Alert: British Security Suffers; Apple Patches 14 Vulnerabilities
http://info.101com.com/default.asp?id=3488

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.
