IDG News Service - A message buried in a new version of the Netsky e-mail worm is claiming responsibility for the Sasser Internet worm, and computer security experts say there is evidence the claim is legitimate.
Analysis of the Sasser and Netsky code reveals many similarities between the two worms, even as a new version of Netsky appeared today that capitalized on fears caused by Sasser Internet worms by posing as an antivirus software patch, experts said.
Netsky-AC is the 30th version of the mass-mailing e-mail worm to be released since Netsky-A appeared in February. Like earlier versions of Netsky, the AC variant uses e-mail messages and infected file attachments to spread from computer to computer.
A message buried in the worm's code and directed to antivirus vendors claims responsibility for Sasser, which first appeared on Friday and infected computers around the world by exploiting a recently disclosed hole in a component of Microsoft Corp.'s Windows operating system called the Local Security Authority Subsystem Service, or LSASS (see story).
"Hey av firms, do you know that we have programmed the sasser virus?!? Yeah, thats true," the message reads, in part.
The message is attributed to "the Skynet," a virus-writing group that also claimed responsibility for other Netsky variants. The worm's author or authors included a sample of the Sasser worm's raw "source" code as proof of the legitimacy of the claim, said Graham Cluley, senior technology consultant at Sophos PLC.
Analysis of that code and other elements of the Sasser code reveals similarities with the Netsky worm, said Joe Stewart, senior security researcher at LURHQ, a managed security services provider in Myrtle Beach, S.C .
After being run through a computer code compiler, the source code matches samples of the finished worm that LURHQ researchers obtained, said Stewart.
Other parts of Sasser are also very similar to elements of Netsky. "If you take Netsky apart, you can see similarities in the style," he said.
Those similarities include almost identical code to generate random numbers and a number of subroutines that Sasser and Netsky both use to interact with Windows, Stewart said.
The proliferation of new Sasser variants within hours of the first worm's release, each with subtle modifications of the original worm, also recalls the Netsky worm's proliferation, Cluley said.
Recent Sasser variants, such as Sasser.C and Sasser.D, which were discovered today (see story), make changes to the worm's code that are designed to increase the number of infections. Sasser.C increases the amount of system resources devoted to searching for infected hosts. Sasser.D introduces
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
