Experts weigh Sasser-Netsky worm connection

Sasser first appeared on Friday and infected computers around the world

A message buried in a new version of the Netsky e-mail worm is claiming responsibility for the Sasser Internet worm, and computer security experts say there is evidence the claim is legitimate.

Analysis of the Sasser and Netsky code reveals many similarities between the two worms, even as a new version of Netsky appeared today that capitalized on fears caused by Sasser Internet worms by posing as an antivirus software patch, experts said.

Netsky-AC is the 30th version of the mass-mailing e-mail worm to be released since Netsky-A appeared in February. Like earlier versions of Netsky, the AC variant uses e-mail messages and infected file attachments to spread from computer to computer.

A message buried in the worm's code and directed to antivirus vendors claims responsibility for Sasser, which first appeared on Friday and infected computers around the world by exploiting a recently disclosed hole in a component of Microsoft Corp.'s Windows operating system called the Local Security Authority Subsystem Service, or LSASS (see story).

"Hey av firms, do you know that we have programmed the sasser virus?!? Yeah, thats true," the message reads, in part.

The message is attributed to "the Skynet," a virus-writing group that also claimed responsibility for other Netsky variants. The worm's author or authors included a sample of the Sasser worm's raw "source" code as proof of the legitimacy of the claim, said Graham Cluley, senior technology consultant at Sophos PLC.

Analysis of that code and other elements of the Sasser code reveals similarities with the Netsky worm, said Joe Stewart, senior security researcher at LURHQ, a managed security services provider in Myrtle Beach, S.C .

After being run through a computer code compiler, the source code matches samples of the finished worm that LURHQ researchers obtained, said Stewart.

Other parts of Sasser are also very similar to elements of Netsky. "If you take Netsky apart, you can see similarities in the style," he said.

Those similarities include almost identical code to generate random numbers and a number of subroutines that Sasser and Netsky both use to interact with Windows, Stewart said.

The proliferation of new Sasser variants within hours of the first worm's release, each with subtle modifications of the original worm, also recalls the Netsky worm's proliferation, Cluley said.

Recent Sasser variants, such as Sasser.C and Sasser.D, which were discovered today (see story), make changes to the worm's code that are designed to increase the number of infections. Sasser.C increases the amount of system resources devoted to searching for infected hosts. Sasser.D introduces a faster technique for determining whether Windows machines are online and worthy of infection attempts, though the change works only on Windows XP systems and causes Sasser to crash on computers running Windows 2000, Stewart said.

A similar pattern followed the release of Netsky-A, which most antivirus companies called a low risk when it appeared. Later versions of the worm improved on the first version and spread more widely. Netsky variants accounted for the top five viruses reported to Sophos in April, the company said.

However, the fact that Sasser contains code from Netsky doesn't mean the same person or persons created both viruses, Stewart said.

An author's message buried in the Netsky-K worm promised to be "the last version," after which the author would publish the worm's code on the Internet. Many more variants followed that release, and the code is believed to be widely available within virus-writing circles, meaning that Sasser could be the work of anybody with access to that code. The exploit code for the LSASS vulnerability was also circulated widely on the Internet in the days preceding Sasser's release, Stewart said.

"I think that they just saw the [LSASS] exploit out there and saw that it worked pretty well, so they borrowed elements of the code already written for Netsky and threw together [Sasser] in a short time frame," Stewart said.

However, Internet worms like Sasser have a shorter amount of time to spread than e-mail worms, which can continue to thrive as long as they find new ways to trick e-mail users. Despite the release of new variants, the rate of new Sasser infections was falling earlier today (see story). And the number of infected machines also appeared to be dropping, according to LURHQ statistics, Stewart said.

The decreases were most likely the result of Internet users heeding warnings about Sasser and patching vulnerable Windows systems or blocking the ports that Sasser uses to spread, he said.

Copyright © 2004 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon