Flash Update (May 3rd 09:30 AM): We did receive some initial reports about a significant rise in ICMP traffic, which may point to a new worm with a Nachi-style ICMP component.

Sasser/SasserB and SasserC are just one component of multiple MS04-011 exploits threatening networks

SasserC, reported by Joe Stewart of security service provider LURHQ (http://www.lurhq.com), is currently undergoing analysis. Joe reports that SasserC spawns 1024 threads to attack other systems, and it seems poised to torch networks that are not patched for the MS04-011 vulnerabilities. Let's hope MS shares some real-time numbers of infected systems from their customers' use of the Microsoft Sasser cleaning tool (link below). In addition, Gaobot variants are actively exploiting systems using MS04-011 vulnerabilities too.

Speaking of Gaobot variants, the ISC has received quite a few submissions of suspected malware this week from participants for analysis. The suspected malware failed detection by vendor malware scanning applications. Our recent experience with submitting the new variants to the vendors for confirmation, identification and deployment of new definitions to detect the obvious malware indicates that there is a 72-hour lag between submission and deployment of definitions to detect the malware. During that time, many universities are reporting that the malware is causing disruptions and incident responses ranging from minor to major.
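As an added illustration (not part of the diary or any handler's code) of how a network operator could spot the two behaviours described above, the ICMP sweep and the aggressive multi-threaded scanning for unpatched MS04-011 hosts, the script below counts per-source destination fan-out over constructed firewall-style log lines. It assumes a simple "time proto src -> dst" log format and that Sasser-style scanning shows up as many distinct targets on TCP/445 (the LSASS port Sasser attacks), while a Nachi-style component shows up as many ICMP echo-request targets; the thresholds are placeholders to tune for your network.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the diary). Assumed format:
# "<time> <proto> <src> -> <dst>[:port]" ; ICMP lines carry "type=8" for echo request.
SAMPLE_LOG = """\
09:30:01 TCP 10.1.2.50 -> 10.1.3.7:445
09:30:01 TCP 10.1.2.50 -> 10.1.3.8:445
09:30:01 TCP 10.1.2.50 -> 10.1.3.9:445
09:30:02 TCP 10.1.2.50 -> 10.1.3.10:445
09:30:02 TCP 10.1.2.50 -> 10.1.3.11:445
09:30:02 TCP 10.1.2.51 -> 10.1.3.7:445
09:30:03 ICMP 10.1.2.77 -> 10.1.4.1 type=8
09:30:03 ICMP 10.1.2.77 -> 10.1.4.2 type=8
09:30:03 ICMP 10.1.2.77 -> 10.1.4.3 type=8
09:30:04 ICMP 10.1.2.77 -> 10.1.4.4 type=8
09:30:04 ICMP 10.1.2.78 -> 10.1.4.1 type=8
"""

LINE_RE = re.compile(r"^\S+ (TCP|ICMP) (\S+) -> (\S+?)(?::(\d+))?(?: type=(\d+))?$")

def scan_fanout(log_text, tcp_port=445, tcp_threshold=4, icmp_threshold=3):
    """Return {src: reason} for sources whose distinct-destination fan-out
    exceeds a threshold: many TCP/445 targets (Sasser-style LSASS scanning)
    or many ICMP echo-request targets (Nachi-style sweeping).
    Thresholds are hypothetical; tune them to the normal fan-out on your network."""
    tcp_targets = defaultdict(set)
    icmp_targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        proto, src, dst, port, icmp_type = m.groups()
        if proto == "TCP" and port == str(tcp_port):
            tcp_targets[src].add(dst)
        elif proto == "ICMP" and icmp_type == "8":
            icmp_targets[src].add(dst)
    flagged = {}
    for src, dsts in tcp_targets.items():
        if len(dsts) >= tcp_threshold:
            flagged[src] = f"{len(dsts)} distinct hosts on TCP/{tcp_port}"
    for src, dsts in icmp_targets.items():
        if len(dsts) >= icmp_threshold:
            flagged[src] = f"{len(dsts)} distinct ICMP echo targets"
    return flagged

if __name__ == "__main__":
    for src, reason in scan_fanout(SAMPLE_LOG).items():
        print(f"{src}: {reason}")
```

Distinct destinations per source, not raw packet counts, are what separate a scanning host from a busy but legitimate one; the output here is a candidate list to isolate and clean with the tools linked below, not a verdict.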
In an effort to reduce their own support costs, many network operators are referring owners of infected systems to Microsoft for support and cleanup help. Microsoft provides free support for virus and trojan infection cleanup: "Get Help with Security and Virus-related Issues" - "Get free help by phone: 1 (866) 727-2338 (Toll free; US and Canada only)" http://www.microsoft.com/security/protect/support.asp

ISC and ISC Participants - MS04-011 exploits and Malware Analysis

Handlers and ISC participants contributing to this weekend's analysis (links next) were: Lorna Hutcheson, Toby Kohlberg, Scott Fendley, David Tulo (Senior Network Forensics Engineer), Joe Stewart (GCIH, Senior Security Researcher, LURHQ) and Eric Jacobsen (Snort signature). We would also like to extend a big thanks to all of the other ISC participants who took the time this week to submit their reports of suspicious activity, files of suspected malware and individual efforts at analysis of the exploitation of the Microsoft vulnerabilities announced over the last 6 months!
ISC and ISC Participant analysis of MS04-011 exploits and Sasser information:
Handler's Diary May 1st 2004: http://isc.sans.org/diary.php?date=2004-05-01
Handler's Diary April 30th 2004: http://isc.sans.org/diary.php?date=2004-04-30

Sasser Removal Tools
Symantec W32.Sasser Removal Tool: http://www.sarc.com/avcenter/venc/data/w32.sasser.removal.tool.html
F-Secure Sasser Removal Tool: ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.zip and ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.exe
McAfee Sasser Removal Tool: http://vil.nai.com/vil/stinger
Microsoft's Sasser Removal Tool: http://www.microsoft.com/downloads/details.aspx?FamilyId=76C6DE7E-1B6B-4FC3-90D4-9FA42D14CC17&displaylang=en
"Step 4: Review Additional Technical Resources - If the cleaning tool above doesn't work for you, use the free worm removal tool available at your preferred antivirus software vendor's Web site"

AV Vendor and Other Sasser Analysis links
LURHQ analysis: http://www.lurhq.com/sasser.html
Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html and http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.b.worm.html
RAV: http://www.rav.ro/virus/showvirus.php?v=214 and http://www.rav.ro/virus/showvirus.php?v=215
F-Secure: http://www.f-secure.com/weblog/ , http://www.f-secure.com/v-descs/sasser.shtml and http://www.f-secure.com/v-descs/sasser_b.shtml
McAfee: http://vil.nai.com/vil/content/v_125007.htm and http://vil.nai.com/vil/content/v_125008.htm
Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.A
CA: http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=39012 and http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=39021

Microsoft's Sasser Warning and Tool Information
Yesterday, May 1st, the top announcement at Microsoft.com was and still is "Sasser Worm: Important Information - What to do to protect against or remove the worm - Actions you can take" (click the radio button and there's a tool for removal). http://www.microsoft.com
"Step 3: Automatically Check For and Remove Sasser - You can use this tool to search your hard drive for and try to remove the Sasser worm and its variants. To do so, click Check My PC for Infection." Also: "Note If you'd like to run this scanning and cleaning tool manually, you can access it from the Microsoft.com Download Center"
Patrick, May 3rd 2004