Sasser worm exposes patching failures
By Ellen Messmer, Network World, 05/10/04
Organizations that evaded last week's Sasser worm infestation
credited vigilant patching processes and preventative measures
such as installing server-based behavior-blocking software and
worm filtering gateways.
Anti-virus software, on the other hand, was of limited use in
stopping the four known variants of Sasser because the worm could
re-infect machines even with the most up-to-date virus signatures,
says Vincent Gullotto, vice president at Network Associates' Avert
Labs. "If you don't have the [Windows] patch in place, this
can happen," he says.
According to Mikko Hypponen, head of anti-virus research at
F-Secure in Helsinki, Finland, the Sasser worm variants don't
delete files or leave Trojans. This makes it a fairly benign worm
and a lot like the Blaster worm of last August. Like Blaster,
damage stems from Sasser's intense network scanning, which can
paralyze networks.
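The scanning behaviour described above is also what makes a worm like Sasser visible on the inside of a network: one host suddenly opening connections to a very large number of distinct addresses on a single port, far beyond what any normal client does. The following added example (not part of the original article, and not any vendor's product logic) shows a simple sliding-window fan-out detector run over a constructed flow log. It assumes a flow-log line format of "timestamp src dst dport", uses TCP/445 because that is the port Sasser is known to sweep when looking for the LSASS service, and picks a 10-second window and a threshold of 20 distinct destinations purely for illustration; real thresholds should be tuned against a baseline of the network's legitimate SMB traffic.

```python
"""Fan-out detector for worm-style scanning in flow logs.

Added illustration, not code from the article or from any vendor named in it.
The flow format, port, window and threshold are assumptions for the demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def constructed_flows():
    """Return a small constructed flow log (not captured traffic).

    Host 10.1.2.3 sweeps 60 addresses on TCP/445 in 12 seconds (worm-like).
    Host 10.1.5.7 repeatedly contacts the same three file servers (normal).
    """
    lines = []
    t0 = datetime(2004, 5, 3, 9, 0, 0)
    for i in range(60):
        ts = t0 + timedelta(milliseconds=200 * i)
        lines.append(f"{ts.isoformat()} 10.1.2.3 10.1.3.{i + 1} 445")
    for i in range(60):
        ts = t0 + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 10.1.5.7 10.1.9.{(i % 3) + 1} 445")
    return "\n".join(lines)


def parse_flows(text):
    """Parse 'timestamp src dst dport' lines into (time, src, dst, port)
    tuples sorted by time; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    records.sort(key=lambda r: r[0])
    return records


def find_scanners(records, port=445, window=timedelta(seconds=10), threshold=20):
    """Sliding-window fan-out check.

    For each source, count the distinct destinations it contacted on `port`
    within any `window`-long interval. Return {src: peak_fanout} for the
    sources whose peak exceeds `threshold`.
    """
    recent = defaultdict(deque)                     # src -> (time, dst) in window
    live = defaultdict(lambda: defaultdict(int))    # src -> dst -> hits in window
    peak = defaultdict(int)
    for t, src, dst, dport in records:
        if dport != port:
            continue
        q, counts = recent[src], live[src]
        # Expire flows that fell out of the window.
        while q and t - q[0][0] > window:
            _, old_dst = q.popleft()
            counts[old_dst] -= 1
            if counts[old_dst] == 0:
                del counts[old_dst]
        q.append((t, dst))
        counts[dst] += 1
        peak[src] = max(peak[src], len(counts))
    return {src: n for src, n in peak.items() if n > threshold}


if __name__ == "__main__":
    for src, fanout in find_scanners(parse_flows(constructed_flows())).items():
        print(f"possible scanner {src}: {fanout} distinct hosts on 445 in 10s")
```

Fan-out by distinct destination, rather than raw connection count, is what separates a sweeping worm from a busy but legitimate SMB client: the file-server client above produces just as many flows but never exceeds three distinct peers. The same logic applies to a switch's flow export or a firewall log once the parser is adapted to that format.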
Among those experiencing Sasser's sting last week were American
Express, Goldman Sachs, Air Canada, British Airways, Germany's
Deutsche Post, the European Commission and several schools,
including the University of California, Irvine and University of
Massachusetts at Amherst.
"It affected some of our support systems and caused a
degree of disruption internally," says Lucas Banpraag, a
Goldman Sachs spokesman. "It delayed processing of some
orders."
The Sasser worm infested the financial firm's network a week
after hitting its offices in Asia. Goldman Sachs is reviewing how
it prioritizes patch management and wants better guidance from
Microsoft, the spokesman says.
Microsoft had made the patch for the Local Security Authority
Subsystem Service (LSASS) vulnerability that Sasser exploits
available more than two weeks earlier, and had rated it critical.
But the sheer size of some organizations makes it hard for them
to patch all systems, says Alfred Huger, senior director of
engineering for security response at Symantec.
Wolters Kluwer, an 18,500-employee firm in Amsterdam that
provides legal information services, got hit with Sasser.
"It was only half a dozen PCs out of hundreds," says
Mike Antico, CTO for the firm's North American divisions.
"How did these people escape being patched? We think it's
because they bring in portable computers."
Many corporations test patches before applying them to
machines, particularly critical servers, so the larger the
organization, the harder it is to complete that testing before a
worm appears that exploits the newly identified hole.
Companies say they are turning to other defensive measures
above and beyond simply patching. One of these is behavior-based
software that blocks worms and other types of attacks by
recognizing suspicious activity.
"Our Windows environment was patched within three days of
the released [LSASS] patch, except for one server where a critical
system needed to be regression-tested longer," says Eben
Barry, manager of IT operations at Network Health, a Medicaid
insurance provider in Cambridge, Mass. Luckily, this time the
delay did not result in an infection.
The organization has deployed Sana Security's Primary Response
software on its patched and unpatched servers, and configured it
in advance to limit what a Sasser exploit could do on a server.
Other firms say worm-blocking barriers at the Internet gateway
stopped Sasser's flood from striking them.
Andre Foster, vice president of IT at Cable Bahamas in Nassau,
says he set up TippingPoint Technologies' UnityOne appliance to
filter out Sasser after seeing Blaster sap the service provider's
network capacity last year.
Mark Georgis, network administrator at Long Beach Transit in
California, says he used Fortinet's FortiGate appliance to block
Sasser coming in from the Internet and monitored for any worm
outbreaks on the inside with Network Instruments' Observer tool.
But luck was on his side, too, as Georgis acknowledges that not all
of the organization's patching was up to date.
"I was scared to death," he says. The Sasser scare
now has him setting up his LANDesk systems management tool to
automate patch updates to desktops the minute they're available.
RELATED LINKS
Microsoft LSASS patch