The Sasser worm will leave in its wake an estimated one million infected computers, 80% of which belong to home users and may never be disinfected or patched, providing ideal havens from which vandals can commit Internet fraud, send spam and launch distributed denial of service attacks.
And yet, the Sasser worm itself isn't the security
issue. Focusing only on the worm's technicalities
would sidetrack attention from its role in the
ongoing epidemic of malware-induced cyber crime.
The cyber crime epidemic
Worms today are the handiwork of those for
whom cyber crime, quite simply, affords lucrative
returns. Money, not notoriety, is now the inspiration.
Today there is a flourishing market for infected machines. Large blocks of infected machines that can be controlled remotely are openly offered for sale. Sobig demonstrated the close nexus between malware writers and spammers: machines infected by the Sobig mass mailing worm (which installed an open proxy on each machine) were offered to spammers at a fee of US$5000 for every 10000 compromised machines.
The thriving market for compromised machines has
swung the underworld into hyperactivity. The past
ten months have seen several hacker groups and
cyber crime syndicates setting up attack networks
(botnets) and releasing remote attack tools through
increasingly crafty malware like Blaster, Sinit,
MyDoom, Phatbot, Bagle, Netsky et al. In February of this year, business rivalry unleashed the Internet's biggest cyber war, between the creators of the MyDoom, Bagle and Netsky worms, forcing corporates to scurry for cover as the world looked on helplessly. Between 23rd January and 4th May, 24 variants of Bagle, 7 of MyDoom and 30 of Netsky were released (61 worms in roughly 100 days). The gangs embedded insults aimed at each other in their worm code, and launched direct attacks on their adversaries' compromised machines, deleting the rivals' registry entries and backdoors and installing their own remote access tools instead.
Sasser and cyber crime
The Sasser worm should be viewed against this
larger canvas. It was released on 30th April.
Three days later, the creators of Netsky claimed credit for the Sasser worm, with supporting evidence that convinced security experts of its veracity (the code and programming style of Sasser and Netsky are similar). On 7th May, following his arrest, an 18-year-old German student confessed to writing the Sasser worm. He is also suspected of writing the Netsky.ac variant that appeared three days after Sasser. Investigations are under way to establish the link between the Russian SkyNet Antivirus Group (believed to be responsible for the Netsky family of worms) and the German teenager.
The web of cyber crime chains linked across the
globe is emerging as much larger and more organized
than ever imagined.
On 8th May, the Sasser.E worm variant was released.
It has been programmed to remove registry entries
used by the Bagle worm variants, giving renewed
impetus to the ongoing gang war.
Sasser and Netsky merger
If more than 60 worms were released without much ado in 100 days, why should one Sasser worm kick up so much hype? Because, unlike Sasser, all the others were mass mailing worms that depended on user intervention to infect (a very big handicap). Unless the user opened an attachment, the e-mail worm would not propagate. But worm writers are wising up. The latest variant of Bagle does away with the attachment prerequisite altogether and spreads when a user opens the e-mail in an unpatched version of Microsoft Outlook; if the Outlook preview pane is enabled, merely selecting the message is enough to compromise the machine. But even with this infection vector, some user intervention is required.
Unlike the e-mail worms, Sasser requires no user intervention at all. It scans the network on its own for machines exposing the Local Security Authority Subsystem Service (LSASS) vulnerability; on finding one, it exploits the hole to obtain a remote command shell on that machine, and uses the shell to make the new host download a copy of the worm over FTP from a file transfer protocol server that the worm runs on the infecting machine. The copy then starts scanning in turn.
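The propagation sequence above maps onto a recognisable pattern in connection logs, and a small detector for it is a useful thing to have on hand. The Python script below is an added example, not code from the original article: it looks for hosts fanning out to many neighbours on the LSASS port and for the shell and FTP connections that follow a successful hit. The port numbers 445, 9996 and 5554 are the well-documented Sasser ports rather than figures stated in this article, and the log format, thresholds and every log line are constructed for the example.

```python
"""
Added illustration (not code from the original article): a small
detector for Sasser-style propagation in connection logs.

On the wire the sequence described in the article looks like:

  attacker -> victim    tcp/445   (LSASS exploit over the SMB port)
  attacker -> victim    tcp/9996  (command shell the exploit opens)
  victim   -> attacker  tcp/5554  (FTP download of the worm body)

The port numbers are the well-documented Sasser ports; they are not
stated in the article and are assumptions of this example.  The log
format, thresholds and every log line below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LSASS_PORT = 445
SHELL_PORT = 9996
FTP_PORT = 5554
SCAN_FANOUT = 5                     # distinct hosts hit on 445 ...
SCAN_WINDOW = timedelta(seconds=60)  # ... within this window = scanner

# Constructed sample log, one connection per line: "time src dst dport".
# 10.0.0.7 sweeps six hosts, pops a shell on 10.0.0.23, which then
# fetches the worm from 10.0.0.7's FTP port.  10.0.0.9 only touches
# two hosts and should not be flagged.
SAMPLE_LOG = """\
2004-05-01T10:00:01 10.0.0.7 10.0.0.20 445
2004-05-01T10:00:01 10.0.0.7 10.0.0.21 445
2004-05-01T10:00:02 10.0.0.7 10.0.0.22 445
2004-05-01T10:00:02 10.0.0.7 10.0.0.23 445
2004-05-01T10:00:03 10.0.0.7 10.0.0.24 445
2004-05-01T10:00:03 10.0.0.7 10.0.0.25 445
2004-05-01T10:00:04 10.0.0.7 10.0.0.23 9996
2004-05-01T10:00:05 10.0.0.23 10.0.0.7 5554
2004-05-01T10:00:30 10.0.0.9 10.0.0.40 445
2004-05-01T10:00:31 10.0.0.9 10.0.0.41 445
2004-05-01T10:10:00 10.0.0.23 10.0.0.50 445
"""


def parse(text):
    """Turn the four-field log into (timestamp, src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return events


def find_scanners(events):
    """Sources that touch SCAN_FANOUT distinct hosts on 445 inside SCAN_WINDOW."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport == LSASS_PORT:
            by_src[src].append((ts, dst))
    scanners = set()
    for src, hits in by_src.items():
        hits.sort()
        # Slide a window over the time-ordered hits and count distinct targets.
        for i in range(len(hits)):
            start = hits[i][0]
            seen = set()
            for ts, dst in hits[i:]:
                if ts - start > SCAN_WINDOW:
                    break
                seen.add(dst)
            if len(seen) >= SCAN_FANOUT:
                scanners.add(src)
                break
    return scanners


def find_infections(events, scanners):
    """Hosts that took a shell connection from a scanner and then pulled from its FTP port."""
    shelled = set()   # (scanner, victim) pairs with a 9996 connection
    infected = set()
    for ts, src, dst, dport in sorted(events):
        if src in scanners and dport == SHELL_PORT:
            shelled.add((src, dst))
        elif dport == FTP_PORT and (dst, src) in shelled:
            infected.add(src)  # victim fetching the worm body back from the scanner
    return infected


def analyse(text):
    """Run both stages and return a sorted verdict for the given log text."""
    events = parse(text)
    scanners = find_scanners(events)
    infected = find_infections(events, scanners)
    return {"scanners": sorted(scanners), "infected": sorted(infected)}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Run it as a script to print the verdict on the built-in sample; in practice feed it firewall or NetFlow records reduced to the same four fields, and tune the fan-out threshold to the size of the subnet. The two stages are deliberately separate: the fan-out on 445 alone gives an early warning, while the shell-then-FTP pair is the higher-confidence signal that a particular host has actually been taken.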
However, how far a vulnerability-exploit worm like Sasser spreads depends on how quickly users patch their vulnerable machines. The worm slows down as more and more users install the patch, turn on a firewall and update their antivirus, and it eventually fades away (unless a new variant comes along). E-mail worms, in contrast, tend to keep proliferating much longer: they arrive over e-mail, which a perimeter firewall lets through, and depend on the user rather than on an unpatched hole, so the defences that would have blocked a worm like Sasser do not stop them.
Security experts are now predicting the mutation
of Sasser by combining it with the Netsky worm.
The merger of Netsky and Sasser variants will
unleash attacks through both e-mail and software
vulnerabilities raising the launching pad of cyber
crime to the next higher level.
Holes, exploit codes and worms
Microsoft released a fix for the LSASS vulnerability
on 13th April in its MS04-011 patch. Within two
days, a public exploit to attack the vulnerability,
written by Hi_Tech_Assassin, was released on the
French language web site k-otik.
Indeed, exploits for five of the 14 vulnerabilities fixed in the MS04-011 release were on the Internet within six days, so one can be reasonably sure that worms using this exploit code will follow. As in the case of Sasser, however, the attack tools favoured by hackers will be upgraded with the new exploit code first, before any worm built on it appears.
Ironically, worms can go against the interests
of cyber crime syndicates because of the hype
and attention they generate. Usually, a worm is
the last in the exploit evolution chain. They
tend to be released only after other attack tools
have compromised sufficient machines.
Sasser and Agobot
One of the most favoured attack tools of hackers
and crime syndicates operating networks of compromised
Windows machines for Spam delivery or distributed
denial of service attacks is the Agobot/Phatbot
Trojan family. Known as bot software, these remote
attack tools can seek out and place themselves
on vulnerable computers, then run silently in
the background, allowing an attacker to send commands
to the system while its owner works away, unaware.
Hackers embedded the LSASS exploit code into the
Agobot Trojan a week before the release of Sasser.
The upgraded Agobot Trojan (Gaobot) is spreading
fast. It exploits machines with the LSASS hole
(much the same way as Sasser does) but more stealthily.
While many network administrators worry about
the Sasser worm, security experts are warning
that this quieter but equally damaging threat
is slowly gaining control of large networks of
computers. There is a high probability that machines
infected with Sasser are also infected with Gaobot.
The crime syndicates' improvements of the Sasser
worm and Agobot/Phatbot Trojan may make the Windows
LSASS security hole a more long-term security
menace, with new Sasser variants appearing while
Agobot/Phatbot Trojans set up new 'botnets' to
launch Spam and denial of service attacks. The
Sasser.F variant is already out. Coincidentally, the creator of Agobot was arrested on the same day as the creator of Sasser, both in Germany.
Investigations are on to confirm if there are
any links connecting Sasser, Agobot, and Netsky.
The bottom-line
Users should patch their systems, turn on the firewall, and install antivirus software to protect against Sasser and Gaobot (which is the greater threat). Though Sasser is the more rapidly spreading of the two, Gaobot is far more dangerous, because it gives criminals control of the infected computer. Note that the patch only closes the hole; it does not remove a bot that is already installed, so a machine found infected with Sasser should also be checked for Gaobot before it is trusted again.
Patch systems. Turn on firewalls. Install antivirus software.