Sasser

from Wikipedia, the free encyclopedia

The computer worm Sasser (the name is a play on the English verb "to sass", meaning "to give cheeky answers", and on the fact that it exploits the LSASS service) spread at high speed in early May 2004 on computers running the Microsoft operating systems Windows 2000 and Windows XP.

Origin

The "official" name of the worm is W32.Sasser. The systems affected included computers at banks, travel companies and public institutions. The computers of the German Postbank, the Finnish Sampo Bank, Delta Air Lines and the European Commission, as well as those of other companies and authorities worldwide, were affected. Sasser's programmer, Sven Jaschan, a then 17-year-old student from Waffensen near Rotenburg (Wümme), was temporarily arrested on May 7, 2004. The then computer science student (vocational school) is also responsible for the viruses in the Netsky series.

Distribution

Sasser was not sent as an email attachment. As soon as a user connected to the Internet, the worm exploited a bug in a Windows system service called the Local Security Authority Subsystem Service (LSASS). When it found a vulnerable computer, it infected it with code that copied the actual worm from computers that were already infected. For this purpose it started an FTP server on port 5554.

The worm switched off the infected computer at irregular intervals. The material damage was difficult to measure because it essentially consisted of general productivity losses in companies and the fact that third parties (e.g. customers and interested parties) were temporarily unable to access and use Internet sites.

Within a short time, several variants of the worm appeared: Sasser.B, Sasser.C and Sasser.D (the original is called Sasser.A). In addition, an email worm called Netsky.AC exploited users' fear of Sasser: as the sender, it pretended to be a manufacturer of anti-virus software and, among other things, disguised itself as a program to remove Sasser.B.

Another worm, called Phatbot, closed the back doors that other worms had opened and, in the case of the Bagle or Mydoom worms for example, deleted the malware. Sasser, however, was modified by Phatbot so that Phatbot could learn all of the worm's IP addresses, and Phatbot followed Sasser to infect the computers that were already infected. This infection can be recognized by a file called wormride.dll in the Windows directory. If this file is present, the computer is infected with both worms.
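The two host indicators this article names, the worm's FTP server on port 5554 and the file wormride.dll in the Windows directory, can be checked together. The following is an added example, not part of the original article; it assumes Windows `netstat -ano` style output, and the function names and sample data are constructed for illustration.

```python
import os
import re
import tempfile

SASSER_FTP_PORT = 5554            # port of the worm's FTP server, per the article
PHATBOT_MARKER = "wormride.dll"   # marker file named in the article

# Matches a listening TCP socket line of `netstat -ano` output (assumed format).
LISTEN_RE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.IGNORECASE)

def listeners_on_port(netstat_text, port):
    """Return [(local_address, pid)] for TCP listeners on `port`."""
    hits = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group(2)) == port:
            hits.append((m.group(1), int(m.group(3))))
    return hits

def has_marker_file(windows_dir, name=PHATBOT_MARKER):
    """Case-insensitive lookup, since Windows file names ignore case."""
    try:
        return any(e.lower() == name.lower() for e in os.listdir(windows_dir))
    except OSError:
        return False  # directory missing or unreadable: nothing found

def triage(netstat_text, windows_dir):
    """Combine both indicators; a listener alone is a lead, not proof."""
    ftp = listeners_on_port(netstat_text, SASSER_FTP_PORT)
    marker = has_marker_file(windows_dir)
    verdict = ("sasser+phatbot indicator" if marker else
               "sasser indicator" if ftp else "no indicator")
    return {"verdict": verdict, "ftp_listeners": ftp, "marker_file": marker}

# Constructed sample input, not captured from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING       1432
  TCP    10.0.0.7:1045          10.0.0.9:445           ESTABLISHED     1432
"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:      # stand-in for %WINDIR%
        open(os.path.join(d, "WormRide.dll"), "w").close()
        print(triage(SAMPLE_NETSTAT, d))
```

The PID returned with each listener lets an analyst map the socket to the process that owns it before drawing a conclusion.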

Sasser infected an estimated two million computers. The worst attack to date, by the W32.Blaster worm, also known as Lovsan, infected 9.5 million computers and caused considerable financial damage worldwide, according to Microsoft estimates.

To locate the Sasser programmer, Microsoft offered a $250,000 reward.

The developer Sven Jaschan was sentenced on July 8, 2005 by the juvenile lay judges' court of the district court in Verden to a juvenile sentence of one year and nine months on probation and 30 hours of community service.

Trivia

The shutdown could be prevented with the command shutdown -a under Start > Run.
