Update: Sasser and Gaobot Worm Variants Attack IIS

New worms are spreading that can penetrate the security of unpatched Microsoft IIS Web servers. At least four variants of the Sasser worm (Sasser.A, Sasser.B, Sasser.C, and Sasser.D) and at least one variant of the Gaobot worm can take advantage of vulnerabilities in the Local Security Authority Subsystem Service (LSASS).

According to analyses performed by managed security services company LURHQ the Sasser worms appear to be written by the same people who wrote the series of Netsky worms. LURHQ Threat Intelligence Group said it has found evidence of a common source code base between the two worms.

The company also outlined basic differences in the Sasser worms discovered to date and said that more variants may be on the way. The analysis report states that "[differences] between variant A and B were changes to the code to implement a psuedo-forking mechanism when exploiting hosts. Variant C changed the number of scanning threads to 1024 instead of 128. Variant D changed the number of scanning threads back to 128 and implemented a ICMPSendEcho API call prior to connecting to a host via TCP in order to speed up scanning (much in the same way the Welchia worm does). Due to a bug, the D variant does not appear to run on Windows 2000, so an E variant may be forthcoming shortly."

Microsoft has released Security Bulletin MS04-011 along with a related patch as well as the article  "What You Should Know About the Sasser Worm and Its Variants" and a tool that can help clean up systems that become infected with Sasser. But be aware that the Internet Storm Center reports that some systems infected with Sasser have also simultaneously become infected with Gaobot/Agobot/Phatbot variants so additional measures might be required to ensure system integrity, including restoring systems from backups or completely rebuilding affected systems.

The worms penetrate a system and then spawn an FTP server on particular ports, which allows the worm to spread to other systems. Although the worms are one problem related to the vulnerabilities addressed with Microsoft's MS04-011 patch, there are other non-worm-related exploits in use that can take advantage of systems that don't have the MS04-011 patch installed. Administrators should update their antivirus software as well as their Intrusion Detection System (IDS) software, and ensure that firewalls don't let arbitrary ports  become open.