Sussing the Sasser Worm
Avoiding similar problems in future
On Friday 7 May 2004, German police arrested an 18-year-old student near Rotenburg, North Germany. He is the alleged author of the Sasser worm.
Like many people who write self-replicating programs, the student showed little regard for consequences.
But Sasser was vicious and spread rapidly. Only days before, the press was full of horror stories: the British coastguard's computers were down, British Airways flights were delayed because of problems with check-in desks, and computers in Hong Kong hospitals and Taiwan post offices had stopped working.
Luckily the worm appears to have done little lasting damage and is easily removed. We may not be so lucky in future. What if it had erased our hard disks or scanned for credit card numbers rather than blindly replicating itself?
What is Sasser?
Sasser is a worm. Like a virus, a worm tries to replicate itself, but this one doesn't use email as the means of infection. Instead, it transmits itself directly over the internet from computer to computer, taking advantage of a known (and fixed) security vulnerability in Microsoft Windows software as a backdoor into people's systems.
Once it has worked its way onto a host computer, it saves a copy of itself on the hard disk, changes the operating system so that this copy runs every time the computer starts up, and tries to stop the user shutting down the computer.
Then comes the nasty part. It starts transmitting copies of itself over the internet using the computer equivalent of dialling random phone numbers. This means any computer that is connected to the net is potentially vulnerable. Of course, not all these randomly-dialled computers will exist and many will be protected, but it can try hundreds of systems a minute and it only needs to find a few to propagate itself.
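The "random dialling" described above leaves a recognisable trace on a network: one machine contacting a very large number of different addresses in a minute, most of which never answer. The following is an added example, not part of the original article, showing how a defender could flag that pattern in connection logs. The log format (`timestamp source destination outcome`), the addresses and the thresholds are assumptions made for the illustration.

```python
from collections import defaultdict


def build_sample_log():
    """Constructed sample lines (not real traffic): 'timestamp source destination outcome'."""
    lines = []
    # Ordinary workstation: a handful of servers, contacted repeatedly, all answering.
    for i in range(40):
        lines.append(f"2004-05-03T09:00:{i:02d} 10.0.0.7 192.0.2.{1 + i % 3} ok")
    # Host behaving as the article describes: 150 different addresses in one
    # minute, most of which do not exist or do not answer.
    for i in range(150):
        outcome = "ok" if i % 25 == 0 else "fail"
        lines.append(f"2004-05-03T09:01:{i % 60:02d} 10.0.0.23 198.51.100.{1 + i} {outcome}")
    return lines


def find_scanners(lines, min_destinations=100, min_fail_ratio=0.5):
    """Return {(source, minute): (distinct_destinations, fail_ratio)} for sources
    that fan out to many addresses within one minute and mostly get no answer.
    Both thresholds are assumed values; tune them to the network being watched."""
    dests = defaultdict(set)
    attempts = defaultdict(int)
    failures = defaultdict(int)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash
        stamp, src, dst, outcome = parts
        key = (src, stamp[:16])  # truncate timestamp to YYYY-MM-DDTHH:MM
        dests[key].add(dst)
        attempts[key] += 1
        failures[key] += outcome == "fail"
    flagged = {}
    for key, seen in dests.items():
        ratio = failures[key] / attempts[key]
        # A busy server talks to many clients that answer; a scanning host
        # talks to many addresses that mostly do not.
        if len(seen) >= min_destinations and ratio >= min_fail_ratio:
            flagged[key] = (len(seen), round(ratio, 2))
    return flagged


if __name__ == "__main__":
    for (src, minute), (count, ratio) in find_scanners(build_sample_log()).items():
        print(f"{minute} {src}: {count} distinct destinations, {ratio:.0%} unanswered")
```

Counting distinct destinations rather than total connections keeps a machine that talks heavily to a few servers from being flagged.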
The Sasser worm underlines the need for a multi-layered defence. To protect yourself against Sasser and its ilk: