Noah Wooten
Mr. Kugler, Mr. Wright, and Mrs. McCutcheon
2nd Period
October 2nd 2017
This article describes one of the CVEs used by the Sasser Windows worm. A CVE, or Common Vulnerabilities and Exposures entry, is a way to track security holes in various programs and operating systems. The article describes a buffer overflow, where an application fills its “buffer”, a pool of memory it has access to, with arguments that overwrite its own memory in order to exploit various critical system processes. An argument is something you add to a command. For example, the “echo” command spits back the argument you provided to it, so “echo asdf” would display “asdf” on your screen; the argument of that command is ‘asdf’. The buffer overflow is achieved by sending too many arguments for LSASS.exe to parse, after which the overflow can write its own code remotely. This allows programs to overwrite a normal Microsoft service with their own malicious one. The Sasser worm exploits a hole in LSASS, or Local Security Authority Subsystem Service, which handles permissions. The worm causes a buffer overflow in LSASS.EXE to obtain system permissions and complete its payload.
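The paragraph above explains the overflow in terms of an argument that is too long for the buffer meant to hold it. The C program below is an added example written for this page, not code from the article or from Microsoft: it shows the defect pattern (a copy into a fixed-size buffer with no length check) next to the hardened form that rejects anything that does not fit. The 16-byte buffer size, the function names and the 40-character oversized argument are all assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical 16-byte argument buffer, standing in for the fixed-size
 * buffer the paragraph describes; the size is an assumption for illustration. */
#define ARG_BUF_SIZE 16

/* The defect pattern: copy an argument into a fixed buffer with no length
 * check. strcpy writes the whole source, so an argument of ARG_BUF_SIZE
 * bytes or more runs past the buffer into whatever the compiler placed
 * next to it (other locals, saved registers, the return address).
 * This function is here to show the bug; the program only ever calls it
 * with an argument that fits. */
void copy_argument_unchecked(const char *arg)
{
    char buf[ARG_BUF_SIZE];
    strcpy(buf, arg);              /* no bound: overflow if strlen(arg) >= 16 */
    printf("unchecked copy: %s\n", buf);
}

/* Hardened form: reject any argument that does not fit, NUL terminator
 * included, before touching the buffer. Returns 0 on success, -1 if the
 * argument was rejected. */
int copy_argument_checked(char *dst, size_t dst_size, const char *arg)
{
    size_t len = strlen(arg);
    if (len >= dst_size)           /* need room for len bytes plus the NUL */
        return -1;
    memcpy(dst, arg, len + 1);
    return 0;
}

/* Triage helper: would this argument overflow a buffer of the given size?
 * Returns 1 for yes, 0 for no. This is exactly the test the unchecked
 * version never performs. */
int argument_overflows(size_t buf_size, const char *arg)
{
    return strlen(arg) >= buf_size;
}

int main(void)
{
    char buf[ARG_BUF_SIZE];
    const char *ok = "asdf";
    /* Constructed oversized argument: 40 bytes, far more than the buffer holds. */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    copy_argument_unchecked(ok);   /* fits, so safe here */
    printf("checked copy of ok:  %d\n", copy_argument_checked(buf, sizeof buf, ok));
    printf("checked copy of big: %d\n", copy_argument_checked(buf, sizeof buf, too_long));
    printf("overflow? ok=%d big=%d\n", argument_overflows(sizeof buf, ok),
           argument_overflows(sizeof buf, too_long));
    return 0;
}
```

The point of the checked version is that the decision is made on the length of the input, before any byte is written: a 15-character argument fits in 16 bytes (15 plus the terminator), a 16-character one does not, and the rejected case never reaches the buffer at all.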
This website is very helpful because it assists in tracking down the specific side effects of the malware. It also described to me when it was patched. The specific vulnerability used by the Sasser worm is CVE-2003-0533, meaning it was patched in Windows XP SP2 as a major release; anyone not updated to SP2, such as people on RC2, RTM, SP1, and SP1a, have SP2 available for update, and if someone didn’t want to update, Windows Update had a critical update patch released.
CVE - CVE-2003-0533. (n.d.). Retrieved from http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0533
This article talks about the history and payloads of Sasser. Sasser is not purposely a destructive worm, although it caused over $19,000,000,000 of damage. It works by exploiting CVE-2003-0533. It arrives on your system when someone opens a malicious file on your network. That executable opens an FTP server on your computer that holds the worm. Then, Sasser starts sniffing IP addresses. An IP address is 0-255:0-255:0-255:0-255, so once it finds a vulnerable computer, it starts a network remote shell at port 9996. It obtains this through an exploit in LSASS, which tricks it into parsing an executable and then crashes LSASS.EXE. This is notable because a side effect of exploiting LSASS.EXE the way the worm does is that it forcibly crashes. When Windows detects LSASS.EXE isn’t running, it tells the user to save their data and shut down the machine, as LSASS cannot be restarted without reloading the operating system. Although you can abort the shutdown, your system is very unstable and prone to further infection, as LSASS manages user permissions, and without it, every program has kernel-level permissions. Another result of this is that you can no longer Lock or Switch Users on your computer through the Start Menu. Doing this manually through the command line, or by pressing CTRL+ALT+DEL and selecting Switch Users, sends you to the normal XP login screen, but no users will show, as LSASS handles login. Without it, you technically can still log in, but Windows won’t let you because it can’t verify you know the password, so it disables all accounts until it can verify through LSASS. Next, it drops a file called “avserve.exe”, which is a copy of the worm. With LSASS.EXE crashed, users won’t appear in the login window. Another side effect of LSASS.EXE crashing is that you get dialogs with system shutdown warnings. These can be easily bypassed, but they lead to general system instability.
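The paragraph above lists observable side effects of an infection: a copy of the worm named avserve.exe, a remote shell listening on port 9996, and LSASS.EXE crashing. The C program below is an added example for this page, not code from the wiki article or from any vendor: it classifies log lines against those three indicators and reports which were seen. The sample lines are constructed to look like netstat and event-log output and are not real captures; the exact wording of a real LSASS crash message and the path the worm drops its copy to are not given on the page, so the sample only uses the process name and a generic "terminated" phrase.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Indicator bits, one per side effect described in the article. */
#define IND_AVSERVE     0x1   /* the dropped worm copy, avserve.exe */
#define IND_PORT_9996   0x2   /* something listening on the remote-shell port */
#define IND_LSASS_CRASH 0x4   /* lsass.exe terminated unexpectedly */

/* Case-insensitive substring search (strcasestr is not portable C). */
static const char *find_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i;
        for (i = 0; i < n && hay[i] &&
                    tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]); i++)
            ;
        if (i == n)
            return hay;
    }
    return NULL;
}

/* True if the line contains local port 9996 exactly: ":9996" followed by a
 * non-digit, so ":99960" does not match. */
static int has_port_9996(const char *line)
{
    const char *p = line;
    while ((p = strstr(p, ":9996")) != NULL) {
        if (!isdigit((unsigned char)p[5]))
            return 1;
        p += 5;
    }
    return 0;
}

/* Classify one log line. Returns a bitmask of IND_* flags, 0 if clean. */
int classify_line(const char *line)
{
    int ind = 0;
    if (find_ci(line, "avserve.exe"))
        ind |= IND_AVSERVE;
    if (find_ci(line, "LISTENING") && has_port_9996(line))
        ind |= IND_PORT_9996;
    if (find_ci(line, "lsass.exe") &&
        (find_ci(line, "terminated") || find_ci(line, "crash")))
        ind |= IND_LSASS_CRASH;
    return ind;
}

/* Scan an array of lines, printing each hit; returns the OR of all indicators. */
int scan_lines(const char *const *lines, size_t count)
{
    int all = 0;
    for (size_t i = 0; i < count; i++) {
        int ind = classify_line(lines[i]);
        if (ind)
            printf("[hit 0x%x] %s\n", ind, lines[i]);
        all |= ind;
    }
    return all;
}

/* Constructed sample lines mimicking netstat and event-log output. */
static const char *const SAMPLE[] = {
    "TCP    0.0.0.0:135     0.0.0.0:0   LISTENING   1016",
    "TCP    0.0.0.0:9996    0.0.0.0:0   LISTENING   1844",
    "New process: avserve.exe (pid 1844)",
    "System: lsass.exe terminated unexpectedly",
    "TCP    0.0.0.0:99960   0.0.0.0:0   LISTENING   3000",
};

int main(void)
{
    int all = scan_lines(SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0]);
    if (all == (IND_AVSERVE | IND_PORT_9996 | IND_LSASS_CRASH))
        printf("all three indicators present: treat the host as infected\n");
    return 0;
}
```

Each indicator on its own is weak (any service could listen on a high port, and LSASS can crash for other reasons), which is why the scan returns the combination: the listener on 9996, the dropped file name and the LSASS crash together match the chain the article describes.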
I think this article is extremely helpful. It helps me understand the consequences of the worm and the way it works, and helps me figure out the estimated effects on the operating systems I’m using. Since Windows 95, 98, and ME are built on MS-DOS, there are many differences from Windows 2000, XP RTM, SP1, SP1a, SP2, SP3, and SP3 with full updates. This website also gives information on the various payloads and ways to be sure of a full infection.
Sasser | Malware Wiki | FANDOM powered by Wikia. (n.d.). Retrieved October 4, 2017, from http://malware.wikia.com/wiki/Sasser
This article describes a buffer overrun that can be exploited by an anonymous user. This allows anyone, including the Sasser worm, to exploit it remotely. Local Security Authority Subsystem Service handles the permissions and remote connections of a system. When another computer sends a large request, LSASS doesn’t know what to do, and then a buffer overflow is used to execute the virus. The virus uses 128 threads of your system with its FTP server, causing maximum CPU usage. This article also explains that Windows Server 2003 and Windows XP x64 Editions were compiled in a way that LSASS isn’t vulnerable to the exploit, and the payload isn’t executed.
I find this website very helpful, because it is official Microsoft information about the vulnerability. It includes much more detail about the exploit itself than the malware, which gives me a better idea of the way the worm spreads, helps me estimate the results, and lets me determine side effects to be sure that the exploit successfully ran.
Microsoft Security Bulletin MS04-011 – Critical. (n.d.). Retrieved from https://technet.microsoft.com/library/security/ms04-011