Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Sasser (computer worm)
(section)
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
==History and effects== Sasser was created on April 30, 2005.<ref>{{Cite web |last=Macrae |first=Duncan |date=2014-04-11 |title=Everything you need to know about the Sasser worm |url=https://techmonitor.ai/technology/cybersecurity/everything-you-need-to-know-about-the-sasser-worm-4213147 |access-date=2023-02-06 |website=Tech Monitor |language=en-US}}</ref> This worm was named Sasser because it spreads by exploiting a [[buffer overflow]] in the component known as LSASS ([[Local Security Authority Subsystem Service]]) on the affected operating systems. According to a report by eEye Digital Security published on April 13, 2004, this buffer overflow relies on an apparently deprecated API call to Microsoft Active Directory, which both allows for unchecked remote queries and crashes LSASS.exe if given a long string.<ref>{{Cite web |date=2006-01-09 |title=Network Security, Vulnerability Assessment, Intrusion Prevention |url=http://www.eeye.com/html/Research/Advisories/AD20040413C.html |archive-url=https://web.archive.org/web/20060109033004/http://www.eeye.com/html/Research/Advisories/AD20040413C.html |url-status=dead |archive-date=2006-01-09 |access-date=2023-02-06 }}</ref> Once on a machine, the worm scans different ranges of [[IP address]]es and connects to victims' computers primarily through [[Transmission Control Protocol|TCP]] port 445. If a vulnerable installation of XP or 2000 is found, the worm utilizes its own FTP server hosted on previously infected machines to download itself onto the newly compromised host. Microsoft's analysis of the worm indicates that it may also spread through port 139. Several variants called ''Sasser.B'', ''Sasser.C'', and ''Sasser.D'' appeared within days (with the original named Sasser.A). The LSASS vulnerability was patched by Microsoft in the April 2004 installment of its monthly security packages, prior to the release of the worm. Some technology specialists have speculated that the worm writer reverse-engineered the patch to discover the vulnerability, which would open millions of computers whose operating system had not been upgraded with the security update.<ref>{{Citation |title=Net-Worm.Win32.Sasser On a Physical PC Network | date=30 April 2014 |url=https://www.youtube.com/watch?v=BhtyEdhepIc |language=en |access-date=2023-02-06}}</ref> The effects of Sasser included the [[news agency]] [[Agence France-Presse]] (AFP) having all its satellite communications blocked for hours and the [[United States|U.S.]] flight company [[Delta Air Lines]] having to cancel several trans-atlantic flights because its computer systems had been swamped by the worm. The [[Nordic countries|Nordic]] insurance company ''If'' and their Finnish owners ''Sampo Bank'' came to a complete halt and had to close their 130 offices in [[Finland]]. The [[United Kingdom|British]] [[Her Majesty's Coastguard|Coastguard]] had its electronic mapping service disabled for a few hours, and [[Goldman Sachs]], [[Deutsche Post]], and the [[European Commission]] also had issues with the worm. The [[X-ray]] department at [[Lund University Hospital]] had all their four layer [[X-ray machine]]s disabled for several hours and had to redirect emergency X-ray patients to a nearby hospital.
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)