Sasser Worm Fairly Benign, Says AT&T Security Manager

May 3, 2004


The new Sasser worm meandering its way from server to server on the Internet -- it's not passed along via e-mail -- is unlikely to have widespread devastating impact, although new, more onerous variants could develop, said the manager of AT&T's security operation Monday.

"It attacks PCs," said David Cottingham, director of AT&T Managed Security Services, in an interview. "And there's a patch for it. If the patch is in place, you'll be protected." Microsoft announced the vulnerability in April, and the writer of the worm moved quickly to exploit it, said Cottingham.

Cottingham said AT&T's customers were sent Sasser alerts via e-mail and pager at noon on Saturday, along with detailed information on how to protect against it. As of early Monday, there were two variants extant. Cottingham said the patch--which has been available from Microsoft since last month--will protect against any variants of the worm. "We'll be on the lookout to see if it changes," said Cottingham.

Cottingham said Sasser is illustrative of a growing trend: worm and virus writers--some are calling them "cyber terrorists"--move quickly to exploit a software vulnerability immediately after it's announced, typically by Microsoft. While Sasser is moving slowly and is considered to be poorly written, it potentially can address a huge population of Windows 98 and XP users.

Whether the worm will continue to replicate itself in different variations remains to be seen, Cottingham said, noting that AT&T Internet Protect and AT&T Personal Firewall are in place to thwart the incursions for AT&T customers. The AT&T system watches threats that sometimes take several days, even weeks, to build up. "With the Slammer [worm] we saw anomalies and spikes by an order of magnitude of 10," he said. "We were able to put appropriate patches in place, so there was essentially zero impact."

By monitoring the threats as they become more dangerous over time, effective patches can be put in place. The Sasser worm targets a weakness in Microsoft Windows Local Security Authority Subsystem Service (LSASS). At this point, the worm doesn't look to do serious damage--and no damage at all to those who have installed the relevant patch--but it could become more dangerous if more variants are created.

"Hackers will try a test bed first," said Cottingham. "They tweak the code. We watch these attacks bubble up. When they get it right, it can propagate in 10 minutes. These things can really go when they go." AT&T has more than 350 security analysts, including several PhD cryptographers, who monitor Internet traffic 24 hours a day, seven days a week. Cottingham noted that they examine protocols and not customer payloads, so there's no violation of privacy involved.

Cottingham noted another new security trend: more threats to enterprise networks are coming from within the enterprise than from without. Better defensive firewalls, filters, and systems are in place to block threats from entering through enterprise portals. Often, a traveling employee with a laptop will inadvertently introduce a virus or a worm to an enterprise network. The AT&T approach--forcing remote-access workstations to have anti-virus software in place or the machine will be blocked from the network--has been an effective way of dealing with many internal threats, Cottingham said.

What about a killer threat, a virus that some say could bring down the entire Internet?

"We haven't seen the big one," said Cottingham. "No one can predict that it will happen." If and when it comes, he said the security world will be ready for it. While he believes the Web won't ever be completely free from malicious cyber attacks, he said its security is improving all the time and is gaining on the cyber terrorists.
