Protecting Against The Sasser Worm

As the Sasser worm rolled across the Internet Monday, users scrambled to patch systems and clean up infected machines.

The first chore is to install a firewall if one isn't already present on the network or an individual PC. Like the MSBlast worm of last summer, Sasser infects systems without any human intervention, can spot a vulnerable machine quickly while it's online, and can cause the machine to constantly reboot, making it difficult to retrieve the fix.

The long-term defense against Sasser, said security analysts, is to apply the patch against the LSASS vulnerability on Windows XP, Windows 2000, and Windows Server 2003 systems. (But as noted last week, the patch is itself flawed, and can make some Windows 2000 machines to crash at startup; Microsoft has yet to deploy a patched patch.)

Microsoft first released the patch for the LSASS vulnerability April 13 as part of its monthly round of security alerts. The patch can be retrieved using the Windows Update service, or downloaded directly from the Security Bulletin MS04-011.

Users can also filter traffic targeting UDP ports 135, 137, 138, and 445, as well as TCP ports 135, 139, 445, 593, and any ports above 1024, said Symantec in its analysis and advisory for Sasser. Companies should also monitor incoming traffic for packets targeting TCP port 9996 -- the port an infected machine uses to await a connection from the attacker -- and outgoing traffic destined for TCP port 5554, which is the port used by the FTP server that Sasser installs on compromised systems.Users of Internet Explorer can also sniff for and remove Sasser.a and Sasser.b -- the first two variants of the worm -- by using the ActiveX control tool found on the Sasser page Microsoft posted on Saturday. An option for non-IE browser users is to download the tool and run it independently of Internet Explorer.

Several anti-virus and security vendors have also posted free-for-the-downloading tools that remove the Sasser worm from infected computers. Among them are Symantec, Sophos, McAfee, and Panda Software.

All anti-virus vendors urged their customers to update their definition files immediately -- and keep them updated -- to protect their PCs against Sasser.