Experts Probe Sasser, Netsky Link

A message buried in a new version of the Netsky e-mail worm is claiming responsibility for the Sasser Internet worm, and computer security experts say that there is evidence that the claim is legitimate.

Analysis of the Sasser and Netsky code reveals many similarities between the two worms, even as a new version of the Netsky e-mail worm appeared on Monday that capitalized on fears caused by Sasser Internet worms by posing as an antivirus software patch, experts say.

Netsky-AC is the thirtieth version of the mass-mailing e-mail worm to be released since Netsky-A appeared in February. Like earlier versions of Netsky, the AC-variant uses e-mail messages and infected file attachments to spread from computer to computer.

Sending a Message

A message buried in the worm's code and directed to antivirus vendors claims responsibility for Sasser, which first appeared on Friday. Sasser infected computers around the world by exploiting a recently disclosed hole in a component of Microsoft's Windows operating system called the Local Security Authority Subsystem Service, or LSASS.

"Hey av firms, do you know that we have programmed the sasser virus?!? Yeah, thats true," the message reads, in part.

The message is attributed to "the Skynet," a virus writing group that also claimed responsibility for other Netsky variants. The worm's author or authors included a sample of the Sasser worm raw "source" code as proof of the legitimacy of the claim, says Graham Cluley, senior technology consultant at Sophos.

Analysis of that code, and other elements of the Sasser code, reveal similarities with the Netsky worm, says Joe Stewart, senior security researcher at LURHQ, a managed security services provider in Myrtle Beach, South Carolina.

After being run through a computer code compiler, the source code matches samples of the finished worm that LURHQ researchers obtained, says Stewart.

Similar Styles

Other parts of Sasser are also very similar to elements of Netsky. "If you take Netsky apart, you can see similarities in the style," he says.

Those similarities include almost identical code to generate random numbers and a number of subroutines that Sasser and Netsky both use to interact with Windows, Stewart says.

The proliferation of new Sasser variants within hours of the first worm's release, each with subtle modifications of the original worm, also recalls the Netsky worm's proliferation, Cluley says.

Recent Sasser variants, such as Sasser.C and Sasser.D, discovered Monday, make changes to the worm's code that are designed to increase the number of infections. Sasser.C increases the amount of system resources devoted to searching for infected hosts. Sasser.D introduces a faster technique for determining whether Windows machines are online and worthy of trying to infect, though the change only works on Windows XP systems and causes Sasser to crash on computers running Windows 2000, Stewart says.

A similar pattern followed the release of Netsky-A, which most antivirus companies called a low risk when it appeared. Later versions of the worm improved on the first version and spread more widely. Different Netsky variants accounted for the top five viruses reported to Sophos in April, the company says.

Searching for the Source

However, the fact that Sasser contains code from Netsky doesn't mean the same person or persons created both viruses, Stewart says.

An author's message buried in the Netsky-K worm promised to be "the last version," after which the author would publish the worm's code on the Internet. Many more variants followed that release and the code is believed to be widely available within virus writing circles, meaning that Sasser could be the work of anybody with access to that code. The exploit code for the LSASS vulnerability was also circulated widely on the Internet in the days preceding Sasser's release, he says.

"I think that they just saw the [LSASS] exploit out there and saw that it worked pretty well, so they borrowed elements of the code already written for Netsky and threw together [Sasser] in a short time frame," he says.

However, Internet worms like Sasser have a shorter window of time in which to spread than e-mail worms, which can continue to thrive as long as they find new ways to trick e-mail users. Despite the release of new variants, the rate of new Sasser infections was falling Monday. The number of infected machines also appeared to be dropping, according to LURHQ statistics, Stewart says.

The decreases were most likely due to Internet users heeding warnings about Sasser and patching vulnerable Windows systems or blocking the ports that Sasser uses to spread, he says.