Security experts are continuing to issue warnings about the Sasser Internet worm as organizations struggle to clean up the damage caused by infected hosts.
American Express joined a number of U.S. universities in reporting infections from the Sasser worm this week. Meanwhile, the SANS Institute's Internet Storm Center (ISC) maintained a yellow warning Tuesday despite expectations earlier in the day that the Sasser outbreak would wind down Monday, according to interviews.
Sasser exploits a recently disclosed hole in a component of Microsoft's Windows operating system called the Local Security Authority Subsystem Service, or LSASS. Microsoft released a software patch, MS04-011, on April 13.
The SANS Institute's Internet Storm Center said on Monday that it was maintaining its yellow alert, indicating a "significant new threat" on the Internet due to "the continuing spread of Sasser and other malicious code targeting the MS04-011 vulnerabilities," according to the ISC.
Among other things, modifications in new Sasser variants Sasser.C and Sasser.D, which appeared on Monday, prompted the ISC to maintain the yellow alert on Tuesday. Internet Storm Center chief technology officer Johannes Ullrich said he expected Sasser to die down Monday, prompting a return to the "green" status by the end of the day.
American Express experienced Sasser infections on employee desktops beginning Sunday that disrupted the company's internal networks, but did not have an impact on customer services according to Judy Tenzer, a company spokesperson.
American Express refused to reveal how many computers were affected, or how the worm penetrated the company's network, but the infections were limited to employee desktops and did not affect critical servers at the company, she says.
Reports surfaced Monday of unexplained computer problems at other companies, as well.
Delta Airlines experienced technical difficulties on Saturday that forced the cancellations of some flights. The computer problems began at 2:50 P.M. local time on Saturday and were fixed by 9:30 Saturday evening, says Katie Connell, a Delta spokesperson.
Connell would not common on the cause of the problems, or which systems were affected, citing a continuing investigation. Delta does use Microsoft products and the Windows operating system, she says.
Back to School
In Boston, colleges and universities felt the effects of the worm, according to David Escalante, director of computer policy and security information technology at Boston College, in Chestnut Hill, Massachusetts.
Around 200 machines on BC's campus network were infected with Sasser, most of them laptop and desktop computers owned by students, he says.
BC blocked traffic on port 445, which is used by the Sasser worm to spread, before the outbreak. Information technology staff are analyzing the infections, which may have come from students who brought infected laptops back onto campus from home, Escalante says.
Staff are also struggling with complications caused by Sasser, which causes many Windows XP and Windows 2000 machines to crash repeatedly, preventing students from logging onto the desktop and installing the appropriate software patch.
Making matters worse, BC students are approaching final exam period. The Sasser outbreak prompted a run on the student computer center Saturday, with panicked students worried about the welfare of term projects and other materials on Sasser-infected machines, he says.
Other schools also faced large-scale outbreaks, including more than 1000 machines at Boston University, according to a source.
Among leading financial services companies, the impact of Sasser was generally light. Companies including Citibank and Lehman Brothers Holdings had around a dozen Sasser infections, rather than hundreds or thousands of systems infections, according to a source.
Microsoft's recent decision to move from weekly to monthly software patches has raised the stakes for companies that ignore the security bulletins and updates, says Firas Raouf, chief operating officer of eEye Digital Security, which discovered the LSASS vulnerability.
"Now you have a handful of vulnerabilities that are addressed by a single patch, so if you don't deploy a patch, you're opened four or five doors to your network," he says.
Large companies are often reluctant to press software patches into service out of fear they will break critical applications used by employees or customers. However, waiting too long to apply a software patch exposes companies to infection by a worm or virus that takes advantage of the software hole fixed by the patch, Raouf says.
The most important thing is for organizations to have a process in place to handle new vulnerabilities when they are revealed so that they can act quickly to scan for vulnerable machines, test patches, deploy patches, or apply workarounds as needed, he says.