Wednesday, May 05, 2004
Sandvine Threat Advisory : Sasser Worm Poses Risk to Service Provider Networks
Options Exist to Mitigate Worm's Impact and Protect the Internet Experience for Broadband Subscribers
Waterloo, Ontario; May 5, 2004 -- Sandvine has analyzed the impact of the newly discovered W32/Sasser.worm.d worm from an ISP perspective and developed strategies to mitigate its effect on public networks.
THREAT ASSESSMENT FOR SERVICE PROVIDERS: Medium
IMPACT ON SERVICE PROVIDER NETWORKS: Most of the malicious traffic generated by Sasser and its variants occurs during attempts to identify vulnerable hosts. The worm scans for hosts by sending SYN packets to random IP addresses on port 445. This approach was intended to let the worm spread quickly inside enterprise networks, but it also facilitates rapid infestation across the Internet. Sandvine estimates that an individual subscriber could generate up to 230 Kb/s of malicious traffic associated with this worm, but variants such as Sasser.C have been designed to scan at much higher rates. Sasser.C has not significantly impacted the network at this point.
Sandvine first detected the Sasser worm using its Worm/DoS Traffic Mitigation (WDTM) platform, which identified a sharp increase in address scans on port 445. Scans on port 445 have roughly doubled since Sasser was first released. The total rate remains relatively low as of this alert and some of the malicious traffic on port 445 is caused by several other still-active worms.
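The detection signal described above (a single subscriber emitting SYNs to many distinct addresses on port 445, and an aggregate jump in port 445 scanning) can be reproduced from plain flow or packet records. The following is an added example written for this advisory; it is not Sandvine's WDTM code, whose internals the advisory does not describe. The record format (`timestamp src dst dport flags`), the 60-second window, the 20-destination threshold and all sample traffic are constructed for illustration.

```python
"""Flag Sasser-style port 445 address scanning from SYN records.

Added example, not Sandvine/WDTM code. Record format, thresholds and the
sample captures below are constructed assumptions for the demonstration.
"""
from collections import Counter, deque

# Port the worm scans, as stated in the advisory.
SCAN_PORT = 445


def syn_events(lines, port=SCAN_PORT):
    """Yield (ts, src, dst) for pure SYNs (flag S without A) sent to `port`.

    Each line is assumed to look like: "<epoch_seconds> <src> <dst> <dport> <flags>".
    Blank lines and '#' comments are skipped; SYN-ACKs and other ports are ignored.
    """
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, flags = line.split()
        if int(dport) != port or "S" not in flags or "A" in flags:
            continue
        yield float(ts), src, dst


def peak_distinct_destinations(lines, port=SCAN_PORT, window_s=60.0):
    """Per source IP, the largest number of distinct destination IPs it SYNed
    on `port` within any sliding window of `window_s` seconds.

    A normal client re-contacting one file server scores 1; a host spraying
    random addresses scores close to its SYN count.
    """
    by_src = {}
    for ts, src, dst in syn_events(lines, port):
        by_src.setdefault(src, []).append((ts, dst))

    peaks = {}
    for src, events in by_src.items():
        events.sort()
        window = deque()          # events currently inside the time window
        in_window = Counter()     # distinct destinations -> occurrences in window
        peak = 0
        for ts, dst in events:
            window.append((ts, dst))
            in_window[dst] += 1
            # Evict events older than window_s relative to the newest event.
            while window and ts - window[0][0] > window_s:
                old_ts, old_dst = window.popleft()
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
            peak = max(peak, len(in_window))
        peaks[src] = peak
    return peaks


def scan_suspects(lines, threshold=20, **kwargs):
    """Sources whose peak distinct-destination count reaches `threshold`."""
    return {src: n for src, n in peak_distinct_destinations(lines, **kwargs).items()
            if n >= threshold}


def port_syn_ratio(baseline_lines, current_lines, port=SCAN_PORT):
    """Aggregate SYN count to `port` in the current capture divided by the
    baseline capture. Assumes both captures span the same duration."""
    base = sum(1 for _ in syn_events(baseline_lines, port))
    cur = sum(1 for _ in syn_events(current_lines, port))
    return cur / base if base else float("inf")


def constructed_baseline(base_ts=1083801600):
    """Constructed 30-second pre-outbreak sample: ten unrelated port 445 SYNs."""
    return [f"{base_ts + 3 * i}.000 10.0.0.{20 + i} 192.0.2.{100 + i} 445 S"
            for i in range(10)]


def constructed_capture(base_ts=1083801600):
    """Constructed 30-second sample with one worm-like subscriber."""
    lines = ["# ts src dst dport flags  (constructed sample traffic)"]
    # 10.0.0.7: one SYN per second, each to a fresh address on 445 (worm-like).
    lines += [f"{base_ts + i}.000 10.0.0.7 192.0.2.{i + 1} 445 S" for i in range(30)]
    # 10.0.0.9: repeated SYNs to a single file server on 445 (legitimate).
    lines += [f"{base_ts + 3 * i}.500 10.0.0.9 198.51.100.5 445 S" for i in range(5)]
    # The server's SYN-ACKs travel to an ephemeral port and must not count.
    lines.append(f"{base_ts + 1}.600 198.51.100.5 10.0.0.9 51234 SA")
    # 10.0.0.11: ordinary web browsing on port 80, outside the watched port.
    lines += [f"{base_ts + i}.250 10.0.0.11 203.0.113.{i + 1} 80 S" for i in range(8)]
    return lines


if __name__ == "__main__":
    capture = constructed_capture()
    print("peaks:", peak_distinct_destinations(capture))
    print("suspects:", scan_suspects(capture))
    print("port 445 SYN ratio vs baseline:",
          round(port_syn_ratio(constructed_baseline(), capture), 2))
```

Counting distinct destinations rather than raw SYNs is what separates a scanning host from a subscriber that simply retries one SMB server; the aggregate ratio function mirrors the "roughly doubled" observation and only says something useful when the two captures cover the same period length.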
SERVICE PROVIDER OPTIONS: Sandvine customers that have implemented mitigation via the WDTM module have been countering the spread of the Sasser worm since May 2, 2004 and need take no further action. All major stages of the attack have been contained. Other recommended options to prevent the worm from spreading or consuming bandwidth include:
* Blocking all port 445 traffic
* Blocking packets to port 9996 that match the Sasser worm's pattern
* Blocking packets to port 5554 that match the Sasser worm's pattern
* Ensuring signature files for subscriber anti-virus software are complete
* Taking actions associated with Microsoft Security Bulletin MS04-011
See also US-CERT vulnerability note VU#753212 for more information on signature recognition (http://www.kb.cert.org/vuls/id/753212)
Analysis performed by Sandvine Security Operations Services, May 2004.