Sasser

Category: Malware

Type: Worm

Platform: Windows

Variants: Sasser.A, Sasser.B, Sasser.C, and Sasser.D.

Damage potential: On an unpatched Windows 2000 or XP host the exploit crashes the LSASS process, which forces Windows to shut down and reboot about a minute later, so infected machines reboot repeatedly and unsaved work is lost. Every infected host then scans for new victims, which can saturate network links. The exploit runs code with SYSTEM privileges and opens a remote command shell, so the same flaw gives an attacker full control of the machine.

Overview

Discovered on 30 April 2004, Sasser is a computer worm that exploits a stack buffer overflow in the Windows Local Security Authority Subsystem Service (LSASS), tracked as CVE-2003-0533 and fixed by Microsoft Security Bulletin MS04-011. It spreads automatically across networks and infects unpatched systems without user interaction.

A successful exploit crashes LSASS, which makes Windows shut down with a 60-second countdown, so infected hosts reboot repeatedly and their network operations stall. The exploit also runs code with SYSTEM privileges and opens a command shell on TCP port 9996; the worm uses that shell to make the victim download a copy of itself. Sasser did not choose its targets: in May 2004 it disrupted businesses, transport operators and government networks simply because they had unpatched hosts reachable on port 445.

Once released, a worm like Sasser needs no operator. Every infected host scans and exploits on its own, so the rate of spread is limited only by how many unpatched, reachable hosts exist, which is why Sasser spread worldwide within days of its release.

Microsoft published the patch (MS04-011) on 13 April 2004, about two weeks before the worm appeared; Sasser spread because many systems had not yet installed it. A Windows system that receives regular updates is not at risk from Sasser, because the patch removes the flaw the worm depends on.

Possible symptoms

Sasser disrupts system stability by crashing a core Windows process and aggressively scanning for new targets. Symptoms of a Sasser infection include:

  • An error dialog for LSA Shell (Export Version), or a message that lsass.exe terminated unexpectedly with status code -1073741819, followed by a 60-second shutdown countdown initiated by NT AUTHORITY\SYSTEM.
  • The system shutting down or rebooting shortly after startup, over and over.
  • Sluggish or unresponsive system performance, with high CPU usage from the worm's scanning threads.
  • Unusual outbound network activity: many connection attempts to TCP port 445 on random addresses, and bandwidth spikes.
  • An unknown process such as avserve.exe or avserve2.exe in Task Manager, with a matching entry under the Run key in the registry.
  • New listening ports on the host: TCP 5554 (the worm's FTP server) and TCP 9996 (its command shell).
  • A file named win.log or win2.log in the root of the system drive.

Sources of the infection

Cybercriminals may use various methods to spread the Sasser worm:

  • Exploiting unpatched vulnerabilities. Sasser spreads by exploiting a stack buffer overflow in the Windows LSASS service, reachable over SMB on TCP port 445. If your system lacks the MS04-011 patch, the worm can infect it remotely without any interaction on your part.
  • Scanning for vulnerable hosts. Once active, Sasser starts many scanning threads that generate random IP addresses, with a bias toward the local network, and attempt a connection to TCP port 445 on each. When a host answers, the worm sends the exploit, which opens a command shell on TCP port 9996 on the victim. Through that shell it instructs the victim to connect back to the infecting host's own FTP server on TCP port 5554, download a copy of the worm and run it.
  • Direct-to-IP infection. Sasser does not rely on email or file attachments. It connects directly to IP addresses and pushes the payload, so mail filtering and web proxies never see it; only a firewall that drops unsolicited inbound connections to port 445 stops it at the perimeter.
  • Local network propagation. If one system inside a corporate or home network becomes infected, Sasser quickly reaches every other unpatched host on the same network, where port 445 is usually open.
  • No need for user interaction. Unlike most malware of its era, Sasser does not require the user to click a file or open an attachment. A vulnerable machine is infected simply by being reachable on port 445 from an infected host, for example when a laptop is plugged into a network that already has an infection.

Protection

The single most effective measure against Sasser is to apply the MS04-011 patch; the flaw has been fixed in every Windows release since, so a patched system cannot be infected. The following measures add defence in depth:

  • Using antivirus and anti-malware software. Install and regularly update reliable antivirus software that includes detection for worms.
  • Regularly updating systems and software. Keep your operating system, browsers, and all applications up to date to patch vulnerabilities in services like LSASS that Sasser exploits.
  • Using Threat Protection Pro™. NordVPN’s advanced Threat Protection Pro™ feature blocks malicious sites and scans files for malware as you download them. It also scans your software for known risks, flaws, and gaps in security.
  • Improving network security. Set up firewalls, intrusion detection systems, and endpoint protection to block traffic from malicious sources that may attempt to exploit vulnerabilities in the system, such as the one targeted by Sasser.
  • Blocking TCP port 445. Make sure port 445, which Sasser uses for propagation, is blocked at the network perimeter and on the host firewall of every machine that does not serve files. Blocking TCP ports 5554 and 9996 as well breaks the worm's download step and its remote shell even if an exploit succeeds.
  • Implementing multi-factor authentication (MFA). MFA does not block an unauthenticated exploit such as Sasser's, but it adds a layer that makes it harder for an attacker to turn one compromised host into access to other accounts and critical resources.
  • Disabling unnecessary services. LSASS itself cannot be disabled; it is a core part of Windows and the system will not run without it. What you can reduce is its exposure: turn off File and Printer Sharing and any other network service a machine does not need, so that port 445 is not listening on hosts that never serve files.
  • Monitoring network traffic. Use network monitoring tools to detect activity that indicates an active worm: a single host opening connections to TCP port 445 on dozens of different addresses per minute, or new listeners on TCP 5554 and 9996.
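The scanning behaviour described under "Scanning for vulnerable hosts" and the detection described under "Monitoring network traffic" can be turned into a concrete check. The script below is an added example, not code from the original page or from any product it mentions. It assumes a simple space-separated connection-log format (ISO timestamp, source IP, destination IP, destination port, protocol); the parser is the part to adapt to your firewall or flow export. The sample log it runs on is constructed, not real traffic. The port numbers are the worm's: TCP 445 carries the exploit, TCP 9996 is the shell it opens on the victim, and TCP 5554 is the FTP server on the infecting host from which the victim pulls the worm binary.

```python
"""Detect Sasser-style propagation in connection logs (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

EXPLOIT_PORT = 445    # SMB: the LSASS exploit is delivered over this port
SHELL_PORT = 9996     # command shell the exploit opens on the victim
FTP_PULL_PORT = 5554  # worm's own FTP server on the infecting host


def parse_line(line):
    """Parse one log line (assumed format) into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    try:
        return {
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "proto": proto.lower(),
        }
    except ValueError:
        return None


def max_distinct_in_window(hits, window_seconds):
    """Largest number of distinct destinations one source touched within
    any window of window_seconds. hits is a list of (timestamp, dst)."""
    hits = sorted(hits)
    window = timedelta(seconds=window_seconds)
    counts = Counter()
    best = left = 0
    for ts, dst in hits:
        counts[dst] += 1
        # drop events that fell out of the window ending at ts
        while ts - hits[left][0] > window:
            old = hits[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def analyze(lines, fanout_threshold=20, window_seconds=60):
    """Return {host: findings} for hosts showing Sasser-like behaviour.

    A host is flagged for scanning when it connects to TCP 445 on at least
    fanout_threshold distinct addresses within window_seconds. A host that
    connects to a victim's 9996 shell, or that serves its worm copy over
    5554, is flagged as the infecting side of that exchange.
    """
    events = [e for e in map(parse_line, lines) if e and e["proto"] == "tcp"]
    findings = defaultdict(dict)

    hits_by_src = defaultdict(list)
    for e in events:
        if e["dport"] == EXPLOIT_PORT:
            hits_by_src[e["src"]].append((e["ts"], e["dst"]))
    for src, hits in hits_by_src.items():
        peak = max_distinct_in_window(hits, window_seconds)
        if peak >= fanout_threshold:
            findings[src]["scan_fanout"] = peak

    for e in events:
        if e["dport"] == SHELL_PORT:
            findings[e["src"]].setdefault("shell_to", []).append(e["dst"])
        elif e["dport"] == FTP_PULL_PORT:
            # the destination of a 5554 connection is the host serving the worm
            findings[e["dst"]].setdefault("serves_worm_to", []).append(e["src"])
    return dict(findings)


def build_sample_log():
    """Constructed sample, not real traffic: 10.0.0.5 is infected and sweeps
    30 neighbours on TCP 445 in 30 seconds, exploits 10.0.0.112 and serves it
    the worm; 10.0.0.7 is a workstation talking to one file server."""
    base = datetime(2004, 5, 1, 9, 0, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).isoformat()

    lines = [f"{stamp(i)} 10.0.0.5 10.0.0.{100 + i} 445 tcp" for i in range(30)]
    lines.append(f"{stamp(13)} 10.0.0.5 10.0.0.112 9996 tcp")
    lines.append(f"{stamp(14)} 10.0.0.112 10.0.0.5 5554 tcp")
    lines += [f"{stamp(i)} 10.0.0.7 10.0.0.200 445 tcp" for i in range(40)]
    lines.append("this line is malformed and must be ignored")
    return lines


if __name__ == "__main__":
    for host, info in sorted(analyze(build_sample_log()).items()):
        print(host, info)
```

The fan-out check is what separates a worm from a busy workstation: 10.0.0.7 makes forty connections to port 445 but always to the same file server, so it is never flagged, while 10.0.0.5 touches thirty different addresses inside one minute. The 5554 and 9996 rules corroborate the scan and identify which side of the exchange is already infected; on a real network, tune the threshold and window to your baseline before alerting on them.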

Removal of Sasser

If you suspect Sasser has infected your system, immediately disconnect the device from the network to stop it from scanning and infecting other machines. If the shutdown countdown dialog is on screen, open a command prompt and run shutdown -a (shutdown /a on current Windows versions) to abort it; this does not remove the worm, it only stops the reboot loop long enough for you to clean the machine. Next, restart the computer in safe mode to limit Sasser's ability to run and spread.

Run a full system scan with reputable antivirus or anti-malware software that is capable of detecting and removing worms, and allow it to quarantine or delete any detected threats. Microsoft also published a dedicated Sasser removal tool at the time. After cleaning, confirm that no avserve.exe or avserve2.exe process is running and that nothing is listening on TCP ports 5554 and 9996.

Before reconnecting the machine to the network, install MS04-011 and all later security updates; an unpatched host put back on a network that still has infected machines is reinfected within minutes. Then review and strengthen your network security by making sure firewalls block unsolicited inbound connections to port 445 and that every other host has the LSASS patch applied.

If the infection persists or you cannot completely remove it, contact a cybersecurity professional for further assistance.