A fast-spreading worm family that some are comparing to Blaster is exploiting a vulnerability in Windows and has infected as many as 1 million machines worldwide.
"Sasser is the MSBlast event of 2004," said Ken Dunham, director of malicious code research at iDefense. "There are lots of parallels between MSBlast and Sasser. Leading up to Sasser, we saw exploit code updated, Trojaning, and hacking of vulnerable computers, and an underground buzz that resembled that of Blast seen in 2003."
The Sasser worm can infect Windows 2000, Windows XP, and Windows Server 2003 machines without resorting to e-mail and the associated file attachments that users must open to spread the malicious code. The fourth variant, tagged as Sasser.d, appeared Monday, and followed the original, Sasser.a, and two copycats, dubbed Sasser.b and Sasser.c.
Instead, Sasser, like last year's Blaster, scans for systems that are vulnerable to a recent flaw in a component of Windows and exploits it. Sasser then creates a remote connection, installs an FTP server, and downloads itself to the new target.
Sasser exploits a vulnerability in the Windows Local Security Authority Subsystem Service (LSASS) component. Since the vulnerability's disclosure on April 13, exploit code has been circulating, and last week, numerous bot-based attacks used the vulnerability to compromise systems.