

Symantec Security Response:

W32.Sasser.B.Worm rated Level 4

Good afternoon

Within recent weeks, several critical vulnerabilities have been disclosed and in some cases, worms and other automated tools have been launched exploiting these vulnerabilities. Exploit code has been made publicly available for all of these vulnerabilities.

Most notably, W32.Sasser.B.Worm, which attempts to exploit the LSASS vulnerability, has been impacting systems worldwide. W32.Sasser.B.Worm, rated today by Symantec as a Level 4 threat, spreads by scanning randomly chosen IP addresses for vulnerable systems. Currently Symantec Security Response is seeing approximately 150 submissions per hour (see below for more information regarding this threat).

To provide clarity on some of the most recent and significant cyber threat activities, below you'll find a brief update outlining the top three recent vulnerabilities and the malicious threats associated with them.

Please let me know if you have questions or would like to speak with a Symantec security expert. Rachael Joel Botica Butler Raudon Partners Tel: 09 303 3862 or 021 403 504

1. Microsoft Windows LSASS Buffer Overrun Vulnerability/W32.Sasser.B.Worm

Background

The Microsoft Windows LSASS Buffer Overrun Vulnerability was originally announced on April 13, 2004 in Microsoft Security Bulletin MS04-011. A buffer overflow vulnerability exists in the LSASS service that could allow remote code execution on an affected system. LSASS provides an interface for managing local security, domain authentication, and Active Directory processes. If the system were compromised, an attacker could gain complete control of the machine and perform actions on it with the rights of a user or administrator, such as erasing files or stealing information. Exploitation may occur over TCP ports 135, 139, 445, 593 and ports greater than 1024, as well as UDP ports 135, 137, 138 and 445. More information about the LSASS vulnerability can be found at

Symantec recommends that users update their virus definitions to protect against W32.Sasser.Worm and its variant. Symantec Security Response has developed removal tools to clean infections of W32.Sasser.Worm and W32.Sasser.B.Worm. Additionally, Symantec recommends blocking TCP ports 5554, 9996 and 445 at the perimeter firewall and installing the appropriate Microsoft patch (MS04-011) to prevent remote exploitation of the vulnerability.

Recent Updates

On May 1, 2003, Symantec Security Response identified a variant of the Sasser worm as a Level 3 threat -- W32.Sasser.B.Worm. On May 2, W32.Sasser.B.Worm was upgraded to a Level 4 threat due to the increased submission rate. Symantec Security Response has tracked 2,234 worldwide submissions, including 23 corporate submissions. Unlike the original Sasser worm, W32.Sasser.B.Worm is predominantly infecting consumer systems. The worm also attempts to exploit the LSASS vulnerability and spreads by scanning randomly chosen IP addresses for vulnerable systems. Additional information on W32.Sasser.B.Worm can be found at ht ml.

On April 30, 2003, Symantec Security Response identified W32.Sasser.Worm as a Level 3 threat. W32.Sasser.Worm attempts to exploit the MS04-011 vulnerability and spreads by scanning randomly chosen IP addresses for vulnerable systems. Symantec Security Response tracked 301 worldwide submissions, including 113 corporate submissions. For additional information on W32.Sasser.Worm, visit ml .

Symantec has also identified malicious code based on a Gaobot variant that has been modified to propagate through the Microsoft Windows LSASS vulnerability. Gaobot is a type of Trojan that uses IRC. While not as epidemic as a worm, Gaobot still presents an immediate threat due to its ability to compromise a wide range of computers. W32.Gaobot.AFW is a Level 1 threat that spreads through open network shares and several Windows vulnerabilities including LSASS. W32.Gaobot.AFW can also spread through backdoors installed by the Beagle and Mydoom worms, and the Optix family of backdoors. W32.Gaobot.AFJ is another variant that leverages the Microsoft Windows LSASS vulnerability.
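The advisory's mitigation for section 1 is to block TCP 445, 5554 and 9996 at the perimeter; the same three ports, together with the worm's random-address scanning described above, also give a defender something to hunt for in existing firewall logs. The following is an added example written for this page, not Symantec's code or tooling. It assumes a simplified, constructed log format ("timestamp src dst dst_port proto action") and an illustrative scan threshold; the port numbers come from the advisory, everything else is assumed.

```python
"""Hunt for W32.Sasser-style behaviour in perimeter firewall logs.

Added example, not Symantec's code. Assumed log format (constructed):
    <timestamp> <src_ip> <dst_ip> <dst_port> <proto> <action>
Port numbers are the ones the advisory says to block; the scan threshold
is illustrative and should be tuned to the environment.
"""
from collections import defaultdict

LSASS_PORT = 445                    # LSASS attack vector named in the advisory
SASSER_LISTENER_PORTS = {5554, 9996}  # worm's own listeners, per the advisory
SCAN_THRESHOLD = 20                 # distinct hosts on tcp/445 from one source (assumed)


def _build_sample_log():
    """Constructed sample data: one sweeping host, one ordinary SMB client."""
    lines = []
    # 10.0.0.7 touches 25 random-looking addresses on tcp/445, then port 5554
    for i in range(25):
        lines.append(f"2004-05-02T10:00:{i:02d} 10.0.0.7 198.51.100.{i + 1} 445 tcp allow")
    lines.append("2004-05-02T10:01:00 10.0.0.7 198.51.100.3 5554 tcp allow")
    # 10.0.0.9 behaves like a normal workstation: two file servers and a web site
    lines.append("2004-05-02T10:02:00 10.0.0.9 10.0.0.20 445 tcp allow")
    lines.append("2004-05-02T10:02:05 10.0.0.9 10.0.0.21 445 tcp allow")
    lines.append("2004-05-02T10:02:10 10.0.0.9 203.0.113.5 80 tcp allow")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    """Split one log line into a record; raises ValueError on a malformed line."""
    ts, src, dst, port, proto, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "proto": proto, "action": action}


def find_suspects(log_text, scan_threshold=SCAN_THRESHOLD):
    """Return {source_ip: [reasons]} for sources that look like Sasser activity.

    Two signals are combined: a single source reaching many distinct hosts on
    tcp/445 (the random-address sweep), and any contact with the worm's own
    listener ports, which ordinary hosts have no reason to use.
    """
    targets_on_445 = defaultdict(set)
    listener_hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] != "tcp":
            continue
        if rec["port"] == LSASS_PORT:
            targets_on_445[rec["src"]].add(rec["dst"])
        elif rec["port"] in SASSER_LISTENER_PORTS:
            listener_hits[rec["src"]].add((rec["dst"], rec["port"]))

    findings = {}
    for src, dsts in targets_on_445.items():
        if len(dsts) >= scan_threshold:
            findings.setdefault(src, []).append(
                f"scanned {len(dsts)} distinct hosts on tcp/445")
    for src, hits in listener_hits.items():
        ports = sorted({p for _, p in hits})
        findings.setdefault(src, []).append(
            f"contacted Sasser listener ports {ports}")
    return findings


if __name__ == "__main__":
    for src, reasons in find_suspects(SAMPLE_LOG).items():
        print(src, "->", "; ".join(reasons))
```

Run against the built-in sample, only 10.0.0.7 is reported, with both reasons; the workstation that talks to two file servers stays below the threshold. In a real deployment the threshold belongs per-network and the listener-port check should also be applied to denied connections, since a perimeter block on 5554/9996 will turn those hits into deny entries rather than make them disappear.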

2. Microsoft Private Communications Transport (PCT) Protocol Buffer Overrun Vulnerability/backdoor.mipsiv

Background

The Microsoft PCT Vulnerability was originally announced on April 13, 2004 in Microsoft Security Bulletin MS04-011. The Microsoft PCT vulnerability affects all IIS Web servers running Microsoft IIS with SSL enabled. Windows 2003 servers are not vulnerable unless the PCT protocol has been enabled by the administrator. Symantec recommends that users install the PCT patch immediately. If that is not possible, IT administrators can disable the PCT protocol in the registry. Additionally, vulnerability assessment and intrusion detection systems can be deployed to detect the presence of the vulnerability and/or the presence of the exploit. For more information about this vulnerability:

Recent Updates

On April 28, Symantec identified a new Trojan called backdoor.mipsiv. Backdoor.Mipsiv is a Trojan that performs different backdoor-type functions by connecting to an IRC server and joining a specific channel to listen for instructions. Additionally, the Trojan contains keylogging and network scanning functionalities. Backdoor.Mipsiv uses the same port as the PCT vulnerability. On April 21, exploit code was made public.

3. Multiple Vendor Transmission Control Protocol (TCP) Sequence Number Approximation Vulnerability

Background

A vulnerability in TCP implementations was reported on April 20, 2004, that may permit unauthorized remote users to reset TCP sessions. This issue affects products released by multiple vendors. This issue may permit TCP sequence numbers to be more easily approximated by remote attackers. This vulnerability is possible because affected implementations will accept TCP sequence numbers within a certain range of the expected sequence number for a packet in the session. This will permit a remote attacker to inject a SYN or RST packet into the session, causing it to be reset and effectively allowing for denial-of-service attacks. An attacker could exploit this issue by sending a packet with an approximated sequence number and forged source IP address and TCP port. The end result would be a disruption of normal Internet traffic.

Internet Service Providers are aware of the TCP flaw and there are a number of mitigation strategies. Among others, IT administrators should turn on IP security (IPSEC) which will allow for sensitive TCP protocol data to be encrypted when transmitted over the wire. While there are serious risks if systems are left unpatched, Symantec feels the majority of the systems should be safe. Additional information can be found at
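The core of section 3 is a receiver-side rule: the classic behaviour accepts a RST whose sequence number falls anywhere inside the receive window, so an attacker needs only to land in the window rather than hit the exact 32-bit value. The following is an added example written for this page, not code from Symantec or any vendor. It models a simplified receiver (RCV.NXT and RCV.WND only) and contrasts the classic acceptance rule with the hardened rule later standardized in RFC 5961, in which an in-window but inexact RST is answered with a challenge ACK instead of tearing the connection down; window sizes and sequence values are illustrative.

```python
"""Why in-window RST acceptance makes sequence-number approximation cheap.

Added example, not from the advisory. Assumptions: a simplified receiver
state (RCV.NXT, RCV.WND); the classic rule accepts any in-window RST; the
hardened rule (RFC 5961 style) resets only on an exact match and otherwise
sends a challenge ACK for in-window segments. All values are illustrative.
"""
SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def classic_rst_accepted(seq, rcv_nxt, rcv_wnd):
    """Pre-hardening behaviour: any in-window RST aborts the connection.

    This is the property the advisory describes: the attacker only has to
    approximate the sequence number to within the window.
    """
    return in_window(seq, rcv_nxt, rcv_wnd)


def hardened_rst_action(seq, rcv_nxt, rcv_wnd):
    """RFC 5961 style handling of an incoming RST.

    Returns one of:
      "reset"         - seq matches RCV.NXT exactly, connection is aborted
      "challenge_ack" - in-window but inexact; reply with an ACK so a genuine
                        peer can retry with the exact value, a spoofer cannot
      "drop"          - outside the window; silently discarded
    """
    if seq == rcv_nxt:
        return "reset"
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge_ack"
    return "drop"


def segments_to_cover_space(rcv_wnd):
    """Segments needed to guarantee one in-window hit under the classic rule.

    Quantifies the advisory's point: with a 64 KiB window the space shrinks
    from 2^32 exact values to roughly 2^16 windows.
    """
    return -(-SEQ_SPACE // rcv_wnd)  # ceiling division


def compare_rules(seq, rcv_nxt, rcv_wnd):
    """Side-by-side outcome for one spoofed RST under both rules."""
    return {
        "classic_aborts": classic_rst_accepted(seq, rcv_nxt, rcv_wnd),
        "hardened": hardened_rst_action(seq, rcv_nxt, rcv_wnd),
    }


if __name__ == "__main__":
    rcv_nxt, rcv_wnd = 1000, 65535
    for seq in (rcv_nxt, rcv_nxt + 30000, rcv_nxt + rcv_wnd):
        print(seq, compare_rules(seq, rcv_nxt, rcv_wnd))
    print("classic guesses for 64 KiB window:", segments_to_cover_space(65536))
```

The contrast is the whole mitigation: under the classic rule a guess 30000 past RCV.NXT aborts the session, while the hardened receiver answers it with a challenge ACK, which only the real peer can turn into an exact-match RST. This is a receiver-side fix; the advisory's own recommendation of IPsec works at a different layer by preventing the forged segment from being accepted at all.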

Recent Update

On April 22 2004, Symantec Security Response confirmed that an exploit has been publicly released for the Transmission Control Protocol (TCP) vulnerability. At this time, there is no evidence of a widespread threat.


© Scoop Media
