Wednesday, May 05, 2004

Sandvine Threat Advisory : Sasser Worm Poses Risk to Service Provider Networks

Options Exist to Mitigate Worm's Impact and Protect the Internet Experience for Broadband Subscribers

Waterloo, Ontario; May 5, 2004 -- Sandvine has analyzed the impact of the newly discovered W32/Sasser.worm.d worm from an ISP perspective and developed strategies to mitigate its effect on public networks.

THREAT ASSESSMENT FOR SERVICE PROVIDERS: Medium

IMPACT ON SERVICE PROVIDER NETWORKS: Most of the malicious traffic generated by Sasser and its variants occurs during attempts to identify vulnerable hosts. The worm scans for hosts by sending SYN packets to random IP addresses on port 445. This approach was intended to allow the worm to spread quickly inside enterprise networks, but also to facilitate rapid infestation across the Internet. Sandvine estimates that an individual subscriber could generate up to 230 Kb/s of malicious traffic associated with this worm, but variants such as Sasser.C have been designed to scan at much higher rates. Sasser.C has not significantly impacted the network at this point.

Sandvine first detected the Sasser worm using its Worm/DoS Traffic Mitigation (WDTM) platform, which identified a sharp increase in address scans on port 445.  Scans on port 445 have roughly doubled since Sasser was first released.  The total rate remains relatively low as of this alert and some of the malicious traffic on port 445 is caused by several other still-active worms.
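An added example, not Sandvine's WDTM logic or code from this advisory: one simple way to flag the port-445 address scanning described above is to count, per source, the distinct destinations that receive bare SYNs within a sliding window. The flow-record layout, the 60-second window, the 20-destination threshold and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

SCAN_PORT = 445        # port named in the advisory
WINDOW_S = 60          # assumed observation window, in seconds
MIN_UNIQUE_DSTS = 20   # assumed threshold of distinct targets per window

def find_scanners(records, window_s=WINDOW_S, min_unique=MIN_UNIQUE_DSTS):
    """Return {src: peak distinct destinations} for sources whose bare-SYN
    fan-out on SCAN_PORT reaches min_unique inside any window_s span.
    records: iterable of (ts_seconds, src_ip, dst_ip, dst_port, tcp_flags)."""
    recent = defaultdict(deque)                     # src -> (ts, dst) still in window
    counts = defaultdict(lambda: defaultdict(int))  # src -> dst -> hits in window
    peak = defaultdict(int)
    for ts, src, dst, dport, flags in sorted(records):
        if dport != SCAN_PORT or flags != "S":      # only SYN without ACK on 445
            continue
        win, cnt = recent[src], counts[src]
        win.append((ts, dst))
        cnt[dst] += 1
        while ts - win[0][0] >= window_s:           # expire entries older than window
            _, old = win.popleft()
            cnt[old] -= 1
            if cnt[old] == 0:
                del cnt[old]
        peak[src] = max(peak[src], len(cnt))
    return {s: p for s, p in peak.items() if p >= min_unique}

def sample_records():
    """Constructed flow records using private/documentation ranges, not real traffic."""
    recs = []
    for i in range(40):   # fast fan-out: 40 distinct targets in 20 s
        recs.append((i * 0.5, "10.0.0.5", f"198.51.100.{i + 1}", 445, "S"))
    for i in range(30):   # repeated connects to a single file server
        recs.append((i * 1.0, "10.0.0.9", "192.0.2.10", 445, "S"))
    for i in range(25):   # many targets, but only one every 30 s
        recs.append((i * 30.0, "10.0.0.7", f"203.0.113.{i + 1}", 445, "S"))
    for i in range(30):   # fan-out on a different port is ignored
        recs.append((i * 0.5, "10.0.0.8", f"198.51.100.{i + 1}", 80, "S"))
    return recs

if __name__ == "__main__":
    for src, n in find_scanners(sample_records()).items():
        print(f"{src}: {n} distinct port-445 targets within {WINDOW_S}s")
```

Counting distinct destinations rather than raw SYNs keeps a host that retries one file server from being flagged, and the window keeps slow, legitimate fan-out below the threshold.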

SERVICE PROVIDER OPTIONS: Sandvine customers that have implemented mitigation via the WDTM module have been countering the spread of the Sasser worm since May 2, 2004 and need take no further action. All major stages of the attack have been contained. Other recommended options to prevent the worm from spreading or consuming bandwidth include:

* Blocking all port 445 traffic

* Blocking packets to port 9996 that match the Sasser worm's pattern

* Blocking packets to port 5554 that match the Sasser worm's pattern

* Ensuring signature files for subscriber anti-virus software are complete

* Taking actions associated with Microsoft Security Bulletin MS04-011

See also US-CERT vulnerability note VU#753212 for more information on signature recognition (http://www.kb.cert.org/vuls/id/753212)

Analysis performed by Sandvine Security Operations Services, May 2004.

About Sandvine
Sandvine’s award-winning network equipment helps broadband service providers better manage the growing burden of peer-to-peer (P2P) activity while protecting subscribers and preserving the overall Internet experience. Sandvine Peer-to-Peer Policy Management helps service providers take control of P2P traffic, stop the proliferation of destructive worm code and achieve new operational efficiencies. Sandvine products are protecting the Internet experience for millions of broadband subscribers worldwide. To find out more, visit Sandvine online at www.sandvine.com.

linkback: http://www.sandvine.com/news/pr_detail.asp?ID=46
