Surviving the Sasser Worm

I hope everyone survived the Sasser worm without too much pain. When the first reports about Sasser appeared last weekend, I wasn’t too concerned about the worm infecting any of our consulting clients because of the way that Sasser spreads: It randomly tries IP addresses and attempts to connect on TCP port 445. The worm then creates a remote shell on TCP 9996, and uses the shell to connect to an infected computer’s rogue FTP server running on port 5554. All our clients have firewalls in place that block these ports, and they have virus protection with automatic virus pattern updates. However, late last week, I received a call from a client, and I initially thought that the client had somehow become infected with the worm. After closer investigation, the problem turned out to be just an Ad Aware popup and was a false alarm. However, this incident got me thinking about precautions that companies should take for mobile users.

This particular client has an employee that uses a laptop and a broadband connection at home. The user was surfing the Internet over the weekend without firewall protection. If the laptop had become infected, then connected to the corporate LAN, the laptop could have caused serious network damage. For this reason, make sure that any laptop users have virus protection with current virus patterns. Windows XP Service Pack 2 (SP2) will, by default, turn on the Windows Firewall (formerly known as the Internet Connection Firewall—ICF) to protect XP machines from Internet threats. If your company has laptop users that use their computers and a broadband connection at home, the company should consider paying for a firewall to protect users while they surf from home. The easiest way to justify this expense is to explain to management the threat to the corporate LAN if an infected laptop plugs into the network. The cost for a few firewall appliances will be a lot less than the cost in time and lost productivity if the IT department or an outside consultant has to remove a virus and repair the damage. Remember that intruders have a knack for attacking your weakest link.

Some companies have a policy to let only certain inbound ports (FTP, SMTP, HTTP, HTTPS) through their firewall, yet allow any outbound Internet traffic. I don't believe this approach is restrictive enough. The Sasser worm is a great argument for restricting both inbound and outbound traffic on the firewall. If the firewall is configured to restrict outbound traffic, then even if a machine is infected with the Sasser worm, the firewall would prevent the worm from spreading to other locations. For critical updates, consider using Software Update Services (SUS) or its successor, Windows Updates Services (WUS), to approve the critical update and distribute it to your workstations. For laptop users, configure their machines to automatically install the critical updates rather than receive them through WUS or SUS, especially if the laptop user connects to the corporate LAN infrequently. Of course, you run the risk that a critical update might cause a problem with the laptop, but that problem is less severe than becoming infected with a virus because the update wasn't installed.

With more and more hacking and virus activity on the Internet these days, you need to have a multipronged strategy in place to combat any new virus or hacking threats. Make sure you install firewalls for broadband users at home, have a firewall policy that restricts both inbound and outbound traffic, keep up to date with critical updates, and make sure every computer is protected with antivirus software and the latest pattern files.

If you’re upgrading to Microsoft Exchange Server 2003 and are running Research In Motion's (RIM's) Blackberry Enterprise Server (BES), you must upgrade to BES 3.6 Service Pack 2a (SP2a); only this version supports Exchange 2003. If you don't upgrade, the wireless syncing will fail for mailboxes located on Exchange 2003.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.