Organisations that evaded last week's Sasser worm infestation have credited vigilant patching processes and preventative measures such as installing server-based behavior-blocking software and worm filtering gateways.
Anti-virus software, on the other hand, was of limited use in stopping the four known variants of Sasser because the worm could re-infect machines even with the most up-to-date virus signatures, says Vincent Gullotto, vice president at Network Associates's Avert Labs. "If you don't have the Windows patch in place, this can happen," he says.
According to Mikko Hypponen, head of anti-virus research at F-Secure, the Sasser worm variants don't delete files or leave Trojans. This makes it a fairly benign worm and a lot like the Blaster worm of last August. Like Blaster, damage stems from Sasser's intense network scanning, which can paralyze networks.
Among those experiencing Sasser's sting this week were American Express, Goldman Sachs, Air Canada, British Airways, Deutsche Post, the European Commission and several schools, including the University of California and University of Massachusetts.
"It affected some of our support systems and caused a degree of disruption internally," said Lucas Banpraag, a Goldman Sachs spokesman. "It delayed processing of some orders." The Sasser worm infested the financial firm's network a week after hitting its offices in Asia. Goldman Sachs is reviewing how it prioritises patch management and wants better guidance from Microsoft, the spokesman said.
Microsoft had made the patch available more than a week ago for the so-called Local Security Authority Subsystem Service (LSASS) vulnerability that Sasser exploits, giving it a critical rating.
But the sheer size of some organisations makes it hard for them to patch all systems, says Alfred Huger, senior director of engineering for security response at Symantec. Wolters Kluwer, an 18,500-employee firm in Amsterdam that provides legal information services, got hit with Sasser.
"It was only half a dozen PCs out of hundreds," says Mike Antico, CTO for the firm's North American divisions. "How did these people escape being patched? We think it's because they bring in portable computers."
Many corporations test patches before applying them to machines, particularly critical servers, so the larger the organisation, the harder it is to go through this process before a worm appears to take advantage of a newly identified hole.
Companies say they are turning to other defensive measures above and beyond simply patching. One of these is behavior-based software that blocks worms and other types of attacks by recognising suspicious activity.
"Our Windows environment was patched within three days of the released LSASS patch, except for one server where a critical system needed to be regression-tested longer," says Eben Barry, manager of IT operations at Network Health, a Medicaid insurance provider. Luckily, this time the delay did not result in an infection.
The organisation has deployed Sana Security's Primary response software on its patched and unpatched servers, and configured it in advance to minimize potential Sasser worm exploits. Other firms say worm-blocking barriers at the Internet gateway stopped Sasser's flood from striking them.
Andre Foster, vice president of IT at Cable Bahamas in Nassau, says he set up TippingPoint Technologies' UnityOne appliance to filter out Sasser after seeing Blaster sap the service provider's network capacity last year.
Mark Georgis, network administrator at Long Beach Transit says he used Fortinet's FortiGate appliance to block Sasser coming in from the Internet and monitored for any worm outbreaks on the inside with Network Instruments' Observer tool. But luck was on his side, too, as Georgis acknowledges all the organisation's patching wasn't up to date.
"I was scared to death," he says. The Sasser scare now has him setting up his LANDesk systems management tool to automate patch updates to desktops the minute they're available.
What were your experiences with the Sasser worm? What lessons have you learnt? What system do you have in place and did it work? Share your tales of hate and love on our discussion forum.
Find your next job with techworld jobs