Authors:
Arno Wagner,
wagner@tik.ee.ethz.ch,
Thomas Dübendorfer,
duebendorfer@tik.ee.ethz.ch

Introduction

Sasser and its variants are an Internet worm that exploits a known vulnerability in the Windows (TM) operating system (the LSASS buffer overflow addressed by Microsoft bulletin MS04-011). It was first observed in the wild on Saturday, May 1st, 2004. The worm first tries to open a connection to port 445 TCP on a randomly selected target host. If the connection succeeds and the host can be compromised, the main worm code is fetched from the infecting host via an FTP connection to port 5554 TCP. The worm also opens a backdoor on port 9996 TCP (9995 TCP for Sasser.D).
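The infection sequence just described (445 probe, worm body pulled over FTP from port 5554 on the infecting host, backdoor on 9996 or 9995) and the per-interval count of unique hosts attempting connections to port 445 TCP that the graphs on this page are built from can both be expressed as a small analysis over flow records. The following is an added example written for this page, not the authors' own processing code: the flow records are constructed, the prefix 10.0.0.0/11 is a placeholder standing in for the real SWITCH (AS559) address ranges, and the Flow fields mirror what a NetFlow v5 record carries (start time, endpoints, protocol, ports, cumulative TCP flags).

```python
"""Flow-level Sasser indicators, as an added example for this page.

Two things the page describes are reproduced over constructed NetFlow-style
records: (1) the per-interval count of unique sources that tried to open a
connection to 445/TCP, split into local (AS559) and all sources, and (2) the
infection chain 445 probe -> victim fetches the worm body from the scanner's
FTP server on 5554 -> backdoor on 9996 (9995 for Sasser.D).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress

# Placeholder for the real SWITCH prefixes (about 2.2 million addresses, ~/11).
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/11")]

TCP = 6
SYN = 0x02                     # SYN bit in NetFlow v5 cumulative tcp_flags
BACKDOOR_PORTS = {9996, 9995}  # Sasser.A-C / Sasser.D


@dataclass(frozen=True)
class Flow:
    start: datetime   # flow start time (UTC)
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    flags: int        # cumulative TCP flags seen in the flow


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def is_syn_to(flow: Flow, port: int) -> bool:
    """A connection attempt: TCP flow to `port` whose flags include SYN."""
    return flow.proto == TCP and flow.dport == port and bool(flow.flags & SYN)


def scanners_per_interval(flows, bucket_seconds=3600):
    """{bucket_start_epoch: (unique sources, of which local)} for 445/TCP SYNs.

    This is the quantity plotted on the page: red = all sources, green = AS559.
    Pure ACK traffic (established SMB sessions) carries no SYN and is ignored.
    """
    buckets = defaultdict(set)
    for f in flows:
        if is_syn_to(f, 445):
            bucket = int(f.start.timestamp()) // bucket_seconds * bucket_seconds
            buckets[bucket].add(f.src)
    return {b: (len(s), sum(1 for ip in s if is_local(ip)))
            for b, s in sorted(buckets.items())}


def infection_chains(flows, window_seconds=300):
    """{victim: (attacker, stage)} with stage "fetched" or "backdoored".

    A 445 SYN from A to V followed within `window_seconds` by a 5554 SYN from V
    back to A is the victim pulling the worm body; a later A -> V SYN to a
    backdoor port upgrades the stage. A 5554 flow with no preceding probe from
    its peer is not counted.
    """
    probes = {}   # (attacker, victim) -> time of the most recent 445 SYN
    chains = {}
    for f in sorted(flows, key=lambda x: x.start):
        if is_syn_to(f, 445):
            probes[(f.src, f.dst)] = f.start
        elif is_syn_to(f, 5554):
            probed_at = probes.get((f.dst, f.src))
            if probed_at is not None and 0 <= (f.start - probed_at).total_seconds() <= window_seconds:
                chains[f.src] = (f.dst, "fetched")
        elif f.proto == TCP and f.dport in BACKDOOR_PORTS and f.flags & SYN:
            if chains.get(f.dst, (None, None))[0] == f.src:
                chains[f.dst] = (f.src, "backdoored")
    return chains


# Constructed sample; the first global peak on the page was 0:00 UTC, May 1st 2004.
T0 = datetime(2004, 5, 1, tzinfo=timezone.utc)


def at(seconds: float) -> datetime:
    return T0 + timedelta(seconds=seconds)


SAMPLE_FLOWS = [
    Flow(at(0),    "10.2.2.2",     "10.2.2.3",      TCP, 1040, 445,  0x10),  # established SMB, ACK only
    Flow(at(10),   "198.51.100.7", "10.1.2.3",      TCP, 3001, 445,  0x12),  # external probe hits local host
    Flow(at(12),   "10.1.2.3",     "198.51.100.7",  TCP, 1025, 5554, 0x12),  # victim fetches worm body (FTP)
    Flow(at(30),   "198.51.100.7", "10.1.2.3",      TCP, 3002, 9996, 0x12),  # backdoor
    Flow(at(60),   "10.1.2.3",     "203.0.113.9",   TCP, 1026, 445,  0x02),  # infected host now scans
    Flow(at(61),   "10.1.2.3",     "203.0.113.10",  TCP, 1027, 445,  0x02),
    Flow(at(100),  "10.5.5.5",     "198.51.100.50", TCP, 1030, 5554, 0x12),  # 5554 with no prior probe
    Flow(at(3700), "198.51.100.8", "10.9.9.9",      TCP, 4000, 445,  0x12),  # next hour: probe ...
    Flow(at(3705), "10.9.9.9",     "198.51.100.8",  TCP, 1031, 5554, 0x12),  # ... and fetch, no backdoor seen
]

if __name__ == "__main__":
    for bucket, (total, local) in scanners_per_interval(SAMPLE_FLOWS).items():
        print(datetime.fromtimestamp(bucket, timezone.utc), total, local)
    print(infection_chains(SAMPLE_FLOWS))
```

Counting SYN-bearing flows rather than all traffic to port 445 is what separates scanning from ordinary SMB sessions; the 5554 check is directional on purpose, since only the victim connecting back to the scanner's FTP port matches the worm's behaviour.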
More information on Sasser: the author of Sasser appears to have been arrested in Germany (Slashdot, news.com).

Observation

Our observations in the SWITCH network show the worm propagation most clearly in the random scanning of port 445 TCP.

The graph shows the number of unique hosts that tried to open a connection to port 445 TCP. The green graph is the number of hosts within the SWITCH network (AS559), magnified by a factor of 1000. The red graph shows all hosts seen.

Interpretation

Scanning activity to port 445 TCP started to increase slowly from April 29th on. The first high peak is at 0:00 UTC on May 1st and levels off immediately. The next peak is around 16:00 UTC on the same day and looks like it is caused by the normal daily rhythm in America. The peaks then slowly level off over the next few days, clearly following a daily rhythm that seems to be dominated by America.

The initial short peak is puzzling. It seems that most infected machines crashed after a very short time. The shape of the second peak seems to indicate that the hosts seen in the first peak had indeed been infected and were just inactive until their owners got to them. Peak infection seems to be around 300,000 hosts; exact numbers would require a more thorough analysis. The deformed peak on May 2nd is due to an outage on one of the SWITCH routers, during which it stopped exporting traffic data.

For AS559, there seems to be no significant infection until late on Sunday, May 2nd, where a sharp increase can be noticed. It looks like hosts in AS559 were not infected to any significant degree before that time. At the moment it is unclear what the causes for this are. From Monday, May 3rd, on, the scans from AS559 follow the normal daily rhythm in Switzerland. Peak infection in AS559 seems to have been around 160 hosts.

Besides the seemingly later infection, the scan activity to port 445 TCP from AS559 shows one other significant deviation from the global scanning activity. At around 6:00 UTC on April 28th (8:00 local time in Switzerland), the number of hosts scanning port 445 TCP increased by around 100 for a few hours. This increase is not visible in the global picture. This could have been a test deployment of the worm that killed itself after a few generations. It could also have been ordinary scanning, but the number of source hosts seems rather high for that. There seems to have been a smaller peak of the same kind on the day before at about the same time. A more detailed analysis would be needed to determine the exact nature of these peaks.

Observational Setup

The graphs are based on Cisco NetFlow data exported by all SWITCH border routers. The IP address range of SWITCH is about 2.2 million addresses and corresponds roughly to a /11 network. Processing a one-hour interval of data to generate these graphs took about 12 minutes on an Athlon XP 2800+. The calculations were done on the TIK cluster "Scylla".

Limitations in this Observation
(c) 2004
at TIK CSG
ETH Zurich,
Thomas Dübendorfer,
Arno Wagner,
last change: May 10th, 2004