11 May 2004

Sasser Virus

PCs at the University were badly affected by the Sasser worm.

On Wednesday, 5 May 2004, at around 3pm, Windows PCs on the University network came under attack from the Sasser worm. Many PCs were unusable for several days while the IT groups within the University removed the worm and patched the vulnerability.

The Sasser worm is transmitted machine to machine by exploiting a vulnerability in Windows 2000, XP and 2003 operating systems (Macintosh computers were never vulnerable to this attack, although the network traffic generated by the worm, and subsequent attempts to remove it and patch the Windows computers, caused significant delays for Macintosh users accessing network services like email and Web pages).

The vulnerability exploited by the Sasser worm was already known to Microsoft, which had issued a patch closing it on 19 April 2004. Windows PCs belonging to Divisional staff on the network are supposed to be configured to download security patches automatically when they become available. This has obviously not been happening consistently throughout the Division, and investigations are underway to determine why the patches were not being installed.

All the Division’s Microsoft servers had been patched and were not infected by the worm, but the volume of network traffic slowed their performance so dramatically that to some users they appeared to be down. Macintosh servers were not affected, although again the network traffic gave them the appearance of being compromised.

The network port used by the worm to propagate had been closed at the border of the University network for 10 days, so the worm had to have been introduced into the network from inside, either via removable media (floppy disk, Zip disk, or CD) with the worm on it, or from an infected portable computer brought on to campus and connected to the University network.
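The inference above (the border block on the worm's port held, so the first infected host must have been inside) is the kind of question a firewall or flow log can answer directly. The script below is an added example, not part of the original report: it triages a constructed log excerpt to confirm that no external host was allowed through on the propagation port, and then finds internal hosts fanning out to many neighbours on that port, which is what a worm looks like from the network. The log format, the internal address range (10.0.0.0/8) and the fan-out threshold are assumptions; TCP 445 is used because that is the Windows SMB port Sasser used to reach the vulnerable service.

```python
"""Triage constructed flow-log lines to decide whether a worm that spreads over
one TCP port entered a network from outside or from inside.

Added example; not code from the original incident report. Assumptions:
a space-separated log format (constructed below), an internal range of
10.0.0.0/8, and TCP 445 as the propagation port."""

from collections import defaultdict
from datetime import datetime
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed campus address range
WORM_PORT = 445            # TCP port Sasser used to reach the vulnerable service
FANOUT_THRESHOLD = 5       # distinct targets per source per window that flags a scanner
WINDOW_SECONDS = 60

# Constructed sample: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
2004-05-05T14:58:01 203.0.113.9 10.1.2.3 445 DENY
2004-05-05T14:59:10 203.0.113.9 10.1.2.4 445 DENY
2004-05-05T15:00:30 10.8.8.8 10.1.2.50 80 ALLOW
2004-05-05T15:01:02 10.5.6.7 10.1.2.10 445 ALLOW
2004-05-05T15:01:03 10.5.6.7 10.1.2.11 445 ALLOW
2004-05-05T15:01:03 10.5.6.7 10.1.2.12 445 ALLOW
2004-05-05T15:01:04 10.5.6.7 10.1.2.13 445 ALLOW
2004-05-05T15:01:05 10.5.6.7 10.1.2.14 445 ALLOW
2004-05-05T15:01:05 10.5.6.7 10.1.2.15 445 ALLOW
2004-05-05T15:02:20 10.1.2.10 10.3.0.1 445 ALLOW
2004-05-05T15:02:21 10.1.2.10 10.3.0.2 445 ALLOW
2004-05-05T15:03:00 10.9.9.9 10.1.2.99 445 ALLOW
"""


def parse_line(line):
    ts, src, dst, port, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "port": int(port), "action": action}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def border_crossings(records):
    """External -> internal connections on the worm port that were ALLOWed.
    An empty result supports the inference that the border block held."""
    return [r for r in records
            if r["port"] == WORM_PORT and r["action"] == "ALLOW"
            and r["src"] not in INTERNAL_NET and r["dst"] in INTERNAL_NET]


def internal_scanners(records):
    """Internal sources that reached >= FANOUT_THRESHOLD distinct internal hosts
    on the worm port within WINDOW_SECONDS. Returns {src: peak_fanout}."""
    per_src = defaultdict(list)
    for r in records:
        if (r["port"] == WORM_PORT and r["src"] in INTERNAL_NET
                and r["dst"] in INTERNAL_NET):
            per_src[r["src"]].append((r["ts"], r["dst"]))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        peak = 0
        for i, (t0, _) in enumerate(events):
            # distinct targets in the window starting at this event
            targets = {d for t, d in events[i:]
                       if (t - t0).total_seconds() <= WINDOW_SECONDS}
            peak = max(peak, len(targets))
        if peak >= FANOUT_THRESHOLD:
            flagged[str(src)] = peak
    return flagged


def first_internal_source(records):
    """Earliest flagged internal host: the likely point of introduction
    (removable media or an infected portable computer, as the report suggests)."""
    scanners = internal_scanners(records)
    hits = [r for r in records
            if str(r["src"]) in scanners and r["port"] == WORM_PORT]
    return str(min(hits, key=lambda r: r["ts"])["src"]) if hits else None


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("border crossings on worm port:", len(border_crossings(recs)))
    print("internal scanners:", internal_scanners(recs))
    print("earliest internal source:", first_internal_source(recs))
```

On the constructed sample the two external probes were denied at the border, the host 10.5.6.7 contacts six neighbours on the port within three seconds, and the host it reached first (10.1.2.10) begins probing shortly after, which is the chain of events the report describes. The fan-out window and threshold are the knobs a practitioner would tune: a file server legitimately talks to many clients on port 445, but it does so as the destination, not as a source sweeping consecutive addresses.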

As a result of this episode, the following things should be done:

  • A communication strategy needs to be developed.
  • As an interim measure, immediately implement an effective strategy to keep security patches and virus definitions current, until systems can be put in place in the University or the Division to maintain Windows PCs.
  • The University, or the Division if ICT Services is unable to manage it, should install and manage Windows Update Services when it is available in late 2004 to ensure an efficient updating system is in place (although the software is free, a server will be required, together with a licence for the Windows 2003 Server operating system).
  • Serious consideration should be given to expanding the use of alternative platforms in the Division, particularly Macintosh. The Macintosh operating system, OS X, is based on Unix, a mature and largely open-source operating system that is far less vulnerable than Windows to exploitation and not a target for the type of activity plaguing Windows PCs.