echo: aust_avtech
to: All
from: Brenton
date: 2004-06-07 08:43:36
subject: Re: Locking Windows

From: "Brenton" 
Reply-To: Brenton , Fidonet AVtech Echo

BL> BTW, what's this new Sasser worm that exploits a "flaw" in
BL> WinXP?

DD> An unused port that responds to inbound traffic and actions it.
DD> Not an issue if one has a firewall ..[]..

Since no-one replied properly, here is what the Sasser Worm is about.  BTW, this
sort of stuff won't get any better in the future either....

Okay, M$ have a "glitch", "bug", whatever in Windows.  Actually they have lots
of them :) although we won't go into that now.  Basically, what they stuffed up
is the serial communications, although since it now comes in via an Ethernet
Port, they have a high-tech name for it ( It's all the same thing Bob,
same shit, different wrapper ).

What they've done is basically this... They've said we shouldn't get any packets
over X bytes long, so we will put aside a buffer of X bytes and read the
incoming data into that and then process it.  Being kids who learnt all about
computers at Uni last week, they thought this was a great idea.  So, they setup
their buffer and start receiving data.  There could be a few ways they've
stuffed it up. They either don't keep track of how much data is actually coming
in and they end up getting more data than they allowed for, or the first few
bytes tell them how big the packet is going to be, so they allocate a chunk of
memory for it and just start streaming the data into it.  Either way, they end
up getting a shit-load more data than they were expecting and they don't know
it, coz they aren't checking as it arrives.  The end result is that they end up
overwriting the data reception buffer and just keep writing the crap that they
are getting, into memory.  They have a high-tech name for this now, it is called
a "buffer overflow".  Anyway, some clever cookie discovered that if you send the
right amount of data and create this "buffer overflow", Windoze will crash.  But
where it gets really exciting is that Windoze will crash in such a manner that
it will start executing code from a specific part of the buffer.  Now, I think
you know where this is going :)  Yep, they put a small piece of executable code
in the data-stream they send and they know where it will end up, right where
Windoze starts executing code from.  Bingo, instant Worm.

As this is coming in via the Ethernet Port, you don't even have to run their
program.  If your computer is on and connected to the Net while you are running
Windoze-XP ( Windows eXtra Profitable ), you can get hit.  I know a bloke who
bought a new computer the day this thing hit the net.  He took the machine to
his office, set it up, configured his dial-up networking to get mail and WHAM ..
Sasser got him.  He was only on the net for 5 minutes.  One of the first things
this does is to try to replicate itself by generating random IP addresses and
seeing if it can find another machine to hit.

There is a little more to it than that, but it basically works as I've explained
it.

Cheers, Brenton


--- ifmail v.2.15
* Origin: VideoCam Services WEB (http://vcsweb.com/) (3:800/221{at}fidonet)
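The two receiver mistakes Brenton describes (not checking how much data has arrived, and trusting a length field in the first bytes) next to a version that checks both before copying, as an added C example that is not from the post or from any Windows code. The 2-byte length-prefixed wire format, BUF_SIZE and the function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64u   /* assumed size of the fixed reception buffer ("X bytes") */
/* Constructed wire format: 2-byte big-endian payload length, then the payload. */

/* "Before": believes the length in the header and copies that many bytes into a
   fixed-size buffer; a declared length above BUF_SIZE writes past its end. */
size_t recv_packet_unchecked(const uint8_t *wire, size_t wire_len, uint8_t *dst)
{
    if (wire_len < 2) return 0;
    size_t declared = ((size_t)wire[0] << 8) | wire[1];
    memcpy(dst, wire + 2, declared);          /* never compared with BUF_SIZE */
    return declared;
}

/* "After": the declared length is checked against the buffer capacity and the
   bytes actually received before any copy. Returns bytes copied, or -1 if rejected. */
int recv_packet_checked(const uint8_t *wire, size_t wire_len, uint8_t *dst, size_t dst_cap)
{
    if (wire_len < 2) return -1;
    size_t declared = ((size_t)wire[0] << 8) | wire[1];
    if (declared > dst_cap) return -1;        /* would run off the end of the buffer */
    if (declared > wire_len - 2) return -1;   /* header promises more than arrived */
    memcpy(dst, wire + 2, declared);
    return (int)declared;
}

/* Builds a constructed packet whose header claims `declared` bytes while `present`
   bytes of payload actually follow, and feeds it to the checked receiver. */
int checked_result(uint16_t declared, size_t present)
{
    static uint8_t wire[2 + 1024];
    if (present > sizeof wire - 2) present = sizeof wire - 2;
    wire[0] = (uint8_t)(declared >> 8);
    wire[1] = (uint8_t)(declared & 0xff);
    memset(wire + 2, 'A', present);
    uint8_t buf[BUF_SIZE];
    return recv_packet_checked(wire, 2 + present, buf, sizeof buf);
}

int main(void)
{
    printf("well-formed 16-byte packet: %d\n", checked_result(16, 16));   /* 16 */
    printf("header claims 256 bytes:    %d\n", checked_result(256, 256)); /* -1 */
    printf("header claims 64, 10 sent:  %d\n", checked_result(64, 10));   /* -1 */
    return 0;
}
```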

SOURCE: echomail via fidonet.ozzmosis.com
