Robert Lemos


May 3, 2004, 3:25 PM PT
The unknown team of programmers who created the latest variant of the Netsky virus claim to be the authors of the Sasser worm–and researchers have found evidence that supports that assertion.

The programmers, who have referred to themselves as the Skynet Antivirus Team, may have been responsible for almost 30 variations of mass-mailing computer virus Netsky. Now, within the code of Netsky.AC, the team has claimed credit for creating and releasing the Sasser worm.

The boasts are credible, Joe Stewart, senior security researcher at network protection firm Lurhq, said Monday. Lurhq has found similarities between the code of the Netsky line of viruses and the Sasser worm.

“You can never really tie code back to an author,” he said. “The fact that (the viruses and the worm) carry common code, that I’m sure of. Whether the authors of the two programs are the same, that I can’t say.”

More on Sasser Outbreak

Prevention and cure

Over 500,000 infections

Possibly penned by NetSky author

Microsoft on how to prevent infection

On Monday, a new worm, Sasser.B, started to spread widely. Like the original worm, Sasser.A, the variant takes advantage of a vulnerability in unpatched versions of Windows XP and Windows 2000 systems. The worms infect vulnerable systems by establishing a remote connection to the targeted computer, installing a File Transfer Protocol (FTP) server, and then downloading themselves to the new host.

Stewart said that Netsky and Sasser contain the same code for many functions.

Based on binary analysis, he found that the programs call the same set of functions in the same order, which in some cases might be a coincidence, but with these functions is not.

“To have them in that order would not be that common,” he said. “It suggests there is a private code library that they both draw on.”

Stewart accurately predicted that a worm based on the widespread Local Security Authority Subsystem Service, or LSASS, vulnerability would be released Friday or Saturday.

In the code of the latest Netsky variant, Netsky.AC, the authors boast that they wrote the Sasser worm as well, according to an analysis completed by antivirus firm Trend Micro.

“Hey, av (antivirus) firms, do you know that we have programmed the sasser virus?!? Yeah thats true!” stated the message in the text. “Why do you have named it sasser? A Tip: Compare the FTP-Server code with the one from Skynet.V!!! LooL! We are the Skynet.”

The authors also offer proof by including source code from the Sasser worm that, when compiled, seems to match up to the actual worm.

The ribbing at antivirus firms over the naming of Sasser is the strangest part, Stewart said, because Sasser doesn’t seem to have a name in the code that the authors stood by.

“If it was by the Netsky authors, why didn’t they name it in the code?” Stewart asked. “They are pretty verbal in all their other comments.”

Microsoft may announce another set of rewards for information leading to those who released the Netsky viruses and the Sasser worm.

Already, the software giant has promised three $250,000 rewards for information leading to the arrest and conviction of the authors of MSBlast, Sobig and MyDoom. However, the company wouldn’t comment on the likelihood of a reward for information about Sasser, except to say that the idea is being considered.