Dabber loves Sasser
p2pnet.net News:- Here’s an interesting development in the virus world.
Many, if not most, e-bugs have a marked taste for security holes and nine-point-nine times out of ten, the vulnerabilities are Microsoft Windows specific.
But the latest worm, it would appear, instead looks for vulnerabilities in Sven Jaschan’s Sasser, the most recent e-crittur to fang the Net.
‘Threat management’ specialists LURHQ say they’ve found a new worm that exploits a ‘vulnerability’ in Sasser’s ftp server component.
“This worm will only infect users already infected by Sasser,” states LURHQ here. “Even though we have seen worms utilize backdoors left behind by other worms, this is the first time we have seen a worm using a vulnerability in another worm in order to propagate. We have named this worm ‘Dabber’.”
“Third party analysis” suggests Dabber is related to Doomran, discovered in March. It had a similar method of operation, infecting hosts through the backdoor left by the Mydoom email virus, says LURHQ, going on:
“However it merely utilized the Mydoom backdoor protocol instead of exploiting a vulnerability. It is likely that much of the worm code was reused by the author to create Dabber, substituting the Sasser-FTP exploit for the Mydoom backdoor upload code and adding the ability to remove Sasser.
“Correlations between scans on port 3127 (Mydoom backdoor) and port 9898 (Dabber/Doomran backdoor) were made as early as February, but due to no complete analyses of Doomran being available, the connection between the port 9898 activity and Doomran was not established until now.”
Dabber probes a network for computers infected with Sasser, says New Scientist here, and after deleting all trace of Sasser, “it then installs a backdoor that could be used to upload other programs to an infected machine. This might give a hacker complete control over that system. Dabber then sets about scanning for further Sasser-infected computers to infect.”
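The port correlation LURHQ describes (scans on 3127 alongside scans on 9898) can be checked against a perimeter log. The sketch below is an added example, not LURHQ's or p2pnet's code; the four-field log format, the addresses, the timestamps and the ten-minute window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the LURHQ quote above.
MYDOOM_BACKDOOR = 3127
DABBER_BACKDOOR = 9898

# Constructed sample log (hypothetical format: time, source, destination, dest port).
SAMPLE_LOG = """\
2004-05-14T10:00:01 198.51.100.7 192.0.2.10 3127
2004-05-14T10:00:03 198.51.100.7 192.0.2.11 9898
2004-05-14T10:02:10 203.0.113.5 192.0.2.10 9898
2004-05-14T10:05:00 203.0.113.9 192.0.2.12 3127
2004-05-14T18:30:00 203.0.113.9 192.0.2.12 9898
malformed line
2004-05-14T10:07:00 198.51.100.20 192.0.2.10 80
"""

def parse(lines):
    """Yield (timestamp, source, port) for well-formed lines; skip the rest."""
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], int(parts[3])
        except ValueError:
            continue

def correlated_sources(lines, window=timedelta(minutes=10)):
    """Return sources that probed both backdoor ports within `window` of each other."""
    seen = defaultdict(lambda: defaultdict(list))  # source -> port -> [timestamps]
    for ts, src, port in parse(lines):
        if port in (MYDOOM_BACKDOOR, DABBER_BACKDOOR):
            seen[src][port].append(ts)
    hits = set()
    for src, ports in seen.items():
        for a in ports[MYDOOM_BACKDOOR]:
            if any(abs(a - b) <= window for b in ports[DABBER_BACKDOOR]):
                hits.add(src)
                break
    return sorted(hits)

if __name__ == "__main__":
    for src in correlated_sources(SAMPLE_LOG):
        print("probed both 3127 and 9898:", src)
```

A source that touches only one of the two ports, or touches them hours apart, is not reported; widening `window` trades fewer misses for more coincidental matches.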





