
Sasser (computer worm)

Generated by DeepSeek V3.2
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: Sasser
Type: Computer worm
Author: Sven Jaschan
Platforms: Microsoft Windows
Date discovered: April 2004

Sasser is a computer worm that exploits a vulnerability in the Local Security Authority Subsystem Service (LSASS) on Microsoft Windows operating systems, primarily affecting Windows XP and Windows 2000. First identified in April 2004, it caused widespread system instability and network congestion by forcing infected computers to repeatedly crash and reboot. Unlike many contemporaneous threats, Sasser did not spread via email or require user interaction, instead propagating automatically across networks and the internet.

Overview

The worm specifically targeted a buffer overflow vulnerability, documented in Microsoft Security Bulletin MS04-011, within the LSASS process. The fix for this flaw was part of a larger set of patches released by Microsoft on Patch Tuesday earlier that same month. Sasser's operation was relatively simple: it scanned random IP addresses on TCP port 445, attempting to exploit the flaw on unpatched systems to execute its own code. Upon successful infection, it would then open FTP ports to download the worm's main file and begin scanning for new targets, creating a self-sustaining cycle of infection that could overwhelm networks.
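The random scanning on TCP port 445 described above leaves a recognisable trace in flow logs: one source contacting many distinct addresses in a short time, with most attempts unanswered. The following is an added example, not part of the original article, that flags such sources; the log format, state names, thresholds and sample records are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed look-back window
MIN_DISTINCT_DSTS = 10           # assumed fan-out threshold
MIN_FAIL_RATIO = 0.5             # assumed share of unanswered attempts

def parse(line):
    """Parse 'ISO-time src dst dport state' (constructed log format)."""
    ts, src, dst, dport, state = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), state

def find_smb_scanners(lines):
    """Return {src: peak distinct TCP/445 destinations seen in any WINDOW}."""
    windows = defaultdict(deque)     # src -> recent (ts, dst, failed)
    flagged = {}
    for ts, src, dst, dport, state in sorted(map(parse, lines)):
        if dport != 445:
            continue
        win = windows[src]
        win.append((ts, dst, state != "ESTABLISHED"))
        while ts - win[0][0] > WINDOW:   # expire events older than WINDOW
            win.popleft()
        dsts = {d for _, d, _ in win}
        fail_ratio = sum(f for _, _, f in win) / len(win)
        if len(dsts) >= MIN_DISTINCT_DSTS and fail_ratio >= MIN_FAIL_RATIO:
            flagged[src] = max(flagged.get(src, 0), len(dsts))
    return flagged

def sample_flows():
    """Constructed flow records; none of these come from a real capture."""
    t0 = datetime(2004, 5, 1, 9, 0, 0)
    rows = []
    # Workstation using two file servers repeatedly: normal SMB use.
    for i in range(20):
        rows.append(f"{(t0 + timedelta(seconds=3*i)).isoformat()} 10.0.0.5 10.0.1.{1 + i % 2} 445 ESTABLISHED")
    # Host sweeping many addresses within seconds, mostly unanswered.
    for i in range(15):
        state = "ESTABLISHED" if i % 5 == 0 else "SYN_SENT"
        rows.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.0.23 198.51.100.{i + 1} 445 {state}")
    # Backup job touching 12 servers, one every 10 minutes: too slow to flag.
    for i in range(12):
        rows.append(f"{(t0 + timedelta(minutes=10*i)).isoformat()} 10.0.0.40 10.0.2.{i + 1} 445 ESTABLISHED")
    return rows

if __name__ == "__main__":
    print(find_smb_scanners(sample_flows()))
```

Requiring both high fan-out and a high failure ratio keeps file-server clients and slow batch jobs out of the result, which matters when the output is used to decide which hosts to isolate and patch first.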

Development and propagation

Sasser was created by then 17-year-old German computer science student Sven Jaschan from the village of Waffensen in Lower Saxony. Jaschan, who also authored the Netsky worm, reportedly wrote Sasser to exploit the recently disclosed LSASS flaw, which affected unpatched systems worldwide. The worm's propagation mechanism relied on the widespread use of vulnerable Windows systems connected to always-on broadband internet connections, which were becoming increasingly common. Its scanning activity generated massive amounts of network traffic, leading to congestion and slowdowns even on systems that were not directly infected.

Impact and damage

The impact of Sasser was global and severe, affecting millions of computers and causing significant operational disruptions. Major institutions were hit hard; Delta Air Lines was forced to cancel numerous transatlantic flights, Goldman Sachs reported extensive internal network issues, and the British Coastguard had its electronic mapping systems disabled. In Asia, the Xinhua News Agency and several Hong Kong government departments were paralyzed, while in Europe, institutions like Finnair and the European Commission experienced critical outages. The University of Florida also reported severe network problems. The economic damage was estimated to be in the hundreds of millions of dollars due to lost productivity and recovery costs.

Mitigation and removal

Mitigation required applying the official Microsoft security patch and disabling vulnerable services. Network administrators and home users were urged to update their systems via Windows Update and to use firewall software to block port 445. Antivirus software vendors, including Symantec and McAfee, quickly released signature updates and dedicated removal tools. The CERT Coordination Center and other national computer emergency response teams issued widespread alerts detailing steps for containment and eradication. Manual removal involved terminating specific processes and deleting created files from the Windows system directory.

An intensive international investigation led by Microsoft and involving the FBI and German police traced the worm's origin. Sven Jaschan was arrested in May 2004 after associates, motivated by a Microsoft bounty offer, provided information to authorities. He was tried in a German juvenile court due to his age at the time of the offenses. In July 2005, Jaschan received a suspended sentence and was ordered to perform community service. The case highlighted the growing role of law enforcement agencies like the FBI and Europol in combating cybercrime and the use of substantial financial rewards by corporations like Microsoft to facilitate arrests.

Legacy and influence

The Sasser outbreak underscored critical weaknesses in global cybersecurity practices, particularly the slow rate of patch adoption by organizations and individuals. It demonstrated how a single, unpatched vulnerability could be leveraged to cause international infrastructure disruption. The incident accelerated the adoption of automated patch management systems and heightened the profile of coordinated Patch Tuesday responses. Furthermore, Sasser's success influenced the tactics of later malware families and cemented the importance of proactive network defense in the evolving landscape of internet threats. The worm remains a canonical case study in computer security education regarding worm propagation and vulnerability management.
