
This new worm - why is it called "SASSER?"

This topic is archived.

UrbScotty Donating Member (1000+ posts) Fri May-07-04 08:46 PM
Original message
This new worm - why is it called "SASSER?"
(Semi-political; could be GD material, actually)

Who gives names to these viruses? And why is this one called Sasser?

When you think of the word 'Sasser,' what comes to mind? I am reminded of former Senator Jim Sasser of Tennessee, who was defeated in 1994 by Bill Frist.

mr_hat Donating Member (1000+ posts) Fri May-07-04 08:48 PM
Response to Original message
1. Named for Mackey and Mickey, the two >
catcher-brothers who came up through the Giants farm system in the '80s?

Probably not...

SharonAnn Donating Member (1000+ posts) Fri May-07-04 08:49 PM
Response to Reply #1
2. Maybe it's Jim Sasser's revenge? He was a great Dem senator
in Tennessee who was ousted by Bill Frist with Frist's self-funded campaign that spent more money on the race (by far) than had ever been spent on a Senate race in this region.

Bill Frist's money won, and look where that got us.

MikeG Donating Member (1000+ posts) Fri May-07-04 08:59 PM
Response to Original message
3. It could be because it attacks the LSASS.exe file

salvorhardin Donating Member (1000+ posts) Fri May-07-04 09:10 PM
Response to Reply #3
4. That's right
The worm uses a buffer overrun exploit against the Local Security Authority Subsystem Service (LSASS) LSASRV.DLL.

Names aren't always so logical though. Usually whichever anti-virus software vendor gets their fix out first names the virus or worm. The others have a sort of gentleman's agreement to use the same name. However, sometimes this doesn't work out (usually because different companies choose a name about the same time) and you end up with different names for the same nasty.

In general, they all follow the virus naming conventions of the Computer Anti-Virus Research Organization (CARO). For a truly enjoyable Friday evening, you can read in great detail CARO's naming convention here: http://downloads.securityfocus.com/library/naming.txt

Enjoy! :-)

lapfog_1 Donating Member (1000+ posts) Fri May-07-04 09:34 PM
Response to Reply #4
5. *%$^&#$%

Buffer overrun? Christ, that was the first hole I exploited
in college (1976) to gain "superuser" access to a Honeywell
66/60 (GECOS). After we had fun and crashed the system a few
times (it was one of two mainframes on campus), we were told to
develop a fix for it... So we did, and of course, in the fix was
a new hole for us to exploit. AFAIK, the patch was used by
Honeywell intact for many years.

I would expect better nowadays, it's one of the more obvious
things to check for (allocate space, check length of copy, check
boundaries of copy, copy user parameters into kernel).

Will M$ ever learn?


salvorhardin Donating Member (1000+ posts) Sat May-08-04 08:16 AM
Response to Reply #5
11. Trustworthy Computing
"When we face a choice between adding features and resolving security issues, we need to choose security,"

"Our products should emphasize security right out of the box."

"Users should be in control of how their data is used,"

"It should be easy for users to specify appropriate use of their information, including controlling the use of e-mail they send."


-- quotes from memo Bill Gates sent to Microsoft employees in (January I believe) 2002 where he declares security to be Microsoft's top priority, Microsoft's so-called Trustworthy Computing initiative.


Rather ironic considering that 2004 has been the year of the worm (or virus if you prefer). Will Microsoft ever learn? Nah, I don't think so. I don't think they care. To be fair, many of the recent worms were based on exploits that had been discovered months or even years earlier and had patches available. Also, Windows Update is pretty good now, in Win XP.

However, the problem is that these exploits should not be available in the first place and Microsoft's service packs often create as many problems as they patch. The development culture at Microsoft is focused on getting new products out the door as fast as possible and overworked, stressed out programmers are bound to make errors in their code or logic.

I don't know. As I keep seeing more and more of the Longhorn specification falling to the wayside as Microsoft attempts to release its next behemoth sometime this decade, maybe they are learning and are sacrificing "features" for security. Somehow I doubt it.

texas1928 Donating Member (1000+ posts) Fri May-07-04 09:45 PM
Response to Original message
6. it gets into your computer
and then it sasses you.

bigwillq Donating Member (1000+ posts) Fri May-07-04 10:02 PM
Response to Original message
7. I think my computer has it (nt)
It's shutting down now.

Hand Donating Member (1000+ posts) Fri May-07-04 10:52 PM
Response to Original message
8. Insh'Allah...
nt

WannaJumpMyScooter Donating Member (1000+ posts) Fri May-07-04 11:23 PM
Response to Original message
9. Because that is what Karl's minion decided it would be called
to deflect blame from his royal highness.

iorg Donating Member (31 posts) Fri May-07-04 11:36 PM
Response to Original message
10. When I think of Sasser
the basketball playing brothers, Jason and Jeryl, come to mind. From TTU and SMU, respectively.

Don_G Donating Member (1000+ posts) Sat May-08-04 08:52 AM
Response to Original message
12. Ask The German Teen Who Developed It
Edited on Sat May-08-04 08:53 AM by Don_G
It may mean something else in Europe or may be his girlfriend's name. In any event, we needed to call it something other than "@&%$*@."

Link: http://ap.tbo.com/ap/breaking/MGARNTNOZTD.html

Kellanved Donating Member (1000+ posts) Sun May-09-04 09:36 AM
Response to Reply #12
13. He doesn't know - the AV industry names the Worms
He did actually wonder about it.

This text was included in a version of Netsky:
--snip
Hey, av firms, do you know that we have programmed the sasser virus?!?. Yeah thats true! Why do you have named it sasser? A Tip: Compare the FTP-Server code with the one from Skynet.V!!! LooL! We are the Skynet...


--snap