The Windows worm is back – and this time it’s serious

“It’s pretty aggressive, and it’s replicating very quickly.” That reads like the words of a stressed system administrator affected by last week’s WannaCry (Wanna Decryptor) ransomware – but actually, that’s the reaction of a security expert from 13 years ago to a new variant of the Sasser worm.

WannaCry’s ransomware high jinks apart, the echoes with last Friday’s events are intriguing.

Just as WannaCry targets an oft-unpatched Windows SMB flaw, so in 2004 Sasser picked at the scab of an unpatched Windows flaw in the Local Security Authority Subsystem Service (LSASS – hence “Sasser”), which is – ironically – a bit of the OS used to manage security settings.

If you think WannaCry’s victim count is impressive, Sasser’s included not-to-be-sniffed-at names such as Deutsche Post, the European Commission and Delta Airlines, to name only a selection.

Curiously, Sasser was seen as more pesky than existential, coming as it did after a sequence of mega-worms such as ILOVEYOU, Nimda, Welchia, Netsky, SoBig, Blaster, and SQL Slammer. Some of these exploited Microsoft software vulnerabilities and found plenty of victims who swore a collective “never again”.

This turned out to be hollow: in 2008 another big worm, Conficker, put in its first appearance in a world tour of networks that was still running at 1.7m infections per quarter three years later.

What kind of world was it that saw the Sasser worm hitting tens or hundreds of thousands of networks as a mere nuisance? Most likely, one in which worms were common, an era we might now describe as the “golden dark age” of malware designed to spread its badness at high speed.

Experts know why worms were so successful in the early 2000s: the internet made rapid infection possible. Patching was also in its infancy. When something becomes possible, eventually someone will try it. Not long after that, someone will copy them and so the cycle continues.

Worms have become infrequent in recent years, probably because malware writers embraced stealth as a better attack plan, worms being anything but.

And yet, defending against worms remains inconvenient. Admins can block services or ports at firewall level, but rarely indefinitely. Suspending email is another tactic that works until everyone complains.

WannaCry’s worm is a reminder that people not only forget, they forget that they forget. The world has a habit of being surprised at new malware that is thematically old.

Next time, it could be worse. In 2012, the Saudi Aramco oil company was attacked by something called Shamoon, which rapidly nixed the Master Boot Record (MBR) of 35,000 PC hard drives. There have been other examples of disk-trashing attacks since then, which are incredibly time-consuming and expensive to mitigate if the PC is put into a boot loop.

Something that trashes disks combined with a worm could cause not days but weeks of disruption for an organisation like Britain’s NHS, as well as costing a great deal of money to fix – and that’s not even taking into account the effects on staff, patients and their loved ones. Those human costs are still being counted in the UK’s NHS.

The history is there for everyone to learn from.