Using Smart Update and Configuration Groups to Detect and Remove SASSER Worm



The information in this article applies to the following products:

• Prism Deploy 5.0 and above

Summary:

The SASSER worm is infecting Windows 2000, XP and 2003 systems across the world. Microsoft has confirmed that SASSER and its variants exploit the Local Security Authority Subsystem Service (LSASS) issue that was addressed by the security update released on April 13, 2004, in Microsoft Security Bulletin MS04-011.

For more detailed information about this threat, please browse to these relevant links on Microsoft’s web site:

http://www.microsoft.com/security/incident/sasser.asp

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

You can use Prism Deploy’s Smart Update technology to determine if systems are infected and if they are patched against SASSER. If you have infected and/or unpatched systems, you can use Command Tasks to patch them and to remove SASSER using free tools provided by the antivirus vendors.

Method:

In your Prism Deploy Channel, create user-defined Configuration Groups to detect systems that are patched/unpatched and infected/not infected against SASSER and its variants. In our example, the Configuration Group rulesets are configured to look for the presence or absence of the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB835732\Filelist. The presence of this key indicates that an XP system has been patched. The ruleset also checks for variants of the worm’s executable files (avserve.exe, avserve2.exe or skynetave.exe). Here’s the syntax of the ruleset for unpatched, uninfected Windows XP systems:

(OSVersion = OS.Version.WinXP) AND (NOT EXISTS "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB835732\Filelist") AND (NOT EXISTS "%windir%\avserve.exe") AND (NOT EXISTS "%windir%\avserve2.exe") AND (NOT EXISTS "%windir%\skynetave.exe")

You can download New Boundary’s Sasser rulesets here: SasserRulesets

Next, create and assign Tasks to perform the remediation and patching process on infected systems:

  1. On Windows XP systems, first turn off System Restore.* This can be done with a Prism Package that first checks if the target system is running Windows XP. The Package has a reboot property set; you can choose to make the reboot silent or not. You can download New Boundary’s Packages here: SystemRestorePackages
  2. Run the cleanup utility from your antivirus vendor as a Command Task. Our example uses a free cleanup tool released by Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html
  3. Turn System Restore back on by assigning a Prism Package to the “not infected” groups. The package is configured to first check that System Restore is off and that the target PC is running Windows XP. It also has a silent reboot property set. Note: If you would like a copy of our packages for System Restore off and on, please contact support@newboundary.com.
  4. Create a Command Task to install the KB835732 patch.

Assign the Tasks to the appropriate Configuration Groups (patching first then remediating). Your target computers will automatically move themselves into and out of Configuration Groups as their status changes, and they will receive the appropriate Tasks for their current status.

Below is a screenshot of a sample Channel.

* Here’s a link discussing System Restore and why it must be turned off before remediation of SASSER: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

Please contact New Boundary Technical Support if you’d like further assistance: 612-379-1851.