COLUMBIA, S.C. – The Sasser worm is racing across the Internet, slowing down systems and shutting some down automatically as it takes advantage of yet another vulnerability in Microsoft's XP and Windows 2000 operating systems. But it doesn't have to be that way.

"As long as the end users properly patch their systems, the worm poses little threat," says Rick Fleming, chief technology officer at Digital Defense Inc. in San Antonio, Texas. "With that being said, poorly firewalled and unpatched hosts could fall victim to the worm in rapid order," says Fleming, whose company protects security at more than 120 institutions, including the NCUA.

The worm appeared last week, about two weeks after Microsoft announced a patch for a vulnerability that allows the attack to take place through a hole in a Windows security system. This one is particularly insidious because it doesn't require clicking on an attachment or opening an e-mail for the worm to enter the system.

While a check with several major providers of security services to credit unions found no reports of infection among their clients, the Sasser worm could be a sign of worse to come. "The danger in this worm lies in greatly increased network traffic, leading to congestion and possibly overloading network devices," says Jeff Marshall, vice president of technology for Minnesota-based Cavion Plus, provider of Internet services to more than 1,000 credit unions. He adds: "There is a large threat of this worm becoming increasingly malicious in the near future. In less than four days, four variants have surfaced, each more optimized than the others."

Reports from Europe indicate that some financial institutions are among big organizations affected by the outbreak, but here credit unions should not have too much to worry about, if they installed the patch that followed the April 13 announcement about the new vulnerability. And make no mistake, attacks are likely.
"We have witnessed Internet-scale propagation of the Sasser worm," says Jon Ramsey, director of Internet security at Atlanta-based SecureWorks. "To date, 75% of our credit union clients have been attacked, but 100% have been protected," says Ramsey, whose company serves more than 300 credit unions, including six of the 20 largest.

If it does invade, the Sasser bug can be particularly buggy. "Once a computer or server is infected it can constantly shut itself down automatically or won't let you shut it down. There are removal tools out there for the worm but if your system is constantly shutting itself off you can't run the tool," said Rick Woehler of CU Defense, an IT security division of PM Systems in Chapin, S.C. "A lot of folks are having to completely rebuild their systems. One of our largest hardware suppliers was completely shut down yesterday and wasn't able to process any orders due to the worm. They probably lost a lot of money and had a late night last night," he said.

Another concern is that the worm could eventually find a way to invade the Windows XP Embedded system that serves ATM networks and the like. It's a complicated proposition. "Windows XP Embedded takes a modularized approach to the computing platform. While it's more difficult, if not impossible, to patch embedded systems, the chances are much greater that the system lacks the vulnerable component and would therefore be unaffected," says Marshall at Cavion Plus. "On the other hand, if the embedded system did have the component in question, the cost of recovering from a virus infection would be much higher," he says, including probably having to send equipment to vendors or manufacturers for repair.

As for fighting the latest outbreak, more than 1.5 million personal and business users have taken matters into their own hands by going to www.microsoft.com/security/incident/sasser.asp. There one can find downloads for cleaning up infections as well as patches to prevent them from happening.
And while all the vendors say they routinely make patches every time one is announced, that sometimes is not enough, says Woehler at CU Defense, which provides IT security for more than 30 credit unions. "There are a lot of third-party vendors that install servers in credit unions and specifically tell the staff that they cannot put on security patches because they interfere with their software," he says.

"There are also credit unions out there that either don't know how or are not permitted to verify their own firewall rules by their firewall vendors. If you don't know the rules on your own firewall, then it's not really your firewall," Woehler says. "Luckily, the Sasser worm uses ports that most credit unions wouldn't allow through their firewall and I'm certain that most are unaffected by the worm," he says.
