Microsoft has claimed that almost 1.5 million Windows
customers downloaded a cleanup tool for the Sasser internet worm in
the first two days after it began offering the tool on
Sunday.
The number of downloads is one indication of the number of
Windows computers infected with Sasser and it is bigger than most
estimates from computer security companies. Still, the total number
of infected Windows systems could be even higher, especially when
infections on computer networks are taken into account.
After appearing last Friday, the worm spread quickly around the
world. Early estimates by the Sans Institute's Internet Storm
Center (ISC) put the total number of infected system in the
"hundreds of thousands", based on reports to ISC, said Johannes
Ullrich, chief technology officer at the ISC, which monitors
malicious activity on the internet.
Different figures for the number of infections emerged in the
days that followed, most of them extrapolated from snapshots of the
internet. Those included statistics gathered by managed security
services companies from intrusion detection sensors running on
customer networks, as well as tallies of the unique Internet
addresses that exhibit worm-like behavior, such as scanning for
vulnerable host systems on a particular communications port.
Published reports cited executives from Akamai Technologies,,
which runs its own global network of servers, saying 500,000 to
700,000 Windows machines were infected. Antivirus company Symantec
said it knew of 10,000 infections but put the likely total in the
hundreds of thousands.
The question of how many computers actually catch worms and
viruses is hotly contested as security companies try to gauge the
impact of malicious code outbreaks on the internet.
The Microsoft numbers correspond to recent scans of the Internet
by the ISC, Ullrich said yesterday. ISC identified about 500,000
unique Internet Protocol addresses scanning port 445, the port used
by Sasser, on Saturday, and 700,000 scans on Sunday.
Those numbers are similar to ones collected during the Blaster
worm attack, but Blaster scanned for vulnerable computers more
voraciously, causing bigger disruptions in internet and network
traffic, he said.
As it did with the Blaster worm, Microsoft began offering the
Sasser removal tool from its website shortly after the worm
appeared. The tool, which can be downloaded or run from a web
browser, scans computers for telltale signs of Sasser and then
allows the user to remove the worm. (See:
http://www.microsoft.com/security/incident/sasser.asp.)
In addition to the Sasser tool, Microsoft customers have rushed
to download a software patch that prevents Windows systems from
being infected with Sasser.
That rush for the patch caused a spike in traffic to the Windows
Update site and might have caused temporary slowdowns. The site was
functioning properly late yesterday, according to a Microsoft
spokeswoman.
Sasser appeared on Friday and exploits a recently disclosed hole
in a component of Windows called the Local Security Authority
Subsystem Service, or LSASS. Microsoft released a software patch,
MS04-011, on 13 April that plugs the LSASS hole. (See:
www.microsoft.com./technet/security/bulletin/ms04-011.mspx)
Sasser has spawned at least four variants, labelled A, B, C and
D, as of Tuesday. The worm is similar to an earlier worm, Blaster,
because users do not need to receive an e-mail message or open a
file to be infected. Instead, just having a vulnerable Windows
machine connected to the Internet via communications port number
445 is enough to catch Sasser.
Paul Roberts writes for IDG News
Service