Microsoft has claimed that almost 1.5 million Windows customers downloaded a cleanup tool for the Sasser internet worm in the first two days after it began offering the tool on Sunday.
The number of downloads is one indication of the number of Windows computers infected with Sasser and it is bigger than most estimates from computer security companies. Still, the total number of infected Windows systems could be even higher, especially when infections on computer networks are taken into account.
After appearing last Friday, the worm spread quickly around the world. Early estimates by the Sans Institute's Internet Storm Center (ISC) put the total number of infected system in the "hundreds of thousands", based on reports to ISC, said Johannes Ullrich, chief technology officer at the ISC, which monitors malicious activity on the internet.
Different figures for the number of infections emerged in the days that followed, most of them extrapolated from snapshots of the internet. Those included statistics gathered by managed security services companies from intrusion detection sensors running on customer networks, as well as tallies of the unique Internet addresses that exhibit worm-like behavior, such as scanning for vulnerable host systems on a particular communications port.
Published reports cited executives from Akamai Technologies,, which runs its own global network of servers, saying 500,000 to 700,000 Windows machines were infected. Antivirus company Symantec said it knew of 10,000 infections but put the likely total in the hundreds of thousands.
The question of how many computers actually catch worms and viruses is hotly contested as security companies try to gauge the impact of malicious code outbreaks on the internet.
The Microsoft numbers correspond to recent scans of the Internet by the ISC, Ullrich said yesterday. ISC identified about 500,000 unique Internet Protocol addresses scanning port 445, the port used by Sasser, on Saturday, and 700,000 scans on Sunday.
Those numbers are similar to ones collected during the Blaster worm attack, but Blaster scanned for vulnerable computers more voraciously, causing bigger disruptions in internet and network traffic, he said.
As it did with the Blaster worm, Microsoft began offering the Sasser removal tool from its website shortly after the worm appeared. The tool, which can be downloaded or run from a web browser, scans computers for telltale signs of Sasser and then allows the user to remove the worm. (See: http://www.microsoft.com/security/incident/sasser.asp.)
In addition to the Sasser tool, Microsoft customers have rushed to download a software patch that prevents Windows systems from being infected with Sasser.
That rush for the patch caused a spike in traffic to the Windows Update site and might have caused temporary slowdowns. The site was functioning properly late yesterday, according to a Microsoft spokeswoman.
Sasser appeared on Friday and exploits a recently disclosed hole in a component of Windows called the Local Security Authority Subsystem Service, or LSASS. Microsoft released a software patch, MS04-011, on 13 April that plugs the LSASS hole. (See: www.microsoft.com./technet/security/bulletin/ms04-011.mspx)
Sasser has spawned at least four variants, labelled A, B, C and D, as of Tuesday. The worm is similar to an earlier worm, Blaster, because users do not need to receive an e-mail message or open a file to be infected. Instead, just having a vulnerable Windows machine connected to the Internet via communications port number 445 is enough to catch Sasser.
Paul Roberts writes for IDG News Service