Sasser Activity Slows

The worm has infected as many as 1 million systems, but security firms say it may have peaked.

George V. Hulme, Contributor

May 4, 2004

The Sasser outbreak is the first true worm attack this year, and some security vendors, including Internet Security Systems Inc. and Network Associates Technology Inc., have pegged potential infections at 1 million systems. Unlike viruses, worms don't require users to click on a file or an E-mail attachment to get infected; they typically propagate through software vulnerabilities. Worm attacks similar to Sasser include the July 2001 Code Red outbreak, the January 2002 SQL Slammer attack, and the Blaster worm that infected millions of systems last August.

While the worm has infected up to 1 million systems, it has yet to significantly hamper Internet performance. As of Tuesday afternoon, Keynote Systems Inc.'s Internet Health Report said the status for most Internet performance was healthy to stable.

Andy Champagne, director of network analytics and federal engineering at Akamai Technologies Inc., says the Sasser activity the Web-performance company witnessed Tuesday fell from Monday, when the worm may have peaked. "It looks like activity today is going to be down substantially from where it was yesterday. Given this we may have already seen the peak for this worm," he says.

Akamai estimates that the number of Sasser infections reached nearly 700,000 late Monday and was down to just under 400,000 on Tuesday. Some security experts say Akamai's estimates could be high, because Sasser causes systems to repeatedly reboot.

"We don't see this as a real issue. There may be some slight variation in the results due to this, but overall it should be minimal," Champagne says. "Even across reboots, most [high-speed] Internet providers assign out the same IP address to the computer via DHCP."

Alfred Huger, senior director of engineering at Symantec Corp.'s security response unit, says it's difficult to estimate the total number of infected systems. Symantec has spotted 100,000 Sasser-infected systems connected to the Internet, "but that number could easily be extrapolated to several hundred thousand systems," he says.

While he wouldn't say how many of Symantec's business customers reported getting infected with the Sasser worm, he says the worm's infection rate within companies closely resembles Blaster's.

Jimmy Kue, research fellow with McAfee's Avert research team, says the bulk of Sasser infections hit home users and that only a handful of its business customers reported Sasser infections.

About 3,000 of the company's McAfee.com antivirus customers got infected, Kue says, and because of system reboots, those users had to have their systems cleaned 48,000 times.

As for companies that did get hit, Huger says, the worm has caused performance troubles and has made it difficult for business partners to connect to each other's networks.

More Sasser variants are sure to follow, but Huger says that the rush to patch, by both business and home users, should mean future variants won't pack as hefty a punch. "It'll hit a saturation point," Huger says.

The software vulnerability that the Sasser worm targets in Windows 2000, XP, and Windows 2003 server was revealed on April 13, along with patches to fix the security hole. However, many Windows 2000 customers have cited problems installing the patch.

Detection and removal tools for Sasser worms can be found here.

About the Author(s)

George V. Hulme

Contributor

An award-winning writer and journalist, George Hulme has written about business, technology, and IT security topics for more than 20 years. He currently freelances for a wide range of publications, and is security blogger at InformationWeek.com.
