April 2, 2004 5:02 PM PST
MSBlast epidemic far larger than believed
The latest data comes from the software giant's ability to track the
usage of an online tool that its engineers created to clean systems infected with the worm. Since the January release of the tool, more than 16 million of the systems that
Though Microsoft believes the total number of users infected by the worm is likely closer to the higher 16 million tally, the 8 million figure may provide a more solid indication of the minimum number of systems hit. The larger number may include systems counted more than once, as busy computer users declined to deal with the worm immediately, or canceled the process once it had begun, only to return to Windows Update later. Once those systems were disinfected and patched, however, they would not be re-counted. Microsoft did not track which systems, specifically, used the tool, just that it was used.
Late last year, "we knew we were getting reports from customers saying that they were still seeing symptoms of Blaster," said Stephen Toulouse, security program manager for Microsoft's security response center. "Our Internet service provider partners were seeing a lot of Blaster traffic on their networks as well."
In fact, the worm hit so hard that the company quickly asked some development teams to stop work on the software giant's next version of Windows and create an interim update, known as Service Pack 2, to enhance the security of Windows XP. Moreover, several months of complaints led Microsoft to augment Windows Update with the online tool to detect and clean the MSBlast worm.
The tool has also given Microsoft an invaluable data point to quantify the threat of such Internet worms.
Already, the size of the digital epidemic far exceeds the estimates of researchers who have tracked the worm since it first started spreading, on Aug. 11. Typically, researchers try to estimate the size of a worm epidemic by collecting data from the records of network devices, such as firewalls and intrusion detection systems. By aggregating the information from the devices, researchers can count the number of Internet addresses from which a worm, such as MSBlast, is trying to spread.
Most Internet security organizations had believed that at most 500,000 systems had been compromised by the self-propagating program.
"I don't doubt (the new) number," said Johannes Ullrich, chief technology officer for the Internet Storm Center, which collects firewall logs from thousands of volunteers in order to gauge which digital threats are spreading on the Internet. Using the voluntarily submitted records, the Internet Storm Center had tallied enough Internet addresses to estimate that between 200,000 and 500,000 computers had been infected by the worm.
Another threat tracker, security company Symantec, has agreements with the owners of some 20,000 network devices to use their records for analysis. The company crunches the numbers to keep track of threats on the Internet, and though it stopped counting once the MSBlast worm spread to more than 40,000 computers, Symantec estimated that "a couple hundred thousand" systems may have been compromised, said Alfred Huger, senior director of engineering for the company.
"I am surprised by (Microsoft's) number," he said. "However, I can't contest it; they have the best insight. We certainly see Blaster out there in spades."
A survey of 2,000 computers completed by Symantec found that, on average, a system will receive a network packet from an MSBlast-infected computer within one second of connecting to the Internet. Such tenacious spreading is part of the reason Symantec waited until February, five months after MSBlast started spreading, to reduce its threat rating of the worm from a three to a two on its five-point scale.
The wide gap between previous estimates and the latest data calls into question Internet researchers' ability to accurately gauge the spread of computer worms.
The Internet Storm Center's Ullrich stressed that counts based on network sensors only see the data that goes outside a company's firewall. Many companies block the data that the MSBlast worm uses to spread. Moreover, many Internet service providers also blocked the data, further reducing the apparent number of infected systems on the Internet.
"Sure we missed some of them," Ullrich said. "The biggest discrepancy is likely in the large corporate networks."
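The sensor-based estimate described above (aggregate firewall and intrusion detection records, then count the distinct Internet addresses from which the worm is trying to spread) is easy to reproduce in a few lines. The following is an added example, not code from the article or from Microsoft, Symantec or the Internet Storm Center. It parses a handful of constructed firewall-log lines in a simplified format of my own, keeps only records that look like the worm's spreading traffic (TCP connection attempts to port 135, the DCOM RPC port MSBlast targeted; the article itself does not name the port), and counts distinct source addresses. The per-source attempt counter shows why raw record counts overstate infections while the distinct-source set understates them: a host whose network blocks that traffic at the edge, as Ullrich notes many corporate networks and ISPs did, never appears in anyone's logs at all.

```python
"""Estimate infected-host count from aggregated perimeter sensor logs.

Added example, not from the article. Log format below is constructed
(not any real product's), as are all addresses (RFC 5737 test ranges).
"""
import re
from collections import Counter

# Constructed sample: records from three independent sensors. Format:
# <timestamp> <sensor> <action> proto=<proto> src=<ip> dst=<ip> dport=<port>
SAMPLE_LOGS = """\
2003-08-12T10:00:01 sensorA DROP proto=tcp src=203.0.113.5 dst=198.51.100.7 dport=135
2003-08-12T10:00:02 sensorA DROP proto=tcp src=203.0.113.5 dst=198.51.100.8 dport=135
2003-08-12T10:00:03 sensorA DROP proto=tcp src=203.0.113.9 dst=198.51.100.7 dport=135
2003-08-12T10:00:04 sensorB DROP proto=tcp src=203.0.113.5 dst=198.51.100.20 dport=135
2003-08-12T10:00:05 sensorB ACCEPT proto=tcp src=203.0.113.40 dst=198.51.100.20 dport=80
2003-08-12T10:00:06 sensorB DROP proto=udp src=203.0.113.41 dst=198.51.100.20 dport=135
2003-08-12T10:00:07 sensorC DROP proto=tcp src=192.0.2.77 dst=198.51.100.30 dport=135
2003-08-12T10:00:08 sensorC DROP proto=tcp src=192.0.2.77 dst=198.51.100.31 dport=4444
garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sensor>\S+) (?P<action>\S+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# TCP/135 (DCOM RPC) is the port MSBlast probed when spreading.
WORM_PORT = 135


def parse_lines(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def is_worm_scan(rec):
    """True for records that look like the worm's spreading traffic."""
    return rec["proto"] == "tcp" and rec["dport"] == WORM_PORT


def distinct_scanners(text):
    """Set of source addresses seen probing the worm port across all sensors."""
    return {r["src"] for r in parse_lines(text) if is_worm_scan(r)}


def estimate_infected(text):
    """Distinct-source count: the sensor-based estimate the article describes.

    It is a floor, not a total: hosts whose networks block the worm's traffic
    at the perimeter generate no records and are invisible to every sensor.
    """
    return len(distinct_scanners(text))


def per_source_attempts(text):
    """Connection attempts per scanning source. Summing these overcounts,
    since one infected host generates many records across many sensors."""
    return Counter(r["src"] for r in parse_lines(text) if is_worm_scan(r))


if __name__ == "__main__":
    print("distinct scanning sources:", estimate_infected(SAMPLE_LOGS))
    print("raw attempts per source:", dict(per_source_attempts(SAMPLE_LOGS)))
```

On the constructed sample, five matching records collapse to three distinct sources; the UDP probe, the web request and the port-4444 connection are ignored because they do not match the spreading pattern. Scaling this to thousands of volunteer sensors is what produced the 200,000-to-500,000 range quoted above, and the same blind spot (egress filtering hides whole networks) is what the Microsoft cleanup-tool figures exposed.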
Microsoft's Toulouse has confidence that the software giant's data is correct. Windows Update patches the vulnerability that allows MSBlast to spread, but before January, it didn't eradicate the worm from the compromised system. That behavior resulted in many users having their systems patched after the worm had successfully infected their computers. That prompted Microsoft to create the tool to clean those Windows systems.
"They were protected from being re-infected, but they had already been infected," he said. "The tool doesn't even get offered to (users), unless they had (the patches) installed and we detected the existence of Blaster on their computer."
Security researchers still weren't ready on Friday to put complete faith in the new numbers. They seemingly needed time to acclimate to a new reality where a single worm or virus could threaten millions of computers.
"It's a very large number," said Symantec's Huger.