April 2, 2004 5:02 PM PST

MSBlast epidemic far larger than believed

Related Stories

Microsoft publishes program to blast MSBlast

January 6, 2004

A 20-year plague

November 25, 2003

Worms double the trouble

August 22, 2003

Network operators: Worm still squirming

August 15, 2003
New data from Microsoft suggests that at least 8 million Windows computers have been infected by the MSBlast, or Blaster, worm since last August--many times more than previously thought.

The latest data comes from the software giant's ability to track the usage of an online tool that its engineers created to clean systems infected with the worm. Since the January release of the tool, more than 16 million of the systems that


Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.


connected to Microsoft's Windows Update service were found to be infected with MSBlast and were offered a patch and the use of the disinfecting tool, the software giant told CNET News.com. During the same period, about 8 million systems actually called on Update to patch them and prevent reinfection and used the special tool to remove the worm.

Though Microsoft believes the total number of users infected by the worm is likely closer to the higher, 16 million, tally, the 8 million figure may provide a more solid indication of the minimum number of systems hit. The larger number may include systems counted more than once, as busy computers users declined to deal with the worm immediately, or canceled the process once it had begun, only to return to Windows Update later. Once those systems were disinfected and patched, however, they would not be re-counted. Microsoft did not track what systems, specifically, used the tool, just that it was used.

Late last year, "we knew we were getting reports from customers saying that they were still seeing symptoms of Blaster," said Stephen Toulouse, security program manager for Microsoft's security response center. "Our Internet service provider partners were seeing a lot of Blaster traffic on their networks as well."

In fact, the worm hit so hard that the company quickly asked some development teams to stop work on the software giant's next version of Windows and create an interim update, known as Service Pack 2, to enhance the security of Windows XP. Moreover, several months of complaints led Microsoft to augment Windows Update with the online tool to detect and clean the MSBlast worm.

The tool has also given Microsoft an invaluable data point to quantify the threat of such Internet worms.

Already, the size of the digital epidemic far exceeds the estimates of researchers who have tracked the worm since it first started spreading, on Aug. 11. Typically, researchers try to estimate the size of a worm epidemic by collecting data from the records of network devices, such as firewalls and intrusion detection systems. By aggregating the information from the devices, researchers can count the number of Internet addresses from which a worm, such as MSBlast, is trying to spread.

Most Internet security organizations had believed that at most 500,000 systems had been compromised by the self-propagating program.

"I don't doubt (the new) number," said Johannes Ullrich, chief technology officer for the Internet Storm Center, which collects firewall logs from thousands of volunteers in order to gauge which digital threats are spreading on the Internet. Using the voluntarily submitted records, the Internet Storm Center had tallied enough Internet addresses to estimate that between 200,000 and 500,000 computers had been infected by the worm.

Another threat tracker, security company Symantec, has agreements with the owners of some 20,000 network devices to use their records for analysis. The company crunches the numbers to keep track of threats on the Internet, and though it stopped counting once the MSBlast worm spread to more than 40,000 computers, Symantec estimated that "a couple hundred thousand" systems may have been compromised, said Alfred Huger, senior director of engineering for the company.

"I am surprised by (Microsoft's) number," he said. "However, I can't contest it; they have the best insight. We certainly see Blaster out there in spades."

A survey of 2,000 computers completed by Symantec found that, on average, a system will receive a network packet from a MSBlast-infected computer within one second of connecting to the Internet. Such tenacious spreading is part of the reason Symantec waited until February, five months after MSBlast started spreading, to reduce its threat rating of the worm from a three to a two on its five-point scale.

The wide gap between previous estimates and the latest data calls into question Internet researchers' ability to accurately gauge the spread of computer worms.

The Internet Storm Center's Ullrich stressed that counts based on network sensors only see the data that goes outside a company's firewall. Many companies block the data that the MSBlast worm uses to spread. Moreover, many Internet service providers also blocked the data, further reducing the apparent number of infected systems on the Internet.

"Sure we missed some of them," Ullrich said. "The biggest discrepancy is likely in the large corporate networks."

Microsoft's Toulouse has confidence that the software giant's data is correct. Windows Update patches the vulnerability that allows the MSBlast to spread, but before January, it didn't eradicate the worm from the compromised system. That behavior resulted in many users having their systems patched after the worm successfully infected their computers. That prompted Microsoft to create the tool to clean those Windows systems.

"They were protected from being re-infected, but they had already been infected," he said. "The tool doesn't even get offered to (users), unless they had (the patches) installed and we detected the existence of Blaster on their computer."

Security researchers still weren't ready on Friday to put complete faith in the new numbers. They seemingly needed time to acclimate to a new reality where a single worm or virus could threaten millions of computers.

"It's a very large number," said Symantec's Huger.

1 comment

Join the conversation!
Add your comment
even up to now
the blaster worm indeed is still alive and kicking, and created a catch 22 situation.

some, including me, every now and then clean up our hard disks and install windows from scratch. so the first thing you do once windows is installed is update your virus scanner or apply patches from windowsupdate. either which way, the blaster is definitely going to bite you in less than ten minutes after you have connected to the internet. so you can't download something in order to protect yourself and for users who can't find the blaster patch from a friend or someone, the only way to get it is from the net, which...ahh...it is a vicious circle indeed!

i believe it would be best if everyone download the installer for the blaster rpc patch for winxp and keep it in a safe place such a cdrom or something. and make sure you apply that patch before going on line.

and i had to laugh at myself for being infected by a worm after having been virus-free for more than ten years.
Posted by (2 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.