May 6, 2004 3:28 PM PDT

Net watchers wary of Sasser fallout

Although the damage wrought by Sasser failed to reach the levels of MSBlast and other major infections, security experts are warning that there could still be more trouble to come from the worm.

One researcher said Thursday that the group of online vandals suspected of creating both the Sasser worm and several variations of the Netsky virus could combine the two threats.

The resulting blended threat could slip past perimeter defenses into corporate networks via e-mail messages and then spread quickly once inside.

"Sasser is inhibited by gateways, and adding the e-mail aspect would bypass the gateways," said Jimmy Kuo, a researcher and a McAfee fellow at security company Network Associates. The technique is "rather obvious," he said, defending the decision to publicize the strategy in an alert. "I don't think I am giving a clue to the virus authors," he said.

The 6-day-old Sasser worm has begun to spread more slowly, as companies clean up existing infections, according to security researchers. However, as with previous worm programs, it's unlikely that Sasser and its offshoots will ever truly disappear from the Internet. While new versions of a particular worm tend to have a smaller effect than the original, variants that add different ways to disseminate themselves--whether by exploiting other flaws or by fooling users--could have more impact.

After Code Red struck Web servers almost three years ago, an unknown author produced a follow-on worm that added spreading via network shares and e-mail attachments to attacks on IIS Web servers. The resulting program, called Nimda, caused so much damage that Microsoft had to assuage its customers by embarking on a security initiative, known as Trustworthy Computing.

Security problems are once again becoming an issue for the software giant's customers. This week, business intelligence firm Gartner warned companies that use Microsoft products to consider the money they spend in responding to worms and other threats as part of a product's total cost of ownership. In an online research advisory, Gartner warned that corporate information technology teams will have to apply patches more quickly and buy additional tools to make sure that Windows-based computers are secure.

"Two working weeks is a really short time for an enterprise to get the patch, test the patch and get the patch on its systems," said John Pescatore, vice president of Internet security at Gartner.

It seems, however, that Microsoft has learned from past incidents: It has put its weight behind providing an easier way for customers to clean their systems of Sasser.

Within 24 hours of the worm's appearance on the Internet, the company had released instructions on getting rid of the program. On Saturday, it released an ActiveX program that could remove the worm automatically from a system. By Sunday night, 1.5 million people had downloaded the cleaning tool, according to Debby Fry Wilson, the director of marketing communications at Microsoft's security response unit.

In addition, a significant number of visitors to Microsoft's Sasser information page downloaded the tool, according to Wilson, who declined to be more specific about the amount.

On Wednesday, Microsoft added the Sasser clean-up program to its Windows Update service so that PC users could easily patch and clean their systems automatically. A similar move in January meant that Microsoft was able to give out the best estimate to date--about 10 million--of the number of systems infected by MSBlast, an earlier major worm.

With Sasser, however, the software giant is hesitant to release its numbers. "We want to be careful that we don't give too much visibility to the people that have caused this havoc," Wilson said. "From a policy perspective, it is something we need to be careful about."

Sasser, like previous worms, will likely die off only slowly. Both Code Red and Nimda continue to spread on the Internet.

"People never clean them off fast enough," said Alfred Huger, the senior director of the incident response team at Symantec. "Our worry is: What kind of damage is going to be done, postworm? The problem for us is that these machines being compromised pose a threat."

To date, Symantec has verified that 190,000 computers have been infected by the Sasser worm and its variants. However, for the MSBlast worm, similar methods led the security firm to estimate that 500,000 computers had been infected--an amount 20 times smaller than Microsoft's likely more accurate tally.

That difference could be due to the inability of such network analysis to see past corporate firewalls. Fully accounting for that "dark matter" of the Internet could significantly boost the Sasser infections represented by Symantec's reported numbers, putting the estimate near 4 million.

Other researchers doubt that the number could be so high. "We don't see anything that supports millions," said Jose Nazario, a researcher into Internet attacks at network protection firm Arbor Networks. "The service-level disruptions that we saw with MSBlast--we aren't seeing (them) with Sasser."

Nazario said Arbor researchers believed that tens of thousands of systems are infected.

2 comments

Total cost of ownership...
is quite an elusive concept. But there is no doubt that the damages caused by exploiting Microsoft's poorly written and designed OS by the scumbags writing the malware is truly a cost Microsoft should have to pay for. There is not one industry in the world that could sell a product which puts the consumer at great risk and not have to pay for the damages. Microsoft users face a new danger on a regular basis. Over and over and over, users of Microsoft software are put in danger. This has got to be the most dangerous product of all time. And the flaws keep appearing one after another. If Microsoft were held accountable for their product like EVERY other goods and service provider, this crap would stop! There is no reason on Earth that Microsoft should get away with such disregard for consumer safety. And now we are hearing about their Longhorn. It will be worse than XP. When there is no accountability, you can expect the same attitude and behavior to continue.

It's time for those suffering the damages to sue Microsoft. It's time the Justice department stepped in and proceeded against the fraud Microsoft has committed. And every product MS sells should come with a warning label regarding the dangers of owning and operating software developed by Microsoft. EVERY other industry follows the rules. Microsoft thumbs their nose at the standards everyone else must follow.

It is time to approach our legislators and demand something be done to protect the economic future of IT consumers. While Bill Gates is getting rich, the consumer is paying every day for damages which Microsoft is absolutely responsible for. I doubt that any product ever sold has cost the business world as much as Microsoft's software. And the $$$$ keep rising with no end in sight!
Posted by bjbrock (98 comments)
warning label
http://www.analogstereo.com/jaguar_xj220_owners_manual.htm
Posted by George Cole (314 comments)