Computerworld
Print Article
Close Window

Microsoft: Almost 1.5M download Sasser cleanup tool

It began offering the tool on Sunday, two days after the worm appeared

Paul Roberts
 

May 5, 2004 (IDG News Service)

Almost 1.5 million Windows customers downloaded a cleanup tool for the Sasser Internet worm in the first two days after Microsoft Corp. began offering the tool on Sunday, according to a Microsoft spokeswoman.
The number of downloads is one indication of the number of Windows computers infected with Sasser, and it's bigger than most estimates from computer security companies. Still, the total number of infected systems could be even higher, especially when infections on computer networks are taken into account, the spokeswoman said.
Sasser, which appeared on Friday, exploits a recently disclosed hole in a component of Windows called the Local Security Authority Subsystem Service, or LSASS. Microsoft released a software patch, MS04-011, on April 13 that plugs the LSASS hole (see story).
Sasser had spawned at least four variants, labeled A, B, C and D, as of yesterday. The worm is similar to an earlier one -- Blaster -- in that users don't need to receive an e-mail message or open a file to be infected. Instead, just having a vulnerable Windows machine connected to the Internet via communications Port 445 is enough to catch Sasser.
After appearing Friday, the worm spread quickly around the world (see story). Early estimates by the SANS Institute's Internet Storm Center put the total number of infected system in the "hundreds of thousands," based on reports to the ISC, said Johannes Ullrich, chief technology officer at the center, which monitors malicious activity on the Internet.
Different figures for the number of infections emerged in the days that followed, most of them extrapolated from snapshots of the Internet. Those included statistics gathered by managed security services companies from intrusion-detection sensors running on customer networks, as well as tallies of the unique Internet addresses that exhibit wormlike behavior, such as scanning for vulnerable host systems on a particular communications port.
Published reports cited executives from Akamai Technologies Inc., which runs its own global network of servers, as saying that 500,000 to 700,000 Windows machines were infected. Antivirus company Symantec Corp. said it knew of 10,000 infections but put the likely total in the hundreds of thousands.
The question of how many computers actually catch worms and viruses is hotly contested as security companies try to gauge the impact of malicious code outbreaks on the Internet.
The Microsoft numbers correspond to recent scans of the Internet by the ISC, Ullrich said yesterday. The ISC identified about 500,000 unique IP addresses scanning Port 445, the port used by Sasser, on Saturday and 700,000 scans on Sunday, he said.
Those numbers are similar to ones collected during the Blaster worm attack, but Blaster scanned for vulnerable computers more voraciously, causing bigger disruptions in Internet and network traffic, Ullrich said.
As it did with the Blaster worm, Microsoft began offering the Sasser removal tool from its Web site shortly after the worm appeared. The tool, which can be downloaded or run from a Web browser, scans computers for telltale signs of Sasser and then allows the user to remove the worm.
Microsoft customers have rushed to download the software patch that prevents Windows systems from being infected with Sasser, in addition to the Sasser cleanup tool.
That rush for the patch caused a spike in traffic to the Windows Update site and might have caused temporary slowdowns. The site was functioning properly late yesterday, the Microsoft spokeswoman said.