Staff Writer, CNET News.com
The Sasser worms continued to wriggle into computers on Tuesday, hitting home users hard while affecting companies to a lesser degree than previous attacks, security experts said.
Antivirus software maker Network Associates believed that as many as 80 percent of those infected were home users and students. That poses a much greater problem than compromised corporate computers, in terms of Internet safety, said Vincent Gullotto, vice president of Network Associates' McAfee Anti-Virus Emergency Response Team.
"The problem is that most of those infections are not going away any time soon," he said. "Those people (home users) don't generally know what to do."
The Sasser worm, which started spreading Friday, has infected an estimated 500,000 to a million systems, according to security experts. Nearly 1.5 million customers visited Microsoft.com and used the Sasser scanning and cleaning tool in the first 48 hours of its availability, the software giant said Tuesday. The number is not a reliable measure of infection, because many of those users may not have been compromised by Sasser, a company representative said.
The worm does little damage and, unlike previous fast-spreading worms, has not caused overwhelming network disruptions. However, in many cases, the worm does cause infected Windows XP and Windows 2000 computers to repeatedly reboot.
Two new variations of Sasser—Sasser.C and Sasser.D—started spreading Monday. Like the original and the Sasser.B variant, the new worms take advantage of a vulnerability in unpatched versions of Windows XP and Windows 2000 systems. The worms infect vulnerable systems by establishing a remote connection to the targeted computer, installing an FTP (File Transfer Protocol) server and then downloading themselves to the new host. Unlike mass-mailing computer viruses—such as MyDoom and Sobig—Sasser does not spread from computer to computer through e-mail.
The original version of the Sasser worm spread slowly, but on Saturday, online vandals released Sasser.B, which infected computers much faster. By Monday, two new variants had appeared, and the worm had spread to hundreds of thousands of systems.
On Tuesday, security company Symantec updated the number of infections it had confirmed to 100,000, 10 times higher than the company's Monday figure. Most of that increase is due to the security software maker aggressively scanning for compromised computers, meaning that the rise doesn't necessarily represent how fast the program is spreading, said Alfred Huger, senior director of Symantec Security Response.
Many compromised systems may not be visible to external security surveys and detection, so the actual number of infected systems could be higher. Although Symantec and others that monitor Internet security believed that the recent MSBlast worm had spread to perhaps 500,000 computers, Microsoft later discovered that almost 10 million computers had so far been infected.
In another measure of the effects of the worm, Symantec had received almost 8,000 reports of the virus from customers. Like those logged by rival Network Associates, the overwhelming majority of the reports were from home users, Huger said, but he added that the number of submissions from home users is typically higher, because each generally represents a single PC.
"Ten home users are going to give 10 different submissions, but each corporate report represents many infections," he said.
Huger also stressed that the damage—in terms of productivity lost—will largely result from corporations cleaning up the worm.
This time around, telephone company and Internet service provider SBC Communications tried to minimize the problem for its Net customers. The company warned them by e-mail this weekend about the worm and urged them to patch their systems.
"It is extremely important you (patch your systems) now, because it's likely you will not be able to take these measures, if your computer becomes infected," the company told customers.
"We saw an initial increase in network traffic, and we have seen that stabilize since taking some actions," said Larry Meyer, spokesman for SBC.
Many home users still connect their computers directly to their broadband Internet line and don't use security software. SBC warned those users to patch their systems, turn on the firewall and install antivirus software to protect against Sasser and Gaobot, also known as Agobot, which the company considered to be a greater threat.
"Sasser is the more rapidly spreading of the two, but Gaobot is potentially much more dangerous, because it gives access to the infected computer," Meyer said.
The original worm did not spread very quickly on Friday and Saturday, according to security experts. But some Windows XP users asked for help by way of a support list when, as a side effect of infection, their computers displayed an error message and restarted.
Still, "the number of home users seeking help on cleaning the Sasser worm in the MS Windows XP Technical Support newsgroup is far less than last year, when the MSBlast worm was released," said Yan Kei "Kenrick" Fu, a Hong Kong college student and a frequent adviser to users of Microsoft's support lists.
At the University of Massachusetts at Amherst, 1,100 computers were compromised with Sasser, after students connected their already infected computers to the campus networks Monday.
Delta Air Lines encountered problems in Atlanta with its computers for more than six hours, resulting in delays. Although the carrier said it has solved the problems, it wouldn't comment on what caused the issues, spokesman Anthony Black said on Tuesday.
In August, airline Air Canada canceled flights due to its network being infected with a variant of the MSBlast worm. The MSBlast.B worm, also called Welchia and Nachi, spread so aggressively that it inundated many companies' networks with data. Air Canada said its network couldn't deal with the amount of traffic generated by the hostile program.
Other reports, including several mentions of a German company that had 300,000 compromised computers, have turned out to be erroneous.
Network Associates' Gullotto said that overall, companies have not had a high percentage of infections. Corporations of 50,000 or more users may have had hundreds of compromised computers, but in general, less than 1 percent of systems are being affected, he said.
"When we see Sobig, Blaster, we—my antivirus group—get hammered," he said. "We aren't seeing that this time. We aren't seeing the pain."