May 3, 2004, 5:45 PM PT
Like astronomers looking at a small portion of the universe to learn about the whole, security researchers have used the Sasser worm's impact on their local networks to extrapolate how far the worm has spread throughout the Internet.
The method, called a network telescope, extrapolates from the traffic arriving at a monitored block of addresses to the Internet as a whole. It suggests that the worm and its variants have compromised about 500,000 computers in three days, although estimates range from 200,000 to 1 million systems.
While the numbers sound overwhelming, the compromised PCs make up a fraction of a percent of the computers connected to the Internet and fall short of the 10 million computers infected by MSBlast, also called Blaster.
"Overall this is not that big yet," said Andy Champagne, director of network analytics for network service provider Akamai. "It is not trivial, but it is not Blaster scale, either."
Akamai used the data from its 15,000 network nodes scattered around the Internet to get a picture of how the Sasser worms were spreading. The company's best estimate is that from 500,000 to 700,000 computers have been infected with a copy of the malicious program. While Akamai had estimated a similar range of 300,000 to 1 million for the MSBlast worm, Champagne said that Sasser did not cause as much havoc as its predecessor.
By late Monday, three new versions of the Sasser worm, labeled B, C and D, had begun to spread. The Sasser programs exploit a vulnerability in the Local Security Authority Subsystem Service (LSASS) of unpatched Windows XP and Windows 2000 systems, the flaw Microsoft addressed in security bulletin MS04-011. An infected machine opens a connection to a vulnerable target, exploits the flaw to gain a command shell, and directs that shell to fetch a copy of the worm from an FTP server that the worm runs on the already-infected machine; the copy then executes on the new host and begins scanning in turn.
Other security companies estimated that the worms had spread to hundreds of thousands of computers.
Network protection firm Internet Security Systems captured its own data and estimated that between 500,000 and 1 million computers have been compromised. The firm records data with sensors on a class B network, a /16 block of 65,536 addresses, or roughly 0.0015 percent of the IPv4 address space.
"We are trying to find the best estimates we can," said Chris Rouland, vice president for ISS's incident assessment team.
On Saturday, the company's network had seen a peak of almost 400,000 probes in an hour from the worm. Spread over the 65,536 monitored addresses, that rate works out to about six probes per address per hour, so a computer newly attached to the Internet would wait, on average, about 10 minutes before a worm attempted to compromise it.
Symantec, which counts infections directly rather than extrapolating, confirmed that at least 10,000 computers had been infected: for each computer that sent worm traffic to the sensors the company uses to detect threats, it checked whether the worm's file server was running on that host. However, the company acknowledges that this method cannot count the large collections of computers sitting behind firewalls that use network address translation, since those machines do not appear as distinct addresses.
That dark matter of the Internet made up the vast majority of computers compromised by the MSBlast worm. While Symantec and other organizations that rely on network telescope-type analysis found as many as 500,000 computers infected in the first few weeks of the MSBlast attack, Microsoft identified almost 10 million infected computers through its Windows Update technology.
If the same ratio holds, with 20 times more infected computers hidden away behind corporate firewalls than are directly visible, then the 10,000 compromised systems that the company can see might correspond to another 200,000 infected computers that are not visible.
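The arithmetic behind the two estimation methods above, the probe-rate reasoning from ISS's class B telescope and the visible-to-hidden scaling from the MSBlast comparison, is worked through in the following script. This is an added example, not code from the article or from any of the companies it quotes. The figures (400,000 probes per hour, a 65,536-address telescope, 10,000 visible hosts, a 500,000-to-10-million MSBlast ratio) are the ones the article reports; the per-host scan rate of 10 probes per second and the 100,000 unique source addresses used in the last function are assumed parameters chosen to illustrate why telescope extrapolations come out as a range rather than a single number.

```python
"""Network-telescope arithmetic for worm population estimates.

Added example built on the figures reported in the article; the scan rate and
unique-source count used at the bottom are assumptions, not reported data.
"""
import math

IPV4_SPACE = 2 ** 32          # total IPv4 addresses
CLASS_B = 2 ** 16             # addresses in one /16 (class B) block


def probes_per_address_per_hour(probes_per_hour: float, telescope_size: int) -> float:
    """Average probe rate seen by a single monitored address."""
    return probes_per_hour / telescope_size


def expected_minutes_to_first_probe(probes_per_hour: float, telescope_size: int) -> float:
    """Mean wait before a newly connected host receives its first probe.

    Worm scanning is modelled as a Poisson process, so the mean wait is the
    reciprocal of the per-address rate.
    """
    rate_per_minute = probes_per_address_per_hour(probes_per_hour, telescope_size) / 60.0
    return 1.0 / rate_per_minute


def probability_probed_within(minutes: float, probes_per_hour: float, telescope_size: int) -> float:
    """Probability that a fresh host is probed at least once within `minutes`."""
    rate_per_minute = probes_per_address_per_hour(probes_per_hour, telescope_size) / 60.0
    return 1.0 - math.exp(-rate_per_minute * minutes)


def hidden_host_estimate(visible_hosts: int, telescope_count: int, authoritative_count: int) -> float:
    """Scale directly observed hosts by a ratio learned from a previous outbreak.

    For MSBlast the article gives ~500,000 telescope-visible hosts against
    ~10 million counted by Microsoft, a factor of 20.
    """
    return visible_hosts * (authoritative_count / telescope_count)


def fraction_of_infected_seen(scan_rate_per_sec: float, window_seconds: float, telescope_size: int) -> float:
    """Fraction of randomly scanning infected hosts expected to hit the telescope.

    A host scanning uniformly at random sends, on average,
    scan_rate * window * (telescope_size / IPV4_SPACE) probes into the
    telescope; the chance it sends at least one is 1 - exp(-that).
    """
    expected_hits = scan_rate_per_sec * window_seconds * (telescope_size / IPV4_SPACE)
    return 1.0 - math.exp(-expected_hits)


def infected_population_estimate(unique_sources: int, scan_rate_per_sec: float,
                                 window_seconds: float, telescope_size: int) -> float:
    """Unique sources seen, divided by the fraction of infected hosts that
    would have been seen at all under the assumed scan rate."""
    return unique_sources / fraction_of_infected_seen(scan_rate_per_sec, window_seconds, telescope_size)


if __name__ == "__main__":
    # Figures reported in the article.
    peak_probes = 400_000
    print(f"per-address rate: {probes_per_address_per_hour(peak_probes, CLASS_B):.2f} probes/hour")
    print(f"mean wait for first probe: {expected_minutes_to_first_probe(peak_probes, CLASS_B):.1f} min")
    print(f"P(probed within 10 min): {probability_probed_within(10, peak_probes, CLASS_B):.2f}")
    print(f"hidden-host estimate: {hidden_host_estimate(10_000, 500_000, 10_000_000):,.0f}")

    # Assumed parameters: 10 probes/s per infected host, one-hour window,
    # 100,000 unique source addresses observed.
    for rate in (1.0, 10.0, 100.0):
        est = infected_population_estimate(100_000, rate, 3600, CLASS_B)
        print(f"scan rate {rate:>5.0f}/s -> estimated infected hosts: {est:,.0f}")
```

The last loop is the point of the exercise: the same 100,000 observed sources imply a very different global population depending on the scan rate assumed for each infected host, which is why the article's sources quote ranges from 200,000 to 1 million rather than one figure.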
The growing spread of the worm may mean that Microsoft will dip into its $5 million fund for rewarding Internet bounty hunters and place a price on the heads of those who released the worm.
Security researchers believe it likely that the Sasser worm was released by the same unknown team of programmers, calling themselves the Skynet Antivirus Team, that has been responsible for almost 30 variants of the mass-mailing Netsky virus.
Similarities between the two programs support the group's claim.