Sasser's toll likely stands at 500,000 infections
Estimates based on Internet traffic analysis indicate that the worm and its variations have likely spread to 500,000 computers.
Called a network telescope, the method of analyzing Internet traffic suggests that the worm and its variants have compromised about 500,000 computers in three days, but estimates range from 200,000 to 1 million systems.
While the numbers sound overwhelming, the compromised PCs make up a fraction of a percent of the computers connected to the Internet and fall short of the 10 million computers infected by MSBlast, also called Blaster.
"Overall this is not that big yet," said Andy Champagne, director of network analytics for network service provider Akamai. "It is not trivial, but it is not Blaster scale, either."
CNET Reviews Prevention and cure How the Sasser worms work, and how to avoid and remove them. | ||||
By late Monday, three new versions of the Sasser worm--labeled B, C and D--had begun to spread. The Sasser programs take advantage of a vulnerability in unpatched versions of Windows XP and Windows 2000 systems. The worms infect vulnerable systems by establishing a remote connection to the targeted computer, installing a File Transfer Protocol (FTP) server and then downloading themselves to the new host.
The original version of the Sasser worm spread slowly, but the new versions, in particular Sasser.B released Saturday, is infecting computers much faster.
Other security companies estimated that the worms had spread to hundreds of thousands of computers.
Network protection firm Internet Security Systems captured its own data and estimated that between 500,000 and 1 million computers have been compromised. The firm uses sensors on a class B network, representing about 65,000 addresses or two-thousandths of 1 percent of the Internet, to record data.
"We are trying to find the best estimates we can," said Chris Rouland, vice president for ISS's incident assessment team.
On Saturday, the company's network had seen a peak of almost 400,000 probes in an hour from the worm. At that rate, a computer just attached to the Internet would have an average about 10 minutes before a worm attempted to compromise the system.
Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section. | ||||
That dark matter of the Internet made up the vast majority of computers compromised by the MSBlast worm. While Symantec and other organizations that rely on network telescope-type analysis found as many as 500,000 computers infected in the first few weeks of the MSBlast attack, Microsoft identified almost 10 million infected computers through its Windows Update technology.
If 20 times more infected computers are hidden away behind corporate firewalls, then the 10,000 compromised systems that the company can see, might mean that 200,000 infected computers are not visible.
The growing spread of the worm may mean that Microsoft will dip into its $5 million fund for rewarding Internet bounty hunters and place a price on the heads of those that released the virus.
Security researchers believe it likely that the unknown team of programmers, who have referred to themselves as the Skynet Antivirus Team, and have been responsible for almost 30 variations of mass-mailing computer virus Netsky, may also have released the Sasser worm.
Similarities in the two programs support the claims of the unknown hackers.