Internet-wide, the cleanup operation was slowed by several factors, including the prevalence of affected systems, the efficiency of the algorithms used to infect new PCs, and the length of time it takes to protect machines against further infection.

The worm had a measurable, but not disastrous, effect on the internet’s performance, in terms of the performance of certain routers, DNS servers, news servers and search engines, according to Keynote Systems Inc, which tracks such things.

The Keynote Internet Performance Average was showing performance degradation – most notably packet loss increases and a decrease in the number of normally reachable internet targets, Keynote said in a statement. Packet loss reached as high as 1%.

Keynote said there were no measurable effects on web traffic, but added: "More performance sensitive services that rely on IP traffic such as voice over IP and streaming content may be affected by the degradation of internet performance."

Akamai Technologies Inc estimated that 800,000 hosts were infected globally, based on the number of scans received by its 14,000-server content delivery network. The US, Germany and Ireland were hardest hit, the firm said.

However, a virus expert at Network Associates Inc said the number of infections was likely much smaller. Many individual PCs were likely counted more than once due to the problems of cleaning up, said McAfee fellow Jimmy Kuo.

"Of the clients of McAfee.com, it appears 3,000 were diagnosed with the virus in the last day," Kuo said. "But we had to repair these infections over 48,000 times… because the virus brings the machine up and down, and the user is unable to go to the Microsoft web site to download the patch."

Sasser has a habit of making Windows machines it infects reset themselves, meaning they cannot maintain a network connection long enough to download the 3.1MB patch from Microsoft that will prevent further infection.

Sasser exploits a vulnerability outlined in Microsoft security bulletin MS04-011. The hole is in the Local Security Authority Subsystem Service (LSASS) found in Windows XP, 2000, NT 4.0, Server 2003 and NetMeeting.

Microsoft said that 1.5 million people used its scanning and cleaning tool in the first day it was made available, but it does not necessarily follow that all of them were infected.

Because most residential PCs will acquire a new IP address when they reconnect, Kuo said that if you apply that 16-to-1 ratio to the Akamai numbers, it shows that there were probably more like 40,000 to 50,000 infected hosts.

Kuo said yesterday, and Trend Micro told us Monday, that only a handful of companies have reported infections. Anecdotally, most of the infections were of residential PCs. Akamai's data shows that 69% of scans were coming from very high speed links.

The current thinking in the security community is that one or more Eastern European virus-writing gangs are behind not only Sasser but also other recent pieces of malware, including the prolific NetSky series of email worms.

There are similarities in the code between Sasser and one of the recent variants of the NetSky virus, which were highlighted by the authors in plaintext comments included amid the code of NetSky.AC, Kuo said.

The original NetSky writer said in comments in mid-March that he would no longer release variants, but that he would release his source code. Kuo said that this code has not been located by the white hats but may be available via underground channels.

All subsequent releases of NetSky have been signed by a group calling itself SkyNet Antivirus, a reference to the malevolent computer in the Terminator movies. The original NetSky author or authors also used this handle.

SkyNet claims to be anti-virus because early NetSky variants removed other infections and had no other damaging payload. The Sasser worm, while it has no directly damaging payload, does not remove other infections.

There are also similarities between Sasser and a recent version of the Trojan series of programs known as Gaobot or Phatbot, according to Kuo. The same exploit code for the LSASS vulnerability is present in both, he said.

Microsoft created a web page at Microsoft.com/sasser to give protection advice. If you’re not already patched, the firm recommends running a firewall and blocking port 445, downloading the patch, and then scanning using antivirus software, in that order.
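Blocking port 445 is the first step above; the complementary check on a network that is not yet patched is to spot hosts that are already sweeping neighbours on TCP/445 the way an infected machine does. The following Python is an added example, not code from the article, Microsoft or McAfee, and the log format, addresses and threshold are assumptions: it parses constructed firewall log lines and flags sources contacting many distinct hosts on port 445.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the article): one host
# sweeping many addresses on TCP/445 (worm-like), one host talking to a
# single file server on 445 (normal SMB use), and one host browsing the web.
SAMPLE_LOG = """\
2004-05-04T10:00:01 10.0.0.5 -> 10.0.1.1:445 TCP DROP
2004-05-04T10:00:01 10.0.0.5 -> 10.0.1.2:445 TCP DROP
2004-05-04T10:00:02 10.0.0.5 -> 10.0.1.3:445 TCP DROP
2004-05-04T10:00:02 10.0.0.5 -> 10.0.1.4:445 TCP DROP
2004-05-04T10:00:03 10.0.0.5 -> 10.0.1.5:445 TCP DROP
2004-05-04T10:00:03 10.0.0.5 -> 10.0.1.6:445 TCP DROP
2004-05-04T10:00:04 10.0.0.7 -> 10.0.2.10:445 TCP ALLOW
2004-05-04T10:00:05 10.0.0.7 -> 10.0.2.10:445 TCP ALLOW
2004-05-04T10:00:06 10.0.0.9 -> 198.51.100.20:80 TCP ALLOW
"""

# Assumed log layout: "<timestamp> <src> -> <dst>:<port> <proto> <action>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) "
    r"(?P<proto>TCP|UDP) (?P<action>ALLOW|DROP)$"
)

def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["port"] = int(ev["port"])
            events.append(ev)
    return events

def find_scanners(events, port=445, min_targets=5):
    """Return {src: distinct_targets} for sources that contacted at least
    min_targets distinct hosts on the given TCP port (sweep behaviour).
    A client using one file server repeatedly is not flagged."""
    targets = defaultdict(set)
    for ev in events:
        if ev["proto"] == "TCP" and ev["port"] == port:
            targets[ev["src"]].add(ev["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for src, n in find_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {n} distinct hosts on TCP/445 (possible worm scanning)")
```

The threshold of five distinct targets is a starting point; on a real network it should be tuned against the observed fan-out of legitimate SMB clients and backup or management hosts.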

MS04-011 has been downloaded 150 million times, about half the estimated number of vulnerable PCs. While there are some known compatibility issues (such as with Nortel VPN clients) the vast majority have patched with no problems, according to Microsoft.

This article is based on material originally published by ComputerWire