Full Disclosure mailing list archives
Re: Re: New LSASS-based worm finally here (Sasser)
From: insecure <insecure () ameritech net>
Date: Tue, 04 May 2004 07:27:04 -0500
Microsoft added detection for Blaster and variants to Windows Update, I believe in November. About a month ago, they said that 16 million computers had been detected as infected. Single computers may be counted multiple times, but their cleaning tool was downloaded and run 8 million times on unique computers.
I know of a couple hundred computers that were infected with Blaster or some variant, that were not cleaned through Windows update, but I'm not aware of a single infected computer that used Windows update for cleaning. This would indicate that the number of Blaster-infected computers was likely to be significantly higher than 8 million. Maybe ten times as much (just guessing here).
Over the past month, Windows update detected another 1.5 million infected computers. How many were new infections? How many were the first time the user went to Windows update? How many other new infections were there that didn't visit Windows update? Don't know, but it is possible that Blaster is still infecting 100,000 or more new victims every day. Close to half a million new computers are put into service every day, so there's an ample supply of new victims.
The total number of Blaster victims to date is probably more like 50-100 million than one million.
One AV company said that by Sunday night Sasser had infected 3 million computers. I don't know how they came up with that number, but it seems reasonable, if not low. With the start of business Monday (and today, as Monday was a holiday in much of the world), the number of systems that have been infected with Sasser so far might easily exceed 10 million.
--------- Javier Fernandez-Sanguino wrote:
You're right. I forgot about witty, I read CAIDA's analysis of the worm just yesterday. Still, the infected population of witty was pretty small (I believe ~12,000 machines in a day?) compared to SQLexp (~200,000 [1]), Slammer (~75,000-100,000 [2]), CodeRed (~360,000 in 12 hours [3]), Nimda (around 1.6 times CodeRed, maybe over 500,000 systems? [4]). I don't find data for Blaster, but I presume it infected many more systems than Nimda. So I believe we might be facing a worm that will infect over 1,000,000 systems. Probably anti-virus vendors will have more accurate data. But I haven't seen it, not even in Symantec's (excellent) Threat Report V (December 2003) [5]. In any case, this worm was "predicted" by that same report. I would like to suggest everyone to read it thouroughly (Disclaimer: I don't work at Symantec). Regards Javier [1] http://securityresponse.symantec.com/avcenter/Analysis-SQLExp.pdf [2] http://www.caida.org/analysis/security/sapphire/ [3] http://www.caida.org/analysis/security/code-red/ [4] http://www.first.org/events/progconf/2002/d5-02-song-slides.pdf [5] http://enterprisesecurity.symantec.com/content.cfm?articleid=1539&EID= 0 -----BEGIN PGP SIGNATURE----- Version: PGP 8.0.3 iQA/AwUBQJdUO6O1I0N5hzVfEQI+agCg3bZ9mm3JdKZpb2EL/z7rqRtlYs8AoKT3 10ew7+BsihlP//bdpD06yTzJ =FCNK -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: Sasser skips 10.x.x.x Why?, (continued)
- RE: Sasser skips 10.x.x.x Why? Warnich Rust (May 03)
- Re: Sasser skips 10.x.x.x Why? Matt Wagenknecht (May 03)
- Re: Sasser skips 10.x.x.x Why? Shawn Cox (May 03)
- Re: Sasser skips 10.x.x.x Why? Eric Chien (May 03)
- Re: Sasser skips 10.x.x.x Why? Frank Knobbe (May 03)
- Re: Sasser skips 10.x.x.x Why? Eric Chien (May 03)
- Re: Sasser skips 10.x.x.x Why? Rodrigo Barbosa (May 03)
- Re: Sasser skips 10.x.x.x Why? Joe Stewart (May 03)
- Re: Re: New LSASS-based worm finally here (Sasser) Javier Fernandez-Sanguino (May 04)
- Re: Re: New LSASS-based worm finally here (Sasser) insecure (May 04)
- Re: New LSASS-based worm finally here (Sasser) Gadi Evron (May 04)
- Re: New LSASS-based worm finally here (Sasser) Javier Fernandez-Sanguino (May 05)