The Sasser worm which began in Europe last Friday is now well and truly global, with the current rate of infection being highest in the Asia Pacific, according to local antivirus companies.
Trend Micro has received 39 confirmed reports of infections within Australia, and 5772 infections abroad.
“The numbers of multiple infections have led us to issue a red alert,” said Trend Micro’s product marketing manager Clive Wainstein, “which is not something we do lightly. I have been with Trend Micro for about four years and I’ve seen three red alerts in that time. The last one was issued for Blaster.”
Sasser is technically similar to Blaster in that it exploits an operating system vulnerability. Users do not need to receive an e-mail message or open a file to be infected. Instead, just having a vulnerable Windows machine connected to the Internet with communications port number 445 is enough to get infected.
Sasser exploits a recently disclosed hole in a component of Windows called the Local Security Authority Subsystem Service, or LSASS. Microsoft released a software patch, MS04-011, on 13 April that plugs the LSASS hole. (See: www.microsoft.com./technet/security/bulletin/ms04-011.mspx.)
Daniel Zatz from Computer Associates said the Sasser worm has definitely made its presence known in Australia.
“We have had a huge increase in traffic and we’ve had over twice the amount of support calls to our call centre in the last 24 hours. There is no doubt there have been hundreds of people in Australia infected or affected by the virus, home and business users alike,” said Zatz. “I would rate it up there with Blaster in terms of scale.”
Zatz makes a distinction between those that are infected by Sasser and those that are affected as a result.
“For every 100 machines infected there will be hundreds more affected as a result of increased traffic because of how the worm propagates, scanning random IP addresses for vulnerable systems and causing a general increase in traffic.”
Zatz explains that any reported incidences of Sasser infections will be a proportion of the total number.
“Because Sasser is not an e-mail based worm, it is harder for people to know whether they have been infected.”
Craig Middleton from Telstra said there had been over 71 million attempts by the virus to enter the BigPond network. “However, Telstra had blocked port 445 over the weekend, preventing any infections as far as we know.”
Middleton said there had not been a noticeable increase in network traffic.
“We believe that the experience many people had with the Blaster worm previously has prompted them to be more diligent with Microsoft security patches and this might have reduced the impact this time around.”