One researcher warned on Thursday that the group of online vandals suspected of creating both the Sasser worm and several variations of the Netsky virus could combine the two threats.
The resulting blended threat could dodge security inside corporate systems via email messages and then spread quickly, once inside those networks.
"Sasser is inhibited by gateways, and adding the email aspect would bypass the gateways," said Jimmy Kuo, a researcher and a McAfee fellow at security company Network Associates. The technique is "rather obvious," he said, defending the decision to publicise the strategy in an alert. "I don't think I am giving a clue to the virus authors," he said.
The six-day-old Sasser worm has begun to spread more slowly, as companies clean up existing infections, according to security researchers. However, as with previous worm programs, it's unlikely that Sasser and its offshoots will ever truly disappear from the Internet. While new versions of a particular worm tend to have a smaller effect than the original, variants that add different ways to disseminate themselves -- whether by exploiting other flaws or by fooling users -- could have more impact.
After Code Red struck Web servers almost three years ago, an unknown programmer modified the code to allow the worm to spread via network shares and email attachments. The resulting program, called Nimda, caused so much damage that Microsoft had to assuage its customers' concerns by embarking on a security initiative, known as Trustworthy Computing.
Security problems are once again becoming an issue for the software giant's customers. This week, business intelligence firm Gartner warned companies that use Microsoft products to consider the money they spend in responding to worms and other threats as part of a product's total cost of ownership. In an online research advisory, Gartner warned that corporate information technology teams will have to apply patches more quickly and buy additional tools to make sure that Windows-based computers are secure.
"Two working weeks is a really short time for an enterprise to get the patch, test the patch and get the patch on its systems," said John Pescatore, vice president of Internet security at Gartner.
It seems, however, that Microsoft has learned from past incidents: it has put its weight into providing an easier way for customers to clean their systems of Sasser.
Within 24 hours of the worm's appearance on the Internet, the company had released instructions on getting rid of the program. On Saturday, it released an ActiveX program that would could remove the worm automatically from a system. By Sunday night, 1.5 million people had downloaded the cleaning tool, according to Debby Fry Wilson, the director of marketing communications at Microsoft's security response unit.
In addition, a significant number of visitors to Microsoft's Sasser information page downloaded the tool, according to Wilson, who declined to be more specific about the amount.
On Wednesday, Microsoft added the Sasser clean-up program to its Windows Update service so that PC users could easily patch and clean their systems automatically. A similar move in January meant that Microsoft was able to give out the best estimate to date -- about 10 million -- of the number of systems infected by MSBlast, an earlier major worm.
With Sasser, however, the software giant is hesitant to release its numbers. "We want to be careful that we don't give too much visibility to the people that have caused this havoc," Wilson said. "From a policy perspective, it is something we need to be careful about."
Sasser, like previous worms, will probably die off only slowly. Both Code Red and Nimda continue to spread on the Internet.
"People never clean them off fast enough," said Alfred Huger, the senior director of the incident response team at Symantec. "Our worry is: what kind of damage is going to be done, post-worm? The problem for us is that these machines being compromised pose a threat."
To date, Symantec has verified that 190,000 computers have been infected by the Sasser worm and its variants. However, for the MSBlast worm, similar methods led the security firm to estimate that 500,000 computers had been infected -- an amount 20 times smaller than Microsoft's likely more accurate tally.
That difference could be due to the inability of such network analysis to see past corporate firewalls. Fully accounting for that "dark matter" of the Internet could significantly boost the Sasser infections represented by Symantec's reported numbers, putting the estimate near 4 million.
Other researchers doubt that the number could be so high. "We don't see anything that supports millions," said Jose Nazario, a researcher into Internet attacks at network protection firm Arbor Networks. "The service-level disruptions that we saw with MSBlast -- we aren't seeing (them) with Sasser."
Arbor said he believed that tens of thousands of systems are infected.
