NEWS FROM THE LAB - Saturday, May 1, 2004

Sasser is not out of control Posted by Mikko @ 09:39 GMT

You would expect a new automatic network worm like Sasser to hit even harder than it seems to be hitting right now. Of course, it's weekend time, but most infected machines would be home computers, many of which are turned on and online always.

Sasser could be compared to the Blaster/Lovsan outbreak in last August in many ways. Both are automatic network worms affecting Windows 2000 and XP users, scanning random IP addresses and using FTP (or TFTP) to transfer the actual worm file to infected host.

Also, both worms cause unpatched machines to start to reboot. With Sasser, users typically seem something like this:


Blaster was a massive case, partly because the patch was only available for 32 days before the outbreak started - and that was during best holiday season. With Sasser, the time difference between the patch and the worm was just 18 days.

But the bottom line is that although Sasser starts several threads which constantly scan random addresses with minimal time delay, we aren't seeing massive amounts of infections. Not yet anyway.