Sasser: The Last Big Network Worm?

One year after the last major Windows worm, Microsoft talks up its security response improvements, but analysts warn against being lulled into a state of complacency.

Debby Fry Wilson has more than a few reasons—and sleepless nights—to remember Sasser, the last major network worm to clog Windows systems around the world.

It was on her birthday, a year ago this month, when the first Sasser reports started filtering in and, for Wilson and her colleagues at the MSRC (Microsoft Security Response Center), the outbreak presented an opportunity to test a new emergency-response system that had just been implemented by Microsoft.

Coming off a string of intense worm activity in 2003, when the SQL Slammer and Blaster worms hogged the headlines and caused damage worldwide, Microsoft was better prepared for Sasser, which was squirming through a Windows hole that had already been patched.

"We did know that this particular vulnerability had the potential to be exploited into a worm," said Wilson. "We had already done a few things to draw attention to the bulletin and get customers to prioritize and apply the patches."

"We were aware that proof-of-concept exploits were circulating, and we were working behind the scenes with anti-virus and other partners to keep a close eye on unusual activity," said Wilson, who is the director at the MSRC responsible for mobilizing Microsoft's security response communication.

Between the time Microsoft issued its Sasser patch and the day the worm was first detected, at least three proof-of-concept exploits were being widely distributed on security mailing lists.

By April 27, 2004, the proof-of-concepts were compiled into an actual exploit that erupted into Sasser, Wilson recalled.

Within the first three hours, Wilson said, the MSRC published a Sasser landing page with detailed protection and disinfection instructions.

"After Blaster in 2003, we had revamped our communications to act immediately to mobilize our people around the world. Within minutes, we knew what needed to be done to protect customers," Wilson said, recalling that the initial guidance was for customers to enable a firewall and download/deploy the MS04-011 patch.

"Then, we worked on the first version of a click-and-clean worm removal tool for customers who had been infected."

"We had implemented a pre-defined process for identifying and evaluating a security incident, and it worked very well. We were able to determine the appropriate response and minimize the damages."

"With Blaster, recovery took 38 days. With Sasser, we brought that down to five days," Wilson said.


Now, after a yearlong lull in network worm activity, Wilson said she believes Microsoft's evangelism around software security is beginning to bear fruit.

She points to three significant post-Blaster events: the Windows Firewall turned on by default in XP SP2 (Service Pack 2), the adoption of automatic updates as a major component of PC maintenance, and the industry's increased awareness of the need for updated anti-virus software.

"On the consumer side, 200 million customers are applying patches automatically. When a security update goes out, the period of time a customer is at risk has gotten much smaller. We've seen a 400 percent increase in the use of Windows Update and a 320 [percent] increase in the use of Automatic Updates since SP2 launched."
