Debby Fry Wilson has more than a few reasons—and sleepless nights—to remember Sasser, the last major network worm to clog Windows systems around the world.
It was on her birthday, a year ago this month, when the first Sasser reports started filtering in and, for Wilson and her colleagues at the MSRC (Microsoft Security Response Center), the outbreak presented an opportunity to test a new emergency-response system that had just been implemented by Microsoft.
Coming off a string of intense worm activity in 2003, when the SQL Slammer and Blaster worms hogged the headlines and caused damage worldwide, Microsoft was better prepared for Sasser, which was squirming through a Windows hole that had already been patched.
“We did know that this particular vulnerability had the potential to be exploited into a worm,” said Wilson. “We had already done a few things to draw attention to the bulletin and get customers to prioritize and apply the patches.”
“We were aware that proof-of-concept exploits were circulating, and we were working behind the scenes with anti-virus and other partners to keep a close eye on unusual activity,” said Wilson, who is the director at the MSRC responsible for mobilizing Microsoft’s security response communication.
Between the time Microsoft issued its Sasser patch and the day the worm was first detected, at least three proof-of-concept exploits were being widely distributed on security mailing lists.
By April 27, 2004, the proof-of-concepts were compiled into an actual exploit that erupted into Sasser, Wilson recalled.
Within the first three hours, Wilson said the MSRC published a Sasser landing page with detailed protection–and disinfection–instructions.
“After Blaster in 2003, we had revamped our communications to act immediately to mobilize our people around the world.
Within minutes, we knew what needed to be done to protect customers,” Wilson said, recalling that the initial guidance was for customers to enable a firewall and download/deploy the MS04-011 patch.
“Then, we worked on the first version of a click-and-clean worm removal tool for customers who had been infected.”
“We had implemented a pre-defined process for identifying and evaluating a security incident, and it worked very well. We were able to determine the appropriate response and minimize the damages.”
“With Blaster, recovery took 38 days. With Sasser, we brought that down to five days,” Wilson said.
Now, after a yearlong lull in network worm activity, Wilson said she believes Microsoft’s evangelism around software security is beginning to bear fruit.
She points to three significant post-Blaster events: the Windows Firewall turned on by default in XP SP2 (Service Pack 2), the adoption of automatic updates as a major component of PC maintenance, and the industry’s increased awareness around the need for updated anti-virus software.
“On the consumer side, 200 million customers are applying patches automatically. When a security update goes out, the period of time a customer is at risk has gotten much smaller. We’ve seen a 400 percent increase in the use of Windows Update and a 320 [percent] increase in the use of Automatic Updates since SP2 launched.”
On the Enterprise Side
On the enterprise side, Wilson argued that Microsoft’s patch management advances were making a “big difference” in the patch deployment cycle.
“We’ve done a lot of work to make sure security updates are pre-tested and customers have more confidence to test and deploy patches quickly.”
But even as the MSRC is taking partial credit for the lull in network worm activity, experts warn against claiming victory.
“I think we’ve seen plenty of disruption over the past year. The fact that we haven’t seen a worm is coincidental,” said Jon Olstik, senior research analyst for the Enterprise Strategy Group.
“Yes, we’ve seen a lapse [in worm activity] since Sasser, but that doesn’t mean there is a decrease in malicious attacks. Spyware is still painful. The mail-borne attacks are still painful. We’re still dealing with a bunch of identity theft issues,” Olstik said in an interview with Ziff Davis Internet News.
Olstik said Microsoft deserved a pat on the back for recognizing the scope of the security problem and making the necessary investments. However, his applause comes with a caution.
“Security problem in general is bigger than Microsoft. There are lots of non-Microsoft vulnerabilities that could lead to worm attacks.”
Microsoft analyst Mike Cherry had very much the same message.
“I don’t mind crediting Microsoft for improving their response and communication to security issues. My one nervousness is that while we know how long it’s been since the last worm, we have no idea when the next one will hit.”
Cherry pointed out that Microsoft continues to issue patches for “wormable” vulnerabilities at a fast clip.
Since Sasser hit in May 2004, the company has released 32 “critical” bulletins to fix flaws that could be exploited without any user interaction.
“Microsoft should avoid gloating about a worm-free year. You just never know when the next one’s coming or how bad it’s going to be. To imply that we’ve turned some kind of corner is premature. It’s been a long time since 9/11; does that mean we should stop inspecting people getting into planes?”
Marc Maiffret, co-founder and chief hacking officer at eEye Digital Security, doesn’t think a one-year break from a major worm points to any type of Microsoft victory.
“It hasn’t been that long, really. The only reason we haven’t seen a big attack is because no one has decided to sit and write one.”
“The lack of worms has nothing to do with Microsoft doing a better job. If you think about it, worms are a bad thing for the bad guys capable of writing a big worm,” Maiffret said in an interview.
He pointed out that worms generally only cause disruption and raise the alarm over the need to patch vulnerable systems.
“My prediction is that we’ll see a lot less worms. The critical, wormable vulnerabilities are still going to be there. But the awareness around patching that goes along with worm outbreaks is a bad thing for the bad guys. They don’t want you patching.”
“I don’t want to downplay Microsoft’s efforts around security response, because they’re improved a great deal. But I don’t think one year is really a long time in between worms. Over the last five years, we’ve only seen about five major worms, so that’s just about the average,” Maiffret added.
The question was put to Microsoft’s Wilson: Have we seen the last of the big network worm?
“I’d hesitate to speculate on that,” she said after a long pause. “The exploits are becoming more sophisticated every day. The types of exploits are constantly evolving, so it’s hard to predict.”
“What I can tell you is that Microsoft would be more responsive and more prepared in the event of any type of attack. We’re more prepared today than we were a year ago when Sasser hit, and we’re constantly evolving our process to keep getting better.”