lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 04 May 2004 07:27:04 -0500
From: insecure <insecure@...ritech.net>
To: Javier Fernandez-Sanguino <jfernandez@...minus.com>
Cc: NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM, bugtraq@...urityfocus.com,
   full-disclosure@...ts.netsys.com
Subject: Re: Re: New LSASS-based worm finally here (Sasser)


Microsoft added detection for Blaster and variants to Windows Update, I 
believe in November. About a month ago, they said that 16 million 
computers had been detected as infected. Single computers may be counted 
multiple times, but their cleaning tool was downloaded and run 8 million 
times on unique computers.

I know of a couple hundred computers that were infected with Blaster or 
some variant, that were not cleaned through Windows update, but I'm not 
aware of a single infected computer that used Windows update for 
cleaning. This would indicate that the number of Blaster-infected 
computers was likely to be significantly higher than 8 million. Maybe 
ten times as much (just guessing here).

Over the past month, Windows update detected another 1.5 million 
infected computers. How many were new infections? How many were the 
first time the user went to Windows update? How many other new 
infections were there that didn't visit Windows update? Don't know, but 
it is possible that Blaster is still infecting 100,000 or more new 
victims every day. Close to half a million new computers are put into 
service every day, so there's an ample supply of new victims.

The total number of Blaster victims to date is probably more like 50-100 
million than one million.

One AV company said that by Sunday night Sasser had infected 3 million 
computers. I don't know how they came up with that number, but it seems 
reasonable, if not low. With the start of business Monday (and today, as 
Monday was a holiday in much of the world), the number of systems that 
have been infected with Sasser so far might easily exceed 10 million.

---------

Javier Fernandez-Sanguino wrote:

> 
> You're right. I forgot about witty, I read CAIDA's analysis of the
> worm just yesterday.
> 
> Still, the infected population of witty was pretty small (I believe
> ~12,000 machines in a day?) compared to SQLexp (~200,000 [1]),
> Slammer
> (~75,000-100,000 [2]), CodeRed (~360,000 in 12 hours [3]), Nimda
> (around 1.6 times CodeRed, maybe over 500,000 systems? [4]). I don't
> find data for Blaster, but I presume it infected  many more systems
> than Nimda.  So I believe we might be facing a worm that will infect
> over 1,000,000 systems.
> 
> Probably anti-virus vendors will have more accurate data. But I
> haven't seen it, not even in Symantec's (excellent) Threat Report V
> (December 2003) [5]. In any case, this worm was "predicted" by that
> same report. I would like to suggest everyone to read it thouroughly
> (Disclaimer: I don't work at Symantec).
> 
> Regards
> 
> Javier
> 
> 
> [1] http://securityresponse.symantec.com/avcenter/Analysis-SQLExp.pdf
> [2] http://www.caida.org/analysis/security/sapphire/
> [3] http://www.caida.org/analysis/security/code-red/
> [4] http://www.first.org/events/progconf/2002/d5-02-song-slides.pdf
> [5]
> http://enterprisesecurity.symantec.com/content.cfm?articleid=1539&EID=
> 0
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0.3
> 
> iQA/AwUBQJdUO6O1I0N5hzVfEQI+agCg3bZ9mm3JdKZpb2EL/z7rqRtlYs8AoKT3
> 10ew7+BsihlP//bdpD06yTzJ
> =FCNK
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists