Based on its internal virus monitoring, Trend Micro recorded a 43 percent increase in Sasser worm infections between May 3 and May 4 (including instances of variants a, b, c, and d). The biggest increases were seen in the c and d variants.
Early reporting of Sasser's arrival and the availability of a patch for the vulnerability it exploits seem to have done little to prevent its rapid spread. Security analysts have supposed that the reason for this is the shortened time period between the publicising of a vulnerability and its patch, and its exploitation by virus and worm writers. ZDNet journalist Robert Vamosi speaks about this in his commentary on what he calls the Eschelbeck Theory.
Another explanation behind the increase in the infection rate is the method by which Sasser spreads. Sasser does not require human intervention to propagate. Exploiting a flaw in the Microsoft Windows Local Security Authority Subsystem Service (LSASS), Sasser scans random IP addresses, searching for other vulnerable computers it can infect.
If it finds one, it causes a buffer overrun in the vulnerable system to allow remote code execution, enabling attackers to gain full control of the affected system.
Other industry experts have observed a possible reason for the worm's slow start but recent rapid spread. Sasser first appeared on a weekend when fewer corporate computer systems were available to target, compounded by the fact that it was a week in which several large commercial centres in Europe and Japan observed public holidays.