By Brian Krebs washingtonpost.com Staff Writer
Wednesday, May 12, 2004; 8:55 AM
The Microsoft software tool designed to rid computers of the fast-spreading "Sasser" worm has been downloaded nearly 2 million times since it was made available earlier this month, the company said. But that tool may provide little or no protection against scores of other programs that quietly circulated online for weeks before Sasser garnered widespread attention.
Microsoft first warned users on April 13 about the Windows vulnerability targeted by Sasser -- three weeks before the worm emerged. But during that interim, hackers released an unknown number of sophisticated programs that could enter computers through the same vulnerability and remain undetected until activated later.
Only when the problems caused by the Sasser worm -- slowed computer performance, repeated rebooting of infected PCs and degraded Internet connectivity, as the worm consumes bandwidth while trying to infect other machines -- came to light did millions of users download a Microsoft patch to fix the vulnerability, along with a software tool to remove the worm.
But getting rid of the worm does not mean that other malicious programs that targeted the same Windows flaw were removed as well.
Security experts say many computers infected by the Sasser worm were also hit by a prolific family of programs known variously as "Agobot," "Gaobot" and "Phatbot." They are difficult to detect because some of them shut down or disable antivirus and firewall software running on targeted computers.
"With all the focus on Sasser, many users have this mentality that they're safe if they run the clean-up tools that Microsoft and others have made available for this worm," said Johannes Ullrich, chief technology officer for the SANS Internet Storm Center, which monitors online attack trends. "The problem, of course, is that they're not also scanning for all the other malicious things that are probably on their machine as well."
The various "bot" programs thought to have been released in the days or weeks after the April 13 Microsoft notice are more dangerous than the Sasser worm because hackers can use them to remotely commandeer computers for the purpose of sending spam or stealing sensitive data that people keep on their PCs, such as credit card and Social Security numbers.
The programs can link infected systems into larger networks whose processing power can be used to send large amounts of spam e-mail messages or to attack Web sites with blasts of data in an attempt to throw them offline. The programs also search for stored passwords and other sensitive personal data on infected computers and try to disable antivirus software.
Cybersecurity experts said that it is difficult to track bot infections because most people hit with them do not use firewalls or antivirus software, which can report infection rates to security companies. In addition, new bot variants are released daily, often striking thousands of computers before antivirus companies identify the latest versions.
Alfred Huger, senior director of engineering at Symantec Security Response, said that one bot network included 400,000 PCs. McAfee Security, a unit of Santa Clara, Calif.-based Network Associates, estimated that more than 900 Agobot variants exist, most of them surfacing during the last six months.