[ISN] [Vmyths.com ALERT] Hysteria over ''Sasser'' worm

InfoSec News isn at c4i.org
Thu May 6 06:07:55 EDT 2004

Forwarded from: Vmyths.com Virus Hysteria Alert <vmyths_news at vmyths.com>

Vmyths.com Virus Hysteria Alert
{5 May 2004, 00:20 CT}

Headlines around the world warn of the spread of multiple variants of
the "Sasser" worm.  "Sasser's toll likely stands at 500,000
infections," a typical headline reads.  Vmyths notes security experts
have tended to make guesses in the same ballpark -- ranging from
200,000 to one million infected computers.

News stories at first identified those who made guesstimates, but the
current batch of stories no longer directly cites sources for these
figures.  "500,000 to one million infected PCs" is now widely accepted
by the media as if it were a fact rather than a conjecture.

A News.com story penned by Rob Lemos pointed out that "while [these]
numbers sound overwhelming, the compromised PCs make up a fraction of
a percent of the computers connected to the Internet."  Vmyths agrees
with Lemos' assessment.

Security experts FAILED to predict the Sasser worm would focus more on
home computers than business PCs.  The reasons for it are obvious in
hindsight to these experts, so Vmyths must ask a rhetorical question
-- "why didn't security experts predict the obvious?"  And speaking of

Security experts didn't agree on what day they thought the Sasser worm
would achieve "peak activity."  American experts predicted it would
peak on Monday "as millions of workers bring their laptops back to
their offices, after using them over the weekend to access the
Internet from relatively unsecured home locations."  On the other
hand, experts who live outside the U.S. predicted Sasser would peak on
Tuesday due to long holiday weekends in some parts of the world.

(Conflicting accounts of the worm's spread make it difficult to gauge
the accuracy of these predictions.)

Panicky firms have damaged themselves over the years in a trend known
as "precautionary disconnects."  (See
http://Vmyths.com/rant.cfm?id=241&page=4 for details.)  In the latest
example, an AFP newswire revealed "Sampo, Finland's third largest
bank, closed its 130 branch offices across the country to prevent the
Sasser Internet worm from infecting its systems...  'We decided to
close our offices as a precaution, since we knew that our virus
protection hadn't been updated,' Sampo spokesman Hannu Vuola [said]."  
In other words, Finland's third-largest bank voluntarily made itself
Finland's SMALLEST bank -- because they didn't trust their "antivirus
solution" to protect them in a time of crisis.

Contrary to widespread reports, Australia's "RailCorp" railway system
may NOT have been hampered by the Sasser worm.  CEO Vince Graham was
quoted as saying their most recent woes "could very well be a matter
related to a virus getting into [RailCorp's] system."  Graham did NOT
confirm anything, and this is an important distinction.  Vmyths
readers may recall security experts incorrectly blamed a computer worm
for the U.S. electrical blackout of 2003.

Vmyths has observed new buzz phrases in the media's coverage of the
Sasser worm.  For example, did you know there is now a "network
telescope" which can peer into "the dark matter of the Internet"?  
See http://news.com.com/2100-7349_3-5205107.html for details.

Normally, Vmyths would expect to see "global damage estimates" for the
Sasser worm, courtesy of a company known as mi2g.  (See
http://Vmyths.com/resource.cfm?id=64&page=1 for details on this firm's
antics.)  However, mi2g has remained oddly silent since mid-April.  
Still, Vmyths will watch for mi2g to add Sasser's costs to their
astronomical tally for virus damages.

Stay calm.  Stay reasoned.  And stay tuned to Vmyths.

Rob Rosenberger, editor
(319) 646-2800
