As the Sasser worm outbreak began to subside on Wednesday, federal authorities stepped up their hunt for the malicious program's author.
"We are working with law enforcement to identify and prosecute whoever's responsible," said Stephen Toulouse, a spokesman for Microsoft Corp. The company's Windows XP and Windows 2000 operating systems were targeted by the worm, which infected hundreds of thousands of computers worldwide earlier this week. (MSNBC is a Microsoft - NBC joint venture.)
"We are pursuing a number of good leads," said Greg Fowler, a spokesman for the Northwest Cyber Crime Task Force, made up of agents from the FBI, U.S. Secret Service, and Seattle are enforcement. "It is a high priority for us."
Neither Toulouse nor Fowler would speculate on suspects, or when any arrests might be made. They also declined to discuss the possibility that the worm was written by the same programmer or group that authored the various Netsky viruses which have been infecting computers for months. Computer code within the newest Netsky variant suggests the authors also claim responsibility for Sasser, according to published reports.
Meanwhile, infections from Sasser are rapidly declining, according to antivirus firm Network Associates Inc. The worm seems to have reached its peak Tuesday, and by Wednesday, infections were down 50 percent, the company said. It now estimates a total of 250,000 computers were infected worldwide -- about 80 percent of them home users.
The software patch needed to protect Windows-based computers from the worm is being downloaded at a furious pace -- 200 million times since its release last month, Toulouse said. Still, millions of consumers have yet to download the patch, antivirus firms said -- and without it, their computers likely aren't protected from the worm, and will almost certainly become infected.
"If you haven't patched, it's going to find you. It's just a matter of of time," said Sharon Ruckman, Senior Director of Security Response at Symantec Corp.
Some indicators show the virus actually impacting the overall performance of the Internet as well. Keynote Systems Inc., which monitors Internet performance, said there was a noticeable downgrade in performance of Internet routers on Tuesday. It wasn't enough to slow down Web page browsers, said Kirsten Husak, consulting manager with Keynote, but it might interfere with streaming video or voice over IP traffic.
The worm's impact early this week was global. In Australia, Westpac Bank said it was hit by the worm, and branches had to use pen and paper to allow them to keep trading, according to Australian newspaper reports. Australia's Daily Telegraph reported that 300,000 train passengers were stranded for a while on Monday, while technicians dealt with a worm infestation that shut down the railway's radio network. Only about 20 percent of trains were running, and many stations were closed temporarily, the newspaper said.
Investment firm Goldman Sachs said some of its systems in Hong Kong were disrupted by the worm. Finnish bank Sampo temporarily closed all of its branch offices, some 130 in all, on Monday as a precaution against Sasser. Some post offices in Taiwan and Germany were shut down by Sasser. And the BBC reported that the European Commission and the UK Coast Guard had been hit.
Unlike other wormsSasser is unlike most worms consumers are familiar with -- it's easy to become infected, simply by connecting the Internet. No e-mail attachment must be opened; in fact, no user interaction is required at all. And making matters worse, traditional consumer desktop antivirus software won't prevent infection, even if it's updated.
There are actually four versions of the worm making their way around the Internet now, most released over the weekend. Only installation of the software patch, or a well-designed firewall, can prevent infection. That's why more home users than corporate users were infected by this worm, said Vincent Gullotto, antivirus expert at Network Associates Inc. -- they are less likely to keep up with software patches or firewalls.
Only computers running Microsoft's Windows XP and Windows 2000 can be infected; the worm exploits a vulnerability in those systems that was revealed last month.
As part of a new class of computer viruses called "network worms," the malicious program is similar to last year's Slammer and Blaster worms. Microsoft said Blaster cost it “millions of dollars of damages,” and has issued a $250,000 bounty for information on the whereabouts of its author.
Blaster and Slammer also hung around the Internet for months, infecting and reinfecting unpatched machines for months, even after the initial outbreak died down. Sasser may continue to cause such "background noise" for a while, experts said.
Worm doesn't delete files
The safest way for home users to protect themselves is to enable their firewalls before they connect to the Internet -- or if they are already connected, to disconnect immediately, and enable the firewall. Both vulnerable Microsoft operating systems, Windows XP and Windows 2000, come with software that can block the worm's traffic, but they are not turned on by default. WindowsXP ships with a firewall, while Windows 2000 includes similar tools. Once traffic to port 445 is blocked -- that's the worm's route into the computer -- users can reconnect to the Net and . As there are variations in the way the firewalls work, Huger recommended users consult their manuals to enable the firewall.
Users who are infected may not won't realize it, Gullotto said. Their machines might slow down some, or they might notice extra traffic on their modems, but generally the virus doesn't announce itself -- except on those occasions when it forces a machine to shut down. If that happens, users will see a dialog box indicating the program LSASS.EXE has been terminated.
The worm gets its name from the vulnerable LSASS program which it's designed to attack.
Since the virus doesn't do anything else malicious to infected machines -- it doesn't delete files, for example -- users can take the risk of heading straight for the Microsoft patch when they log on, Gullotto said. They may become infected while downloading the patch, and during that time, they will become a "host" and spread the virus. But installation of the patch, followed by a scan with an updated antivirus product, will serve to clean an infected system. Still, enabling the firewall before attempting to get the patch is a much better plan, he said.
Reuters contributed to this story.