Network security managers who abandoned the patch-as-you-go approach to confronting past worm attacks seem to be having the most success limiting the impact of the Sasser strains. But however good their methods and tools are, they worry Sasser is just the latest symptom of what they've long feared -- that malicious code writers are finding quicker ways to exploit vulnerabilities and overcome the latest mitigation systems.
Dennis Racca, president of Andover, Mass.-based systems security provider Umbra Networks, said the scope of the Sasser outbreak has been much broader than past attacks. Of his half-dozen clients, Racca said Windsor, Conn.-based Advo Inc. -- a direct mail marketing company hit by earlier worms like Netsky, Bagle and Welchia -- has had the most trouble with Sasser.
He said security platforms like Mazu Networks' Profiler have helped him blunt the impact. But he worries attackers may already be capable of producing something much more destructive.
"These guys only take it to a certain level," Racca said. "They have the means to do full damage, so why haven't they taken that next step?"
Rob Sherman, manager of IT security and network operations for wireless communications provider American Tower Corp. of Boston, shares that concern. Technology like the Profiler -- which he also uses and credits with limiting Sasser's reach to just three laptops in his company -- can only pinpoint suspicious network activity and which computers are infected.
But in the end, he said, "We're still relying on Microsoft to fix it for us, and we can't make them work any faster."
Eric Schultze, chief security architect for Shavlik Technologies of Roseville, Minn., also sees a tough road ahead as information security managers race to stay ahead of malicious code writers.
"The industry line of thought is that the window is closing with each worm on how long it takes for hackers to exploit weaknesses," Schultze said. "There are evil worm kits out there -- Nimda, for example, started with a worm kit that would repeatedly search for ways to break into networks. It's no longer about hackers writing from scratch. Only a small group in the world can write a worm, but there are more out there who can update a worm."
At this point, all agree, the best approach is for companies to stop scrambling to patch systems only after the latest worm has been launched.
Tom Corn, vice president of business development for Mazu Networks of Cambridge, Mass., sees companies slowly coming to that realization. He said 12 to 24 of his clients use the Profiler, and up to three times as many are testing the device. Where Mazu's Enforcer solution keeps track of any suspicious traffic trying to penetrate a network's firewall from the outside, the Profiler keeps watch over activity from within the network. If an employee using a laptop from home unknowingly infects the network, the device immediately pinpoints infected systems that need fixing.
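The inside-the-network monitoring described above, as an added illustration that is not Mazu's code or anything from the article: a fan-out heuristic run over constructed internal flow records, which flags a host that sweeps many peers on a single port within a short window, the pattern an infected laptop produces once it is plugged in. The log format, hosts, threshold and the choice of port 445 are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed internal flow log, one record per line: "timestamp src dst dst_port".
# Host 10.0.3.17 plays the laptop brought in from home: it contacts ten
# neighbours on port 445 within ten seconds. The other lines are ordinary
# traffic. Port 445 and every address here are sample data, not from the article.
SAMPLE_FLOWS = [
    "2004-05-04T09:00:00 10.0.1.5 10.0.9.2 80",
    "2004-05-04T09:00:01 10.0.1.8 10.0.9.2 80",
] + [f"2004-05-04T09:00:{i:02d} 10.0.3.17 10.0.4.{i + 1} 445" for i in range(10)] + [
    "2004-05-04T09:00:30 10.0.1.5 10.0.9.3 445",
    "2004-05-04T09:05:00 10.0.1.8 10.0.9.4 445",
]


def parse_flow(line):
    """Split one flow record into (timestamp, src, dst, dst_port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_scanners(lines, fanout=8, window=timedelta(seconds=60)):
    """Return {src: (port, peak_fanout)} for hosts that reach more than
    `fanout` distinct destinations on one port inside any `window`.
    Ordinary clients talk to a few servers; a worm sweeps many hosts fast."""
    by_key = defaultdict(list)
    for line in lines:
        ts, src, dst, port = parse_flow(line)
        by_key[(src, port)].append((ts, dst))
    flagged = {}
    for (src, port), events in by_key.items():
        events.sort()
        in_window = Counter()  # distinct destinations currently inside the window
        left, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the window: drop events older than `window` from the left.
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak > fanout and (src not in flagged or peak > flagged[src][1]):
            flagged[src] = (port, peak)
    return flagged
```

Feeding real flow or firewall logs through the same heuristic gives the list of machines to pull and patch first; the threshold and window should be tuned against a baseline of the network's normal fan-out.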
"The race is on between worm makers trying to create something to hit vulnerabilities and techs trying to evaluate which patches they need," Corn said. "Patch evaluation takes time. You need a system in place to detect the problems."
Schultze noted that Shavlik is now offering a free version of its patch management product to deal with Sasser. HFNetChkPro software scans a network to see which machines have the latest patch or are in need of one. While he isn't sure how many of his customers have been hit by the Sasser strains, Schultze said he's heard from people who feel good about not being hit because they had patch detection in place.