MSBlast worm outbreak 'infected 8 million PCs'

Microsoft claims epidemic far larger than previous estimates…

By Robert Lemos

Published: 5 April 2004 09:15 GMT

New data from Microsoft suggests that at least eight million Windows computers have been infected by the MSBlast, or Blaster, worm since last August - many times more than previously thought.

The latest data comes from the software giant's ability to track the usage of an online tool that its engineers created to clean systems infected with the worm.

Since the January release of the tool, more than 16 million of the systems that connected to Microsoft's Windows Update service were found to be infected with MSBlast and were offered a patch and the use of the disinfecting tool, the software giant told silicon.com's sister site CNET News.com. During the same period, about eight million systems actually called on Update to patch them and prevent reinfection and used the special tool to remove the worm.

Though Microsoft believes the total number of users infected by the worm is likely closer to the higher, 16 million tally, the eight million figure may provide a more solid indication of the minimum number of systems hit. The larger number may include systems counted more than once, as busy computer users declined to deal with the worm immediately, or cancelled the process once it had begun, only to return to Windows Update later. Once those systems were disinfected and patched, however, they would not be re-counted. Microsoft did not track which systems, specifically, used the tool, just that it was used.

Late last year, "we knew we were getting reports from customers saying that they were still seeing symptoms of Blaster," said Stephen Toulouse, security program manager for Microsoft's security response centre. "Our internet service provider partners were seeing a lot of Blaster traffic on their networks as well."

In fact, the worm hit so hard that the company quickly asked some development teams to stop work on the software giant's next version of Windows and create an interim update, known as Service Pack 2, to enhance the security of Windows XP. Moreover, several months of complaints led Microsoft to augment Windows Update with the online tool to detect and clean the MSBlast worm.

The tool has also given Microsoft an invaluable data point to quantify the threat of such internet worms.

Already, the size of the digital epidemic far exceeds the estimates of researchers who have tracked the worm since it first started spreading, on 11 August. Typically, researchers try to estimate the size of a worm epidemic by collecting data from the records of network devices, such as firewalls and intrusion detection systems. By aggregating the information from the devices, researchers can count the number of internet addresses from which a worm, such as MSBlast, is trying to spread.

Most internet security organisations had believed that at most 500,000 systems had been compromised by the self-propagating program.

"I don't doubt [the new] number," said Johannes Ullrich, CTO for the Internet Storm Center, which collects firewall logs from thousands of volunteers in order to gauge which digital threats are spreading on the internet. Using the voluntarily submitted records, the Internet Storm Center had tallied enough internet addresses to estimate that between 200,000 and 500,000 computers had been infected by the worm.

Another threat tracker, security company Symantec, has agreements with the owners of some 20,000 network devices to use their records for analysis. The company crunches the numbers to keep track of threats on the internet, and though it stopped counting once the MSBlast worm spread to more than 40,000 computers, Symantec estimated that "a couple hundred thousand" systems may have been compromised, said Alfred Huger, senior director of engineering for the company.

"I am surprised by [Microsoft's] number," he said. "However, I can't contest it; they have the best insight. We certainly see Blaster out there in spades."

Robert Lemos writes for CNET News.com
