2% is my very conservative estimate and I would agree with you in that its likely much more.
ISPs are not setup for doing user notifications of this magnitude and I doubt they ever could, as the cost would certainly be prohibitive, as their user base would certainly balk at the increased user fees. Most ISPs have been reducing staff and to track down and notify users of infected systems is a labour intensive process, especially if you try to help people fix their systems. I'm sure everyone here has tried to help someone over the phone with a computer problem and found it to be a frustrating experience at best. In short ISP are not going to be able to help much when it comes to mass infections and nor can they be expected to for the price they charge. Can they filter traffic, certainly, but can you really filter ICMP traffic, what about the next attack vector, and filtering for the most part is only a delaying tactic.
When MSBlast was released, it was likely the most anticipated worm ever, as everyone had lots of advanced notice as to what vulnerability it was going to attack and even scan tools were available to located systems vulnerable to the impending attack. I conducted an internet survey and posted my results in the Security Forum »Re: Defcon5? Impact if(when) Dcom worm released?
two days before we captured our first instance of the MSBlast worm »New Capture on TCP port 135
and found that despite all the warnings little was being done to reduce the threat level.
Now we hear about new threats »Hackers crack latest Windows flaw
for example would seem to be an impending mass attack and the question is did we learn anything from MSBlast in that preparations will be better this time? Certainly those who are aware of such things will make preparations (or more likely will check that their normal mode of operations has already installed the required patches etc), but once again the masses will not and we will all share in the results.
I see a foot race coming in that Black hats are going to try to release their worms before Microsoft gets XP SP2 out as enabling ICF by default is certainly going to dampen the success of worm authors (virus authors on the other hand are a different story as social engineering will always be their most effective weapon and can defeat even the best network security).
»www.SonicLogger.com - Logging Software for SonicWall and 3Comhttp://www.LinkLogger.com - Logging Software for Linksys, Netgear and Zyxel