RealTime IT News

Internet Recovering From Slammer Attack

The Internet was recovering Monday from a virulent worm attack that slowed or halted Web traffic around the world this weekend.

The new worm, dubbed SQL Slammer, hit the Internet on Saturday, taking advantage of a known vulnerability in Microsoft Corp.'s SQL 2000 Web servers. The worm, which doesn't damage the infected machine or delete or change files, generates massive amounts of network packets, overloading servers and routers, slowing down network traffic -- sometimes bringing it to a complete stop under the weight of the attack.

F-Secure, an anti-virus company, reports that as many as 200,000 computers have been infected so far, and the worm brought down as many as five out of the 13 Internet root name servers.

The Slammer worm disrupted business around the world. Bank of America Corp. reported that customers were unable to withdraw money from its 13,000 ATM machines here in the United States. Finnish telephone service was down. And in South Korea, where three-quarters of the population have Internet access, services were shut down nationwide for hours on Saturday. Outages or slow downs were reported in Thailand, Japan, the Philippines, India and Malaysia.

But security analysts say network administrators stepped up to the plate around the world and kept the start of the business week from bringing on even more Slammer-related problems. Mikko Hypponen, manager of anti-virus research in F-Secure's Helsinki office, says administrators worked through the weekend installing the needed patch, which has been available for months.

Hypponen, speaking to Datamation at what was the end of the business day in Helsinki, says Europe experienced some network slowdowns today but they are definitely on the mend. Email was slow across a widespread area and Voice over IP telephone calls were hindered but the worst of the attack seems to be over.

"It's one of the smallest network worms we've ever seen," says Hypponen, who adds that initial signs point to the worm originating in China. "That's why it's so fast. It's only 376 bytes and that makes it so aggressive in spreading that it slows down network traffic."

Chris Wraight, a technology consultant with anti-virus company Sophos, explains that part of the reason the worm acts so aggressively is because of the indiscriminate way it attacks. Slammer spreads entirely in memory and affects the process space of SQL Server 2000 by exploiting a buffer overflow. That allows it to start running as part of SQL server itself and then the worm sends itself from SQL to as many other IP addresses as it can.

"It's not discriminating," says Wraight. "It probes everything. It causes a lot of traffic and runs as an infinite loop."

Security experts agree that while network traffic was slowed and some major businesses were affected around the world, it would have been much worse if the worm had carried a more damaging payload. Files weren't changed or deleted. That would have made the worm much more devastating.

But F-Secure's Hypponen says he suspects the "success" of the Slammer worm will lead to similar attacks in the future.

"We've never seen such a small worm spread so fast and cause so many problems," he says. "That means this could be the beginning of something. Now they see that making it small and making it fast really pays off."