Internet Recovering From Slammer Attack

The Internet was recovering Monday from a virulent worm attack that slowed or halted Web traffic around the world this weekend.

The new worm, dubbed SQL Slammer, hit the Internet on Saturday, taking
advantage of a known vulnerability in Microsoft Corp.’s SQL 2000 Web
servers. The worm, which doesn’t damage the infected machine or delete or
change files, generates massive amounts of network packets, overloading
servers and routers, slowing down network traffic — sometimes bringing it
to a complete stop under the weight of the attack.

F-Secure, an anti-virus company, reports that as many as 200,000 computers
have been infected so far, and the worm brought down as many as five out of
the 13 Internet root name servers.

The Slammer worm disrupted business around the world. Bank of America Corp.
reported that customers were unable to withdraw money from its 13,000 ATM
machines here in the United States. Finnish telephone service was down. And
in South Korea, where three-quarters of the population have Internet access,
services were shut down nationwide for hours on Saturday. Outages or
slowdowns were reported in Thailand, Japan, the Philippines, India and Malaysia.

But security analysts say network administrators stepped up to the plate
around the world and kept the start of the business week from bringing on
even more Slammer-related problems. Mikko Hypponen, manager of anti-virus
research in F-Secure’s Helsinki office, says administrators worked through
the weekend installing the needed patch, which has been available for
months.

Hypponen, speaking to Datamation at what was the end of the business day in
Helsinki, says Europe experienced some network slowdowns today but that
networks are definitely on the mend. Email was slow across a widespread area
and Voice over IP telephone calls were hindered, but the worst of the attack
seems to be over.

“It’s one of the smallest network worms we’ve ever seen,” says Hypponen,
who adds that initial signs point to the worm originating in China. “That’s why
it’s so fast. It’s only 376 bytes and that makes it so aggressive in
spreading that it slows down network traffic.”

Chris Wraight, a technology consultant with anti-virus company Sophos,
explains that part of the reason the worm acts so aggressively is the
indiscriminate way it attacks. Slammer spreads entirely in memory and
affects the process space of SQL Server 2000 by exploiting a buffer
overflow. That allows it to start running as part of SQL Server itself, and
the worm then sends itself from SQL Server to as many other IP addresses as it can.

“It’s not discriminating,” says Wraight. “It probes everything. It causes
a lot of traffic and runs as an infinite loop.”

Security experts agree that while network traffic was slowed and some major
businesses were affected around the world, it would have been much worse if
the worm had carried a more damaging payload. Files weren’t changed or
deleted. That would have made the worm much more devastating.

But F-Secure’s Hypponen says he suspects the “success” of the Slammer worm
will lead to similar attacks in the future.

“We’ve never seen such a small worm spread so fast and cause so many
problems,” he says. “That means this could be the beginning of something.
Now they see that making it small and making it fast really pays off.”
