Study: Slammer was fastest-spreading worm yet
IDG News Service - A just-completed study into the Slammer worm, which hit the Internet a week ago, has concluded what many people already suspected: Slammer represented a significant milestone in the evolution of worms and was by far the fastest-spreading worm yet seen.
The study was conducted by a group of experts representing the Cooperative Association for Internet Data Analysis (CAIDA); the International Computer Science Institute; security company Silicon Defense; the University of California, Berkeley's electrical engineering and computer sciences department; and the University of California, San Diego's computer science and engineering department.
Its results provide a look into the first moments of Slammer's spread and offer some striking statistics.
During the first three minutes of the worm's spread, the number of infected machines doubled roughly every 8.5 seconds, the study found. That is more than 250 times faster than Code Red, which hit in mid-2001 and had a doubling time of about 37 minutes, according to the report. The worm reached its full aggregate scanning rate of around 55 million scans per second about three minutes after the attack began, at approximately 12:30 a.m. EST on Jan. 25.
The result was that within 10 minutes of the start of the attack, the majority of the estimated 75,000 machines Slammer eventually compromised had already been infected, the report said.
Slammer spread so much faster for several reasons, the report said. First, it was small: at just 376 bytes, the worm plus the headers it required fit inside a single 404-byte User Datagram Protocol (UDP) packet. Code Red was about 4KB in size, and the Nimda worm around 37KB.
The worm also worked differently from Code Red. Slammer generated pseudo-random IP addresses and fired a copy of itself at each one without first probing whether the target was running either of the two vulnerable products: Microsoft Corp.'s SQL Server 2000 database and MSDE 2000 (Microsoft SQL Server 2000 Desktop Engine). Because the addresses were chosen at random, given enough time the worm would eventually reach every vulnerable machine.
However, the speed with which it propagated also appears to have contributed to its downfall. The worm's spread eventually began to slow because the bandwidth from infected machines to the Internet could not carry the exponentially growing stream of packets they were generating; each infected host's scan rate was capped by its link capacity, the report said.
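The two preceding paragraphs describe a random-scanning worm whose growth is exponential at first and then saturates as the pool of uninfected targets shrinks. The following logistic model, added here as an illustration and not taken from the study or the article, ties the quoted figures together: with N vulnerable hosts in a 2^32-address space, each scan hits a fresh target with probability about N / 2^32, so the doubling time early in the outbreak is ln 2 / (r * N / 2^32) for a per-host scan rate r. The host count (75,000) and doubling time (8.5 s) are the article's; the per-host scan rate, the time step and the single initial infection are assumptions chosen to match them.

```python
"""Added example: a logistic model of a random-scanning UDP worm.

Not from the CAIDA study or the article. ADDRESS_SPACE is the IPv4
address space; the numbers fed to these functions in the usage below
are the article's (75,000 hosts, 8.5 s doubling time) plus assumed
values for the per-host scan rate, time step and seed infection.
"""
import math

ADDRESS_SPACE = 2 ** 32  # addresses a uniformly random scanner can choose from


def doubling_time(scans_per_sec_per_host, vulnerable_hosts, address_space=ADDRESS_SPACE):
    """Doubling time (seconds) while almost every target is still uninfected.

    Each scan hits a vulnerable host with probability N / 2^32, so one infected
    host creates k = r * N / 2^32 new infections per second and I(t) grows as
    exp(k t); the doubling time is ln 2 / k.
    """
    k = scans_per_sec_per_host * vulnerable_hosts / address_space
    return math.log(2) / k


def required_scan_rate(doubling_seconds, vulnerable_hosts, address_space=ADDRESS_SPACE):
    """Invert doubling_time: the per-host scan rate that yields a given doubling time."""
    return math.log(2) * address_space / (vulnerable_hosts * doubling_seconds)


def simulate(scans_per_sec_per_host, vulnerable_hosts, seconds,
             initial=1, dt=0.1, address_space=ADDRESS_SPACE):
    """Forward-Euler integration of dI/dt = k * I * (1 - I/N).

    The (1 - I/N) factor is the saturation the text describes: as fewer
    uninfected targets remain, random scans increasingly hit hosts that
    are already infected. Returns a list of (time_s, infected) samples.
    """
    k = scans_per_sec_per_host * vulnerable_hosts / address_space
    infected = float(initial)
    samples = []
    for step in range(int(seconds / dt) + 1):
        samples.append((round(step * dt, 3), infected))
        infected += dt * k * infected * (1.0 - infected / vulnerable_hosts)
    return samples


def time_to_reach(samples, count):
    """First sample time at which the infected population is >= count (None if never)."""
    for t, infected in samples:
        if infected >= count:
            return t
    return None


if __name__ == "__main__":
    hosts = 75_000
    # Per-host scan rate implied by an 8.5 s doubling time (an assumption
    # derived from the article's figures, not a measured value).
    rate = required_scan_rate(8.5, hosts)
    print("scan rate per host implied by 8.5 s doubling: %.0f/s" % rate)
    run = simulate(rate, hosts, seconds=300)
    print("time to 100 infected: %.1f s" % time_to_reach(run, 100))
    print("time to 200 infected: %.1f s" % time_to_reach(run, 200))
    print("time to 50%% infected: %.1f s" % time_to_reach(run, 0.5 * hosts))
    print("time to 90%% infected: %.1f s" % time_to_reach(run, 0.9 * hosts))
```

With the article's numbers the implied per-host rate is a few thousand scans per second, which is why an infected host's own uplink, not the worm's code, becomes the bottleneck: a 404-byte datagram a few thousand times a second is on the order of tens of megabits per second per host. The model also shows that the "majority within 10 minutes" figure is not the exponential phase running unchecked but the logistic curve reaching its plateau well inside that window.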
Its signature was also easy to detect: every copy was a single UDP datagram aimed at one specific port on vulnerable systems (UDP port 1434, the SQL Server resolution service), so network-level blocking of that port was effective in slowing the worm.
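A network-level detector for the signature described above needs only flow records: a host that sends same-sized UDP datagrams to one port at dozens of distinct addresses within seconds is random-scanning, whatever the payload. The code below is an added example, not from the article or the study. The flow records it builds are constructed for illustration; UDP port 1434 and the 404-byte datagram size are Slammer's, and the window and distinct-destination thresholds are assumptions to be tuned per network.

```python
"""Added example: flag random-scanning hosts from UDP flow records.

Not from the article or the study. The flows are constructed here for
illustration; port 1434 and the 404-byte datagram length are Slammer's,
the thresholds (window_s, min_distinct_dsts) are assumed defaults.
"""
from collections import defaultdict

# Flow record layout (constructed): (timestamp_s, src_ip, dst_ip, proto, dst_port, ip_length)


def build_sample():
    """Construct a small mixed trace: one legitimate SQL client, one scanner, web noise."""
    flows = []
    # Legitimate client: small queries to two known SQL Server instances.
    for i in range(6):
        flows.append((float(i), "10.0.0.5", "10.0.1.%d" % (10 + i % 2), "udp", 1434, 80))
    # Infected host: one 404-byte datagram to each of many unrelated addresses in 4 s.
    for i in range(40):
        dst = "%d.%d.%d.%d" % ((i * 37) % 223 + 1, (i * 91) % 256, (i * 53) % 256, (i * 17) % 256)
        flows.append((i * 0.1, "10.0.0.9", dst, "udp", 1434, 404))
    # Unrelated TCP web traffic that the detector must ignore.
    for i in range(5):
        flows.append((float(i), "10.0.0.7", "93.184.216.34", "tcp", 80, 1500))
    return flows


def find_scanners(flows, port=1434, window_s=10.0, min_distinct_dsts=20, datagram_len=None):
    """Return {src_ip: peak_distinct_destinations} for sources that sent UDP to
    `port` at >= min_distinct_dsts distinct destinations inside any window_s
    second window. If datagram_len is given, only datagrams of that IP length
    count (404 for Slammer), which cuts noise from legitimate queries.
    """
    per_src = defaultdict(list)
    for ts, src, dst, proto, dport, length in flows:
        if proto != "udp" or dport != port:
            continue
        if datagram_len is not None and length != datagram_len:
            continue
        per_src[src].append((ts, dst))

    hits = {}
    for src, events in per_src.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> number of datagrams inside the sliding window
        start = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the window start forward past events older than window_s.
            while events[start][0] < ts - window_s:
                old_dst = events[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_distinct_dsts:
            hits[src] = peak
    return hits


if __name__ == "__main__":
    sample = build_sample()
    print("scanners (any length):", find_scanners(sample))
    print("scanners (404-byte only):", find_scanners(sample, datagram_len=404))
```

The distinct-destination count is the robust part of the signature: a legitimate client talks to a handful of SQL Server instances repeatedly, while a random scanner almost never sends to the same address twice. Once a host is flagged, the response the report found effective is the blunt one: drop UDP to that port at the network edge for everything except known database segments.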
Code Red, by contrast, had to complete a TCP connection to each target before it could deliver its exploit, so every attempt waited on a response and the worm attacked only hosts that answered. This made its rate of infection much slower.
The report also identified at least one implication of the attack.
It said smaller user populations could potentially be more vulnerable to attack. In the past, worms often targeted only software for which there was a large installed base of users. But given the speed with which Slammer-like worms can spread, less popular software now also presents a viable breeding ground for worms, the report said.