Slammer worm slows; no new reports of problems

More than 48 hours after a new worm first appeared, its spread had slowed and there were no repeats of the major disruption that hit the Internet on Saturday.

"[On Saturday] in our operations centers, we were seeing between 200,000 and 300,000 attacks per hour. [On Sunday] we're seeing between 9,000 and 10,000 per hour, which is around what we see for the Nimda virus on an average day," said Chris Rouland, director of Internet Security Systems Inc.'s X-Force.

The worm, dubbed "Slammer" or "Sapphire" by antivirus companies, first appeared at around 12:30 a.m. EST on Saturday. It attacks a vulnerability in Microsoft Corp.'s SQL Server 2000 database and MSDE 2000 (Microsoft SQL Server 2000 Data Engine) software. The worm, which doesn't attack the average home computer or appear to harm database contents, generates a large amount of network traffic that slows down legitimate traffic in a manner similar to a denial-of-service (DoS) attack.

The worm was felt perhaps most in South Korea, where most of the nation's Internet users couldn't access the Internet from around 2:30 p.m. local time to the end of Saturday.

"As of 2 p.m. [local time today], we have not seen any more problems," said Kim Dong Hyuk, a public affairs officer at South Korea's Ministry of Information and Communication. "From Saturday until now, we have been operating an emergency task force to handle the problem. We are monitoring all Internet service provider traffic and we increased the number of [domestic] DNS [Domain Name System] servers from 10 to 20."

The worm also hit Internet traffic in other nations, including the U.S. The Atlanta Journal-Constitution said printing of yesterday's first edition was delayed by the attack, and Bank of America Corp.'s automated teller machine network reportedly suffered problems, as did Continental Airlines Inc.'s computer systems.

The worm's spread was slowed as major Internet service providers moved to block the port used for the attacks, according to security experts. Applying software patches to affected systems also helped reduce the severity of problems, although many systems remain vulnerable.

"I think business will be impacted tomorrow. I was surprised by the amount of UDP [User Datagram Protocol] traffic that got into some companies," Rouland said. Once the Slammer worm has penetrated an organization's perimeter defenses, spreading from host to host within the corporate network is comparatively easy, he said.

"We like to think of most corporations as hard candies with a soft chewy center," Rouland said.

Small and medium-size businesses that don't monitor their networks around the clock are more likely to feel the effects of Slammer, especially if their IT staffs didn't address the problem over the weekend, Rouland said.

Microsoft first published details of the vulnerability last July and has had a patch available since then. The third service pack for the software, released last week, also plugs the hole.

"Microsoft software has a lot of vulnerabilities," said Kang Jun, an incident handling manager at the Korea Information Security Agency (KISA) in Seoul. "Many people didn't apply the patches produced by vendors. It can be very confusing."

The weekend attack came less than a day after South Korea's Ministry of Information and Communication issued an alert over impending denial-of-service attacks and urged users to ensure that their systems are up to date with the latest patches. The alert was prompted by warnings from KISA, although Kang said the Slammer attack is unrelated, so the possibility of a separate denial-of-service attack remains.

Law enforcement agencies are also entering the investigation.

"This is a criminal act, and we are working with law enforcement authorities," Microsoft said in a statement. However, for legal action to be taken, the source of the worm would have to be identified, and that might be difficult to determine.

"There are no copyright strings in the body of the worm," said Denis Zenkin, spokesman for antivirus software vendor Kaspersky Labs Ltd. in Moscow. "It looks like the author was very conscientious about the size of the worm. It looks like the author tried to make a very small worm. It is only 376 bytes long and any copyright strings would make it bigger."

"We have no concrete information, the virus has no clues whatsoever, but I have a gut feeling that it is from China," said Mikko Hypponen, antivirus research manager at F-Secure Corp. in Helsinki, Finland. "It could be the same guy who wrote the Lion worm for Linux," he said. The Chinese creator of the Lion worm that attacked Linux had discussed the theory of the Slammer worm in online message boards, according to Hypponen.

The worm's small size, just a few hundred bytes, will also make it difficult to trace, because that size let it spread so fast, he said.

"This is one of the smallest worms we have ever seen. It is awfully short; that is why it is so fast," he said. "With a normal worm, we would be able to trace it back by looking at the time stamps in those logs. In this case, we cannot trace it back because many systems were infected within one minute."
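To make the per-hour attack counts and the timestamp-tracing problem concrete, here is an added example (not from the article or any vendor) that tallies worm datagrams per hour from a constructed firewall log and measures how tightly the first-seen times of scanning hosts cluster. It assumes a made-up log format and uses UDP port 1434, the SQL Server resolution port Slammer targeted, which the article does not name.

```python
import re
from collections import Counter
from datetime import datetime

# The 376-byte payload size is from the article; UDP port 1434 (SQL Server resolution
# service) is not named there but is the port Slammer used. Log format is constructed.
SLAMMER_PORT, SLAMMER_LEN = 1434, 376
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) DROP UDP (?P<src>[\d.]+):\d+ -> "
                    r"[\d.]+:(?P<dport>\d+) len=(?P<len>\d+)$")
# Constructed firewall log excerpt (sample data, not a real capture).
SAMPLE_LOG = """\
2003-01-25 05:30:02 DROP UDP 192.0.2.10:1110 -> 203.0.113.5:1434 len=376
2003-01-25 05:30:05 DROP UDP 192.0.2.11:3400 -> 203.0.113.5:1434 len=376
2003-01-25 05:30:09 DROP UDP 198.51.100.7:2111 -> 203.0.113.5:1434 len=376
2003-01-25 05:30:40 DROP UDP 192.0.2.10:1110 -> 203.0.113.6:1434 len=376
2003-01-25 05:30:55 DROP UDP 198.51.100.9:5020 -> 203.0.113.5:1434 len=376
2003-01-25 05:31:10 DROP UDP 192.0.2.12:53 -> 203.0.113.5:53 len=64
2003-01-25 06:02:00 DROP UDP 198.51.100.9:5020 -> 203.0.113.7:1434 len=376
"""

def parse_log(text):
    """Parse lines into (timestamp, src, dport, payload_len); unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           m["src"], int(m["dport"]), int(m["len"])))
    return events

def slammer_hits(events):
    """Keep only datagrams that match the worm's target port and payload size."""
    return [e for e in events if e[2] == SLAMMER_PORT and e[3] == SLAMMER_LEN]

def hits_per_hour(events):
    """Attack rate per clock hour, the figure ISS quoted from its operations centers."""
    return Counter(ts.strftime("%Y-%m-%d %H:00") for ts, *_ in events)

def first_seen(events):
    """Earliest timestamp at which each source host was observed scanning."""
    seen = {}
    for ts, src, _, _ in sorted(events):
        seen.setdefault(src, ts)
    return seen

def spread_window_seconds(events):
    """Seconds between first and last source to start scanning; inside clock skew, order is meaningless."""
    times = list(first_seen(events).values())
    return int((max(times) - min(times)).total_seconds())
```

With the sample data every scanning host starts within 53 seconds, inside the clock skew of ordinary unsynchronised servers, which is why log timestamps alone could not rank one host as the origin.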

Authorities in Hong Kong spent part of today looking into a possible link with China.

"The origin of the worm has yet to be confirmed," said the Hong Kong police in a statement.

The Hong Kong Computer Emergency Response Team (HKCERT) received 10 reports of problems associated with the worm, of which seven were infection reports, said S.C. Leung, a senior consultant with the team. Leung said HKCERT has no evidence to support the claim that the worm originated in China.

Kaspersky said it has evidence the worm surfaced as early as a week ago in the Netherlands. While looking back through old log files today, the company found copies of the worm being received from two servers in the Netherlands. Still, Kaspersky doesn't know who created it. The servers from which the worm was launched were probably hacked, said Zenkin.

Hypponen agreed that finding the first machine to be infected isn't necessarily a smoking gun. "If we could trace it back, the virus writer would be stupid to launch it from his home computer. Most likely it was sent from some hacked server anyway."

He said he doesn't think the Slammer worm was meant to overload the Internet the way it did. "I don't think the guy designed it to overload the Internet like this. I think it spread faster than he thought."


Copyright © 2003 IDG Communications, Inc.
