More than 48 hours since it first appeared, the spread of a new worm that targets servers running the Microsoft SQL Server
database software had slowed and there had been no repeats of the major disruption caused to the Internet on Saturday.
"[Saturday] in our operations centers we were seeing between 200,000 and 300,000 attacks per hour. [Sunday] we're seeing between
9,000 and 10,000 per hour, which is around what we see for the NIMDA virus on an average day," said Chris Rouland, director of Internet Security Systems' X-Force.
The worm, dubbed 'Slammer' or 'Sapphire' by antivirus companies, first appeared at around 5:30 a.m. GMT (12:30 a.m. EST) on
Saturday and attacks a vulnerability in Microsoft 's SQL Server 2000 database and MSDE 2000 (Microsoft SQL Server 2000 Data
Engine) software. The worm, which does not attack the average home computer or appear to harm database contents, results in
a large amount of network traffic that slows down legitimate traffic in a similar manner to a denial of service (DOS) attack.
The result of the worm was felt perhaps most in South Korea, where most of the nation's Internet users could not access the
Internet from around 2:30 p.m. local time to the end of Saturday, and where news of the problems topped the evening television news.
"As of 2 p.m. [Monday], we have not seen any more problems," said Kim Dong Hyuk, a public affairs officer at South Korea's
Ministry of Information and Communication. "From Saturday until now, we have been operating an emergency task force to
handle the problem. We are monitoring all Internet service provider traffic and we increased the number of [domestic] DNS
servers from 10 to 20."
The worm also hit Internet traffic in other nations and affected other areas of everyday life. The Atlanta Journal-Constitution
said printing of Sunday's first edition was delayed after the attack hit its computer network, and reports also said the Bank
of America automated teller machine network and Continental Airlines suffered problems.
The worm's spread was slowed as major Internet service providers (ISPs) moved to block the port used for the attacks, according
to security experts. The application of software patches to affected systems also helped to reduce the severity of problems
caused by the worm, although many systems remain vulnerable.
"I think business will be impacted tomorrow. I was surprised by the amount of UDP (User Datagram Protocol) traffic that got
into some companies," Rouland said. Once the Slammer worm has penetrated an organization's perimeter defenses, spreading from host to host within the corporate
network is comparatively easy, he said.
"We like to think of most corporations as hard candies with a soft chewy center," Rouland said.
Small and medium-size businesses that do not monitor their networks around the clock are more likely to feel the effects of
Slammer on Monday, especially if IT staff did not address the problem over the weekend, Rouland said.
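Rouland's point above, that the worm's UDP datagrams got past perimeter defenses and then moved host to host inside, is something a defender can check from firewall logs. The following is an added example, not code from the article or from any vendor quoted in it. It parses constructed log lines, counts worm-shaped datagrams per hour (the per-hour rate is how the X-Force figures above are expressed), and lists internal hosts that are sending such datagrams to other internal hosts. The article does not name the blocked port; UDP 1434, the SQL Server resolution service port, is assumed here. The 10.0.0.0/8 internal range is also an assumption, and the 376-byte payload length is the figure Zenkin gives later in the article.

```python
"""Hourly-rate and internal-spread checks for a UDP-borne worm, over constructed firewall log lines."""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

# Assumed: the article says ISPs blocked "the port used for the attacks" without naming it;
# the SQL Server resolution service listens on UDP 1434, which is the value assumed here.
WORM_PORT = 1434
# Payload size taken from the article's quote ("only 376 bytes long").
WORM_PAYLOAD_LEN = 376
# Assumed site-internal address space (not stated in the article).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample firewall log lines (not from the article).
# Fields: date time proto src dst dport udp_payload_bytes
SAMPLE_LOG = """\
2003-01-25 05:31:02 UDP 203.0.113.7 198.51.100.20 1434 376
2003-01-25 05:31:02 UDP 203.0.113.9 198.51.100.21 1434 376
2003-01-25 05:31:05 TCP 203.0.113.7 198.51.100.22 80 1500
2003-01-25 05:32:44 UDP 203.0.113.11 198.51.100.20 1434 376
2003-01-25 05:40:00 UDP 192.0.2.5 198.51.100.53 53 78
2003-01-25 06:01:09 UDP 10.1.4.22 10.1.7.30 1434 376
2003-01-25 06:01:09 UDP 10.1.4.22 10.1.7.31 1434 376
2003-01-25 06:01:10 UDP 10.1.4.22 10.1.7.32 1434 376
2003-01-25 06:05:00 UDP 10.1.4.40 10.1.7.30 1434 120
"""


def parse_line(line):
    """Split one whitespace-separated log line into a record dict."""
    date, time, proto, src, dst, dport, length = line.split()
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "proto": proto,
        "src": src,
        "dst": dst,
        "dport": int(dport),
        "length": int(length),
    }


def is_worm_shaped(rec):
    """A single UDP datagram to the assumed port carrying exactly the worm's payload size."""
    return rec["proto"] == "UDP" and rec["dport"] == WORM_PORT and rec["length"] == WORM_PAYLOAD_LEN


def is_internal(addr):
    # Explicit network list rather than ip_address().is_private, which also matches
    # the documentation ranges used in the sample log and would misclassify them.
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def records(log_text):
    return [parse_line(line) for line in log_text.splitlines() if line.strip()]


def hourly_counts(log_text):
    """Worm-shaped datagrams per clock hour, keyed like '2003-01-25 05:00'."""
    counts = Counter()
    for rec in records(log_text):
        if is_worm_shaped(rec):
            counts[rec["ts"].strftime("%Y-%m-%d %H:00")] += 1
    return counts


def spiking_hours(counts, threshold):
    """Hours whose worm-shaped datagram count reaches the given per-hour threshold."""
    return sorted(hour for hour, n in counts.items() if n >= threshold)


def internal_spreaders(log_text):
    """Internal sources sending worm-shaped datagrams to other internal hosts, with the
    number of distinct targets each one hit: evidence the perimeter has already been crossed."""
    targets = defaultdict(set)
    for rec in records(log_text):
        if is_worm_shaped(rec) and is_internal(rec["src"]) and is_internal(rec["dst"]):
            targets[rec["src"]].add(rec["dst"])
    return {src: len(dsts) for src, dsts in targets.items()}


if __name__ == "__main__":
    counts = hourly_counts(SAMPLE_LOG)
    for hour, n in sorted(counts.items()):
        print(f"{hour}: {n} worm-shaped datagrams")
    print("hours at or above threshold 3:", spiking_hours(counts, 3))
    print("internal hosts spreading to other internal hosts:", internal_spreaders(SAMPLE_LOG))
```

The per-hour count is meant to be compared against a normal-day baseline such as the one Rouland quotes; on a real log the threshold would be set from that baseline rather than the small constructed figure used here. The internal-spreader list is the more urgent signal, since any entry in it means blocking the port at the edge is no longer enough.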
Before the clean up is complete, companies around the globe will likely be re-evaluating their network defenses in light of
the success of the Slammer worm. Some of the blame surely lies with users -- Microsoft first published details of the vulnerability
in July last year and has had a patch available since then. The third service pack for the software, released last week, also
plugs the hole.
Despite the availability of a patch, Microsoft will also inevitably come in for some criticism -- most likely for the number
of security problems with its software and the amount of patches that it releases.
"Microsoft software has a lot of vulnerabilities," said Kang Jun, an incident handling manager at the Korea Information Security
Agency (KISA) in Seoul. "Many people didn't apply the patches produced by vendors. It can be very confusing."
The high number of patches released by software companies can make them difficult to keep track of and also make users numb
to the security alerts so the message never gets through. For example, the Code Red worm that caused chaos in August 2001
is still hitting computers today because unpatched systems remain.
The weekend attack came less than a day after South Korea's Ministry of Information and Communication issued an alert over
impending denial of service attacks and urged users to ensure their systems are up to date with the latest patches. The alert
was prompted by warnings from KISA, although Kang said the Slammer attack is unrelated, so the possibility of a separate DOS
attack remains.
Law enforcement agencies are also entering the investigation.
"This is a criminal act and we are working with law enforcement authorities," said Microsoft in a statement. However, for
legal action to be taken, the source of the worm will have to be identified and that might be difficult to determine.
"There are no copyright strings in the body of the worm," said Denis Zenkin, spokesman for anti-virus software vendor Kaspersky
Labs, in Moscow. "It looks like the author was very conscientious about the size of the worm. It looks like the author tried to
make a very small worm, it is only 376 bytes long and any copyright strings would make it bigger."
"We have no concrete information, the virus has no clues whatsoever, but I have a gut feeling that it is from China," said
Mikko Hyppönen, antivirus research manager at F-Secure Corp. in Helsinki, Finland. "It could be the same guy who wrote the
Lion worm for Linux," he said. The Chinese creator of the Lion worm that attacked Linux had discussed the theory of the
Slammer worm in online message boards, according to Hyppönen.
The small size of the worm, just a few hundred bytes, will also make it difficult to trace because it spreads so fast, he
said.
"This is one of the smallest worms we have ever seen. It is awfully short, that is why it is so fast," he said. "With a normal
worm we would be able to trace it back by looking at the time stamps in those logs. In this case we cannot trace it back
because many systems were infected within one minute."
Authorities in Hong Kong spent part of Monday looking into a possible link with China.
"The origin of the worm has yet to be confirmed," said the Hong Kong Police in a statement issued early Monday.
The Hong Kong Computer Emergency Response Team (HKCERT) had received ten reports of problems associated with the worm, of
which seven were infection reports, said S.C. Leung, a senior consultant with the team. Leung said HKCERT has no evidence
to support the claim that the worm originated in China, and thus was unable to confirm it.
Kaspersky says it has evidence the worm surfaced as early as a week ago in the Netherlands. While looking back through old
log files Monday, the company found instances of copies of the worm being received from two servers in the Netherlands.
Still, Kaspersky does not know who created the worm. The servers the worm was launched from were probably hacked, said Zenkin.
Hyppönen agrees that finding the first machine to be infected isn't necessarily the smoking gun people are looking for. "If we could
trace it back, the virus writer would be stupid to launch it from his home computer. Most likely it was sent from some hacked
server anyway."
He said he does not think the Slammer worm was meant to overload the Internet the way it did.
"The overloading slowed down the Internet but also the spread of the worm and makes it so much easier to discover. I don't
think the guy designed it to overload the Internet like this, I think it spread faster than he thought."