More than 48 hours after it first appeared, the spread of a new worm targeting servers running Microsoft's SQL Server database software has slowed, and there have been no repeats of the major disruption it caused to the Internet on Saturday.
“(Saturday) in our operations centers we were seeing between 200,000 and 300,000 attacks per hour. (Sunday) we’re seeing between 9,000 and 10,000 per hour, which is around what we see for the NIMDA virus on an average day,” said Chris Rouland, director of Internet Security Systems Inc.’s X-Force.
The worm, dubbed ‘Slammer’ or ‘Sapphire’ by antivirus companies, first appeared at around 5:30 a.m. GMT (12:30 a.m. EST) on Saturday and attacks a vulnerability in Microsoft Corp.’s SQL Server 2000 database and MSDE 2000 (Microsoft SQL Server 2000 Desktop Engine) software. The worm does not attack the average home computer and does not appear to harm database contents, but the volume of network traffic it generates slows down legitimate traffic in much the same way as a denial of service (DoS) attack.
The worm’s effects were felt most in South Korea, where most of the nation’s Internet users could not get online from around 2:30 p.m. local time until the end of Saturday, and where news of the outage topped the evening television news.
“As of 2:00 p.m. (Monday), we have not seen any more problems,” said Kim Dong Hyuk, a public affairs officer at South Korea’s Ministry of Information and Communication. “From Saturday until now, we have been operating an emergency task force to handle the problem. We are monitoring all Internet service provider traffic and we increased the number of (domestic) DNS (domain name system) servers from 10 to 20.”
The worm also hit Internet traffic in other nations and affected other areas of everyday life. The Atlanta Journal-Constitution said printing of Sunday’s first edition was delayed after the attack hit its computer network and reports also said the Bank of America automated teller machine network and Continental Airlines suffered problems.
The worm’s spread was slowed as major Internet service providers (ISPs) moved to block the port used for the attacks (UDP port 1434, the SQL Server resolution service), according to security experts. The application of software patches to affected systems also helped to reduce the severity of the problems caused by the worm, although many systems remain vulnerable.
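Because the worm spreads by sending a single UDP datagram to port 1434 on pseudo-random addresses, an infected host stands out in flow logs as one source hitting UDP/1434 on many distinct destinations in seconds, whereas a legitimate client talks to a handful of SQL servers on that port. The following detector, added here as an illustration and not part of the original article or any vendor's tooling, runs that check over a constructed flow log (timestamp, source, destination, protocol, destination port, payload length; the format and all addresses are assumptions for this example). It also counts UDP/1434 packets whose payload is exactly 376 bytes, the worm size quoted later in the article, as a secondary signal.

```python
"""Flag hosts that look like Slammer-style UDP/1434 scanners in flow records.

Added example: the log format, addresses and timestamps below are constructed
for illustration; only the port number and the 376-byte size come from the
worm itself.
"""
from collections import defaultdict
from dataclasses import dataclass

SLAMMER_PORT = 1434      # SQL Server 2000 resolution service (UDP)
SLAMMER_PAYLOAD = 376    # UDP payload length of the worm body


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    dst: str
    proto: str
    dport: int
    payload_len: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: 'ts src dst proto dport payload_len'."""
    ts, src, dst, proto, dport, plen = line.split()
    return Flow(float(ts), src, dst, proto.lower(), int(dport), int(plen))


def find_scanners(flows, window=60.0, min_targets=20):
    """Return {src: max_distinct_dst} for sources that send UDP/1434 to at
    least `min_targets` distinct hosts within any `window` seconds.

    A sliding window over time-sorted flows; the distinct-destination count
    is recomputed per step, which is fine for log-sized inputs.
    """
    per_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto == "udp" and f.dport == SLAMMER_PORT:
            per_src[f.src].append(f)

    hits = {}
    for src, fl in per_src.items():
        best, lo = 0, 0
        for hi in range(len(fl)):
            while fl[hi].ts - fl[lo].ts > window:
                lo += 1
            best = max(best, len({x.dst for x in fl[lo:hi + 1]}))
        if best >= min_targets:
            hits[src] = best
    return hits


def slammer_sized(flows):
    """Return {src: count} of UDP/1434 packets whose payload is 376 bytes."""
    counts = defaultdict(int)
    for f in flows:
        if (f.proto == "udp" and f.dport == SLAMMER_PORT
                and f.payload_len == SLAMMER_PAYLOAD):
            counts[f.src] += 1
    return dict(counts)


# Constructed sample log: a legitimate client querying two SQL servers, one
# DNS lookup, and an infected host spraying 60 addresses in under a second.
SAMPLE_LOG = [
    "1043472600.0 10.0.1.4 10.0.2.10 udp 1434 32",
    "1043472601.0 10.0.1.4 10.0.2.11 udp 1434 32",
    "1043472602.0 10.0.1.4 10.0.2.10 udp 1434 32",
    "1043472603.0 10.0.3.9 10.0.0.53 udp 53 41",
]
SAMPLE_LOG += [
    f"{1043472600.0 + i * 0.01:.2f} 10.0.5.17 192.0.2.{i} udp 1434 376"
    for i in range(1, 61)
]


def run(lines=SAMPLE_LOG):
    flows = [parse_flow(l) for l in lines]
    return find_scanners(flows), slammer_sized(flows)


if __name__ == "__main__":
    scanners, sized = run()
    for src, n in scanners.items():
        print(f"{src}: UDP/1434 to {n} distinct hosts, "
              f"{sized.get(src, 0)} packets of {SLAMMER_PAYLOAD} bytes")
```

The destination-fanout rule is the robust one: it catches a scanner regardless of payload size, while the 376-byte match only confirms which packets carry the worm body. The same threshold applied to outbound flows at the perimeter identifies the internal hosts that need to be quarantined before the port block is lifted.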
“I think business will be impacted tomorrow. I was surprised by the amount of UDP (User Datagram Protocol) traffic that got into some companies,” Rouland said. Once the Slammer worm has penetrated an organization’s perimeter defenses, spreading from host to host within the corporate network is comparatively easy, he said.
“We like to think of most corporations as hard candies with a soft chewy center,” Rouland said.
Small and medium-size businesses that do not monitor their networks around the clock are more likely to feel the effects of Slammer on Monday, especially if IT staff did not address the problem over the weekend, Rouland said.
Before the clean-up is complete, companies around the globe will likely be re-evaluating their network defenses in light of the success of the Slammer worm. Some of the blame surely lies with users: Microsoft first published details of the vulnerability in July last year and has had a patch available since then. The third service pack for the software, released last week, also plugs the hole.
Despite the availability of a patch, Microsoft will also inevitably come in for some criticism — most likely for the number of security problems with its software and the amount of patches that it releases.
“Microsoft software has a lot of vulnerabilities,” said Kang Jun, an incident handling manager at the Korea Information Security Agency (KISA) in Seoul. “Many people didn’t apply the patches produced by vendors. It can be very confusing.”
The high number of patches released by software companies makes them difficult to keep track of and leaves users numb to security alerts, so the message never gets through. The Code Red worm that caused chaos in August 2001, for example, is still hitting computers today because unpatched systems remain.
The weekend attack came less than a day after South Korea’s Ministry of Information and Communication issued an alert over impending denial of service attacks and urged users to ensure their systems are up to date with the latest patches. The alert was prompted by warnings from KISA, although Kang said the Slammer attack is unrelated, so the possibility of the DoS attack the alert warned of remains.
Law enforcement agencies are also entering the investigation.
“This is a criminal act and we are working with law enforcement authorities,” said Microsoft in a statement. However, for legal action to be taken, the source of the worm will have to be identified and that might be difficult to determine.
“There are no copyright strings in the body of the worm,” said Denis Zenkin, spokesman for anti-virus software vendor Kaspersky Labs Ltd. in Moscow. “It looks like the author was very conscientious about the size of the worm. It looks like the author tried to make a very small worm, it is only 376 bytes long and any copyright strings would make it bigger.”
“We have no concrete information, the virus has no clues whatsoever, but I have a gut feeling that it is from China,” said Mikko Hyppönen, antivirus research manager at F-Secure Corp. in Helsinki, Finland. “It could be the same guy who wrote the Lion worm for Linux,” he said. The Chinese creator of the Lion worm that attacked Linux had discussed the theory of the Slammer worm in online message boards, according to Hyppönen.
The worm’s small size, just a few hundred bytes, let it spread so fast that it will also be difficult to trace, he said.
“This is one of the smallest worms we have ever seen. It is awfully short, that is why it is so fast,” he said. “With a normal worm we would be able to trace it back by looking at the time stamps in those logs. In this case we can not trace it back because many systems were infected within one minute.”
Authorities in Hong Kong spent part of Monday looking into a possible link with China.
“The origin of the worm has yet to be confirmed,” said the Hong Kong Police in a statement issued early Monday.
The Hong Kong Computer Emergency Response Team (HKCERT) had received ten reports of problems associated with the worm, of which seven were infection reports, said S.C. Leung, a senior consultant with the team. Leung said HKCERT has no evidence to support the claim that the worm originated in China, and thus was unable to confirm it.
Kaspersky says it has evidence the worm surfaced as early as a week ago in the Netherlands. While looking back through old log files Monday, the company found instances of copies of the worm being received from two servers in the Netherlands. Still, Kaspersky does not know who created the worm. The servers the worm was launched from were probably hacked, said Zenkin.
Hyppönen agrees that finding the first machine to be infected isn’t necessarily the smoking gun people are looking for. “If we could trace it back, the virus writer would be stupid to launch it from his home computer. Most likely it was sent from some hacked server anyway.”
He said he does not think the Slammer worm was meant to overload the Internet the way it did.
“The overloading slowed down the Internet but also the spread of the worm and makes it so much easier to discover. I don’t think the guy designed it to overload the Internet like this, I think it spread faster than he thought.”