The Slammer worm, which hit the internet a week ago, was by far the fastest spreading worm yet seen, a study has...
It also represented a significant milestone in the evolution of worms, according to a group of experts representing the Cooperative Association for Internet Data Analysis (CAIDA), International Computer Science Institute, Silicon Defense and University of California academics.
The experts found that during the first three minutes of the worm's spread, the number of infected machines doubled roughly every 8.5 seconds. This is more than 250 times faster than Code Red, which hit in mid-2001 and had a doubling time of 37 minutes.
The worm hit its full scanning rate of around 55 million scans per second at around three minutes after the attack began at roughly 05:30 GMT on Saturday 25 January.
The result of this fast spread was that within 10 minutes of the start of the attack, most of the estimated 75,000 machines that were hit had been infected.
The report suggested size played a key part in the speed of Slammer's spread. At just 376 bytes in size, the worm and required headers fit inside a 404-byte UDP (User Datagram Protocol) packet. Code Red was 4Kbytes in size while the Nimda worm was around 37Kbytes.
The worm also worked differently to Code Red. Slammer generated random IP addresses and dispatched itself to those addresses without scanning to find out whether the target machine was running either of the two pieces of software that were vulnerable to attack: Microsoft's SQL Server 2000 database and MSDE 2000 (Microsoft SQL Server 2000 Data Engine).
Because of its random nature, the worm would hit all vulnerable machines given enough time.
However, the speed with which it propagated appears to have contributed to its downfall. Spread of the worm eventually began to slow because bandwidth from infected machines to the internet could not support the exponential growth in IP packets being generated.
Its signature, attacking a specific port on vulnerable systems, was also easy to detect and network-level blocking of the ports in question was effective in slowing the worm.
In the case of Code Red, the worm probed machines to find vulnerable servers and only attacked IP addresses of machines judged vulnerable. This led to a much slower rate of spread.
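The doubling times and the bandwidth-limited slowdown described above can be reproduced with a simple random-scanning epidemic model. This is an added example, not code from the study: it assumes a single initially infected host, uniform random scanning of the IPv4 space, a hard ceiling on aggregate scans at the article's 55 million per second, and the same 75,000-host population for the Code Red rate so that only the doubling time differs.

```python
import math

ADDRESS_SPACE = 2 ** 32   # IPv4 addresses a random scanner picks from
VULNERABLE = 75_000       # estimated machines hit (article figure)
PEAK_SCANS = 55e6         # aggregate scans/second at full rate (article figure)


def per_host_scan_rate(doubling_s, vulnerable=VULNERABLE):
    """Scans/second per infected host implied by an early doubling time."""
    growth = math.log(2) / doubling_s             # early exponential rate r
    return growth * ADDRESS_SPACE / vulnerable    # from r = s * V / 2^32


def simulate(doubling_s, cap=None, dt=0.1, horizon_s=48 * 3600):
    """Euler-integrate dI/dt = scans(t) * (V - I) / 2^32 from one infected host.

    cap is an assumed hard ceiling on aggregate scans/second (saturated links).
    Returns {fraction: seconds} for reaching 50% and 90% of VULNERABLE.
    """
    rate = per_host_scan_rate(doubling_s)
    infected, t, reached = 1.0, 0.0, {}
    while t < horizon_s and len(reached) < 2:
        scans = infected * rate
        if cap is not None:
            scans = min(scans, cap)
        infected += scans * (VULNERABLE - infected) / ADDRESS_SPACE * dt
        t += dt
        for frac in (0.5, 0.9):
            if frac not in reached and infected >= frac * VULNERABLE:
                reached[frac] = t
    return reached


if __name__ == "__main__":
    print(f"implied per-host rate: {per_host_scan_rate(8.5):,.0f} scans/s")
    for label, doubling, cap, dt in [
        ("8.5 s doubling, no cap", 8.5, None, 0.1),
        ("8.5 s doubling, 55M scans/s cap", 8.5, PEAK_SCANS, 0.1),
        ("37 min doubling (Code Red rate)", 37 * 60, None, 1.0),
    ]:
        times = simulate(doubling, cap=cap, dt=dt)
        print(f"{label}: 50% at {times[0.5]:.0f} s, 90% at {times[0.9]:.0f} s")
```

Under these assumptions the capped run still reaches 90% of hosts in under ten minutes, while the 37-minute doubling time needs more than ten hours for the same population.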
The report also identified a potential new threat from Slammer-type worms. In the past, worms were generally written to target software for which there was a large installed base of users. But given the speed with which Slammer-like worms can spread, less popular software now also presents a viable breeding ground for worms.
Full details of the study can be found online at www.caida.org/analysis/security/sapphire