No new reports of problems as Slammer slows

More than 48 hours since it first appeared, the spread of the Slammer worm seems to be slowing down. There have been no repeats...

More than 48 hours since it first appeared, the spread of the Slammer worm seems to be slowing down. There have been no repeats of the major disruption experienced at the weekend as the worm targeted servers running Microsoft SQL Server database software.

Internet Security Systems director Chris Rouland said, "[On Saturday] in our operations centres we were seeing between 200,000 and 300,000 attacks per hour. [On Sunday] we were seeing between 9,000 and 10,000 per hour, which is around what we see for the Nimda virus on an average day."

Anti-virus companies first spotted Slammer - otherwise known as Sapphire - at around 5:30am GMT on Saturday. It attacks a vulnerability in Microsoft's SQL Server 2000 database and MSDE 2000 (Microsoft SQL Server 2000 Data Engine) software.

The worm, which does not attack the average home computer or appear to harm database contents, forces server databases to generate a large amount of network traffic that slows down legitimate traffic in much the same way as a denial of service (DOS) attack

Slammer hit hardest in South Korea, where most internet users could not access the net from around 2:30pm local time to the end of Saturday, and the worm topped television news bulletins.

"As of 2pm [Monday], we have not seen any more problems," said Kim Dong Hyuk, a public affairs officer at South Korea's Ministry of Information and Communication.

"From Saturday until now, we have been operating an emergency task force to handle the problem. We are monitoring all internet service provider traffic and we increased the number of [domestic] DNS [domain name system] servers from 10 to 20."

The worm also hit internet traffic in other countries. In the US, the Atlanta Journal-Constitution said printing of Sunday's first edition was delayed after the attack hit its computer network. Bank of America's automated teller machine network was hit and Continental Airlines suffered problems.

Security experts said the worm's spread was slowed as major internet service providers (ISPs) moved to block the port used for the attacks. The application of software patches to systems that were affected also helped to reduce the severity of problems, although many systems remain vulnerable.

"I was surprised by the amount of UDP [User Datagram Protocol] traffic that got into some companies," ISS's Rouland said. Once the Slammer worm has penetrated an organisation's perimeter defences, spreading from host to host within the corporate network is comparatively easy, he added.

As companies round the globe completed the clean-up, many were re-evaluating their network defences.

Some of the blame lies with users - Microsoft first published details of the vulnerability in July and has had a patch available since then. The third service pack for the software, released only last week, also plugs the hole.

Despite making a patch available, Microsoft will come in for criticism for both the number of security problems with its software and the number of patches that it releases.

The number of patches released by software companies can make them difficult to keep track of and also numb users to repeated security alerts, but there is also plain bad practice within IT departments of organisations. For example, the Code Red worm that caused chaos in August 2001 is still hitting computers today because unpatched systems remain.

The weekend attack came less than a day after South Korea's Ministry of Information and Communication issued an alert over impending denial-of-service attacks and urged users to ensure their systems were up to date with the latest patches.

Microsoft, in a statement on the worm, said, "This is a criminal act and we are working with law enforcement authorities." However, for legal action to be taken the source of the worm will have to be identified and that might be difficult to determine.

"There are no copyright strings in the body of the worm," said Denis Zenkin, spokesman for anti-virus software vendor Kaspersky Labs. "It looks like the author was very conscientious about the size of the worm. It is only 376 bytes long and any copyright strings would make it bigger."

A small worm will travel faster and make it harder to trace.

"We have no concrete information, the virus has no clues whatsoever, but I have a gut feeling that it is from China," said Mikko Hyppönen, anti-virus research manager at F-Secure in Helsinki. "It could be the same guy who wrote the Lion worm for Linux."

Hyppönen added that the Chinese creator of the Lion worm had discussed the theory of the Slammer worm in online message boards.

"With a normal worm we would be able to trace it back by looking at the time stamps in logs. In this case we cannot trace it back because many systems were infected within one minute."

Authorities in Hong Kong spent part of Monday looking into a possible link with China but have found no evidence of the worm's origins.

Kaspersky said it has evidence the worm surfaced as early as a week ago in the Netherlands. While looking back through old log files Monday, the company found instances of copies of the worm being received from two servers in the Netherlands. However, Kaspersky does not know who created the worm. The servers the worm was launched from were probably hacked, said Zenkin.

Hyppönen agreed that finding the first machine to be infected is not necessarily the smoking gun people are looking for. "If we could trace it back, the virus writer would be stupid to launch it from his home computer. Most likely it was sent from some hacked server anyway."

IT departments wrestle with Slammer worm >>

Slammer: To patch or not to patch? >>

Thank heavens for good virus writers >>

Read more on IT strategy