Slammer worm slows, no new reports of problems

More than 48 hours since it first appeared, the spread of a new worm that targets servers running the Microsoft SQL Server database software had slowed and there had been no repeats of the major disruption caused to the Internet on Saturday.

“(Saturday) in our operations centres we were seeing between 200,000 and 300,000 attacks per hour. (Sunday) we’re seeing between 9,000 and 10,000 per hour, which is around what we see for the NIMDA virus on an average day,” said Chris Rouland, director of Internet Security Systems Inc.’s X-Force.

The worm, dubbed ‘Slammer’ or ‘Sapphire’ by antivirus companies, first appeared at around 5:30 a.m. GMT (12:30 a.m. EST) on Saturday and attacks a vulnerability in Microsoft Corp.’s SQL Server 2000 database and MSDE 2000 (Microsoft SQL Server 2000 Data Engine) software. The worm, which does not attack the average home computer or appear to harm database contents, results in a large amount of network traffic that slows down legitimate traffic in a similar manner to a denial of service (DoS) attack.

The result of the worm was felt perhaps most in South Korea, where most of the nation’s Internet users could not access the Internet from around 2:30 p.m. local time to the end of Saturday, and where news of the problems topped the evening television news.

The worm also hit Internet traffic in other nations and affected other areas of everyday life. The Atlanta Journal-Constitution said printing of Sunday’s first edition was delayed after the attack hit its computer network and reports also said the Bank of America automated teller machine network and Continental Airlines suffered problems.

The worm’s spread was slowed as major Internet service providers (ISPs) moved to block the port used for the attacks, according to security experts. The application of software patches to affected systems also helped to reduce the severity of problems caused by the worm, although many systems remain vulnerable.

“I think business will be impacted…I was surprised by the amount of UDP (User Datagram Protocol) traffic that got into some companies,” Rouland said. Once the Slammer worm has penetrated an organization’s perimeter defences, spreading from host to host within the corporate network is comparatively easy, he said.

“We like to think of most corporations as hard candies with a soft chewy centre,” Rouland said.

Small- and medium-sized businesses that do not monitor their networks around the clock are more likely to feel the effects of Slammer on Monday, especially if IT staff did not address the problem over the weekend, Rouland said.

Before the clean up is complete, companies around the globe will likely be re-evaluating their network defences in light of the success of the Slammer worm. Some of the blame surely lies with users; Microsoft first published details of the vulnerability in July last year and has had a patch available since then. The third service pack for the software, released last week, also plugs the hole.

Despite the availability of a patch, Microsoft will also inevitably come in for some criticism, most likely for the number of security problems with its software and the amount of patches that it releases.

“Microsoft software has a lot of vulnerabilities,” said Kang Jun, an incident handling manager at the Korea Information Security Agency (KISA) in Seoul. “Many people didn’t apply the patches produced by vendors. It can be very confusing.”

The high number of patches released by software companies can make them difficult to keep track of and also make users numb to the security alerts so the message never gets through. For example, the Code Red worm that caused chaos in August 2001 is still hitting computers today because unpatched systems remain.