
Slammer worm slows, no new reports of problems

By Martyn Williams, Paul Roberts and Joris Evers, IDG News Service
January 27, 2003 09:49 AM ET

More than 48 hours since it first appeared, the spread of a new worm that targets servers running the Microsoft SQL Server database software had slowed and there had been no repeats of the major disruption caused to the Internet on Saturday.

"(Saturday) in our operations centers we were seeing between 200,000 and 300,000 attacks per hour. (Sunday) we're seeing between 9,000 and 10,000 per hour, which is around what we see for the NIMDA virus on an average day," said Chris Rouland, director of Internet Security Systems' X-Force.

The worm, dubbed 'Slammer' or 'Sapphire' by antivirus companies, first appeared at around 5:30 a.m. GMT (12:30 a.m. EST) on Saturday and attacks a vulnerability in Microsoft's SQL Server 2000 database and MSDE 2000 (Microsoft SQL Server 2000 Data Engine) software. The worm, which does not attack the average home computer or appear to harm database contents, results in a large amount of network traffic that slows down legitimate traffic in a similar manner to a denial-of-service attack.

The result of the worm was felt perhaps most in South Korea, where most of the nation's Internet users could not access the Internet from around 2:30 p.m. local time to the end of Saturday, and where news of the problems topped the evening television news.

"As of 2 p.m. (Monday), we have not seen any more problems," said Kim Dong Hyuk, a public affairs officer at South Korea's Ministry of Information and Communication. "From Saturday until now, we have been operating an emergency task force to handle the problem. We are monitoring all Internet service provider traffic and we increased the number of (domestic) DNS servers from 10 to 20."

The worm also hit Internet traffic in other nations and affected other areas of everyday life. The Atlanta Journal-Constitution said printing of Sunday's first edition was delayed after the attack hit its computer network, and reports also said the Bank of America automated teller machine network and Continental Airlines suffered problems.

The worm's spread was slowed as major ISPs moved to block the port used for the attacks, according to security experts. The application of software patches to affected systems also helped to reduce the severity of problems caused by the worm, although many systems remain vulnerable.

"I think business will be impacted tomorrow. I was surprised by the amount of [User Datagram Protocol] traffic that got into some companies," Rouland said. Once the Slammer worm has penetrated an organization's perimeter defenses, spreading from host to host within the corporate network is comparatively easy, he said.

"We like to think of most corporations as hard candies with a soft chewy center," Rouland said.

Small and midsize businesses that do not monitor their networks around the clock are more likely to feel the effects of Slammer on Monday, especially if IT staff did not address the problem over the weekend, Rouland said.

Before the cleanup is complete, companies around the globe will likely be reevaluating their network defenses in light of the success of the Slammer worm. Some of the blame surely lies with users: Microsoft first published details of the vulnerability in July last year and has had a patch available since then. The third service pack for the software, released last week, also plugs the hole.
