A new worm that has slowed or halted Internet traffic worldwide by attacking a known vulnerability in Microsoft SQL 2000 Web servers could prove as tricky a nemesis as security foes Code Red and Nimda, according to firms tracking the outbreak.
Half a dozen security outlets have issued bulletins describing worm W32/SQL Slammer, dubbed Slammer. Using a buffer overflow to take over a server, the worm sends out a flood of packets, an effect similar to a denial-of-service attack.
Network Associates' Anti-Virus Emergency Response Team (AVERT) estimated that 150,000 to 200,000 servers worldwide had already been infected.
When the attack began, packet loss across the Internet approached 20 per cent, monitoring firm Matrix NetSystems said. Packet loss rates are usually less than 1 per cent.
One of the countries worst affected was South Korea, where most of the nation's fixed-line and mobile Internet users were unable to access Web sites for nearly half of the day.
Ten hours after the attack began, traffic flow was picking up, with packet loss down to about 5 per cent, according to Matrix NetSystems' readings.
Recovering from the worm is easy: installing Microsoft's recently released SQL Server 2000 Service Pack 3 solves the problem. Some security firms also recommended that system administrators consider blocking traffic on port 1434 from unknown machines.
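The port-blocking advice above is a prevention step; the companion detection step is to watch for hosts that suddenly spray packets at port 1434 across many destinations, which is what a self-replicating worm of this kind looks like from a firewall or flow log. The following is an added example, not code from the article or from any of the firms it quotes. It assumes a simple constructed log format of `<epoch> <proto> <src>:<sport> -> <dst>:<dport>` (the sample lines are invented, not a real capture) and a hypothetical threshold of more than five distinct destinations on port 1434 within one second; both the format and the threshold would be tuned to a real environment.

```python
"""Flag hosts spraying packets at port 1434 in a firewall/flow log.

Added example, not from the article. Log format and thresholds are
assumptions; the sample log below is constructed, not a real capture.
"""
import re
from collections import defaultdict

SLAMMER_PORT = 1434  # the port the article says firms recommended blocking

# Assumed line shape: "<epoch> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(r"^(\d+) (\w+) (\S+):(\d+) -> (\S+):(\d+)$")

# Constructed sample log. 10.0.0.5 hits eight distinct hosts on port 1434
# within about a second (worm-like); 10.0.0.9 makes two lookups 30 seconds
# apart (normal-looking); the final line is unrelated web traffic.
SAMPLE_LOG = """\
1043452800 UDP 10.0.0.5:1053 -> 192.0.2.10:1434
1043452800 UDP 10.0.0.5:1053 -> 192.0.2.11:1434
1043452800 UDP 10.0.0.5:1053 -> 198.51.100.7:1434
1043452800 UDP 10.0.0.5:1053 -> 198.51.100.8:1434
1043452800 UDP 10.0.0.5:1053 -> 203.0.113.2:1434
1043452801 UDP 10.0.0.5:1053 -> 203.0.113.3:1434
1043452801 UDP 10.0.0.5:1053 -> 203.0.113.4:1434
1043452801 UDP 10.0.0.5:1053 -> 203.0.113.5:1434
1043452800 UDP 10.0.0.9:1042 -> 10.0.0.20:1434
1043452830 UDP 10.0.0.9:1043 -> 10.0.0.21:1434
1043452801 TCP 10.0.0.9:1044 -> 192.0.2.10:80
"""


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proto, src, sport, dst, dport = m.groups()
    return {
        "ts": int(ts),
        "proto": proto,
        "src": src,
        "sport": int(sport),
        "dst": dst,
        "dport": int(dport),
    }


def find_scanners(lines, port=SLAMMER_PORT, window=1, threshold=5):
    """Return {src_ip: max_distinct_destinations} for sources that contacted
    more than `threshold` distinct hosts on `port` within any `window`-second
    span. Unparseable lines and other ports are ignored."""
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in lines:
        rec = parse(line)
        if rec and rec["dport"] == port:
            events[rec["src"]].append((rec["ts"], rec["dst"]))

    hits = {}
    for src, evs in events.items():
        evs.sort()
        best = 0
        j = 0  # left edge of the sliding time window
        for i in range(len(evs)):
            while evs[i][0] - evs[j][0] > window:
                j += 1
            distinct = {dst for _, dst in evs[j:i + 1]}
            best = max(best, len(distinct))
        if best > threshold:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, count in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"possible worm activity: {src} reached {count} hosts on "
              f"port {SLAMMER_PORT} within 1s")
```

Counting distinct destinations per source, rather than raw packet counts, is what separates a replicating worm from a busy but legitimate client that talks repeatedly to one database server; in practice the alert would feed the same port-1434 block the article mentions, applied to the flagged internal host until it is patched.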
Firms disagreed, though, on the severity of the threat posed by Slammer. Trend Micro labelled the worm "destructive" and "high risk," while Symantec assessed its damage potential as "low." Network Associates and eEye Digital Security, one of the first to spot and dissect the worm, both issued high-risk alerts on the worm.
While the worm may be easy to defend against, a vast number of systems remain unprotected.
"[Slammer] doesn't destroy, remove, hack or extract any data," Matrix NetSystems' vice-president of marketing and business development, Tom Ohlsson, said. "But it's a very, very aggressive worm about self-replication."
Slammer's speed in spreading itself recalls another worm that rampaged through the Net: Code Red, a scourge that appeared in mid-2001 and infected hundreds of thousands of servers.
Despite the availability of a patch, Code Red caused $US2 billion in damage, according to one research firm's estimates. New infections continued spreading more than a year after the worm's discovery as some vulnerable systems remained unprotected.
Slammer was "similar in terms of speed, but nowhere near as destructive" as Code Red, Ohlsson said.
The Microsoft Security Bulletin concerning this vulnerability can be found online at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp. A CERT advisory concerning the vulnerability is at http://www.cert.org/advisories/CA-2003-04.html.