A highly contagious computer worm infected over a quarter of a million computers over the weekend, choking many internet and telecommunications networks as it spread.
The worm, known as 鈥淪QL Slammer鈥, is thought to have surfaced in Asia on Saturday morning. By Sunday, an estimated 250,000 computers had been infected worldwide, according to the US anti-virus company McAfee.
Slammer installs itself on computers running a faulty version of a Microsoft database package called SQL Server 2000. Most desktop computers remained untouched, as the package is used primarily by system administrators.
Advertisement
In an effort locate other hosts to infect, the worm bombards computers chosen at random with small packets of information. The volume of messages originating from the worm increased exponentially as the worm spread from Saturday.
Some experts warned that the worm could start spreading more aggressively on Monday, as more computers were switched on and connected to the internet.
Bandwidth choker
Graham Cluley, chief researcher at UK anti-virus company Sophos, says the initial rapid spread of the worm may have been due to machines being unattended over the weekend. 鈥淢ost system administrators weren鈥檛 around to patch their systems over, which gave Slammer time to breathe,鈥 he told 麻豆传媒.
South Korean authorities initially suspected a coordinated attack on the country鈥檚 national telecommunications infrastructure, before Slammer was identified as the culprit. On Sunday, the country鈥檚 Information and Communication Minister, Lee Sang-Chul, said the worm had caused a 鈥渢otal internet breakdown鈥.
In the US, the worm disrupted the Bank of America鈥檚 computer systems rendering most of its 13,000 ATM cash point machines unusable.
Phil Huggins, managing security architect at the security firm @Stake in the UK, says the worm was able to rapidly churn out huge amounts of traffic because it used a less common communication protocol called UDP. This does not require it to wait for a return 鈥渉andshake鈥 from a targeted machine.
Escalation exploit
An alert issued by the US government鈥檚 Computer Emergency Response Team (CERT) on Sunday warned that the worm could be used to gain control of a machine, although there is no evidence of this happening: 鈥淚t may be possible for an attacker to subsequently leverage a local privilege escalation exploit in order to gain Administrator access to the victim system.鈥
A software patch to fix the problem with SQL Server 2000 was released by Microsoft鈥檚 in July 2002. Some security experts have suggested that installing the patch is complex and may have contributed to the number of unprotected machines. But Cluley says its up to administrators to rethink their policy on applying patches: 鈥淒on鈥檛 wait six months for a worm to arrive.鈥
The worm infects any machine running an un-patched version of Microsoft鈥檚 SQL Server 2000, as well as applications created using add-on software called Microsoft鈥檚 SQL Server 2000 Desktop Engine.
Microsoft launched an initiative to improve the security of its software in January 2002. Slammer is the most widespread worm to hit the internet since Code Red, which stuck in July 2001.