Internet backbones worldwide were flooded with traffic early Saturday morning by a worm of Code-Red proportions, causing denial-of-service conditions in many locations.
The Slammer worm [W32/SQLSlam-A], also known as Sapphire, New SQL, Worm.SQL, and Helkern, exploits a 6-month-old vulnerability in Microsoft SQL Server. It spreads without the assistance of an e-mail attachment, the vehicle of choice for most worms, security experts said. Instead, it uses Internet port 1434 (the SQL monitor port) to spread to other vulnerable systems. It has either slowed or choked off large national Internet service providers worldwide. End users will notice slower Web browsing and e-mail delivery, but no other damage to systems.
Slammer takes advantage of SQL Servers still vulnerable to the SQL Server Resolution Service buffer overflow flaw, Internet Security Systems said in an alert issued Saturday. Slammer attacks only Windows 2000 systems and generates massive levels of network traffic as it scans random IP addresses looking for other vulnerable servers.
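The propagation behaviour described above, a single host spraying datagrams at port 1434 toward many random addresses, is also what makes an infected server easy to spot in network logs. The following is an added example written for this page, not code from the article or from any vendor quoted in it: it parses a flow-log format I constructed for illustration, keeps a sliding window of port-1434 traffic per source, and flags sources that reach an unusual number of distinct destinations inside that window. The log format, field names, thresholds and sample addresses are all assumptions of this example.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample flow log (not taken from the article). One record per datagram.
# 10.0.0.5 behaves like an infected SQL Server scanning random hosts on 1434;
# 10.0.0.9 makes a couple of ordinary SQL Browser lookups and one TCP/1433 connection.
SAMPLE_LOG = """\
2003-01-25T05:30:01Z src=10.0.0.5 dst=192.0.2.10 proto=udp dport=1434 bytes=376
2003-01-25T05:30:01Z src=10.0.0.5 dst=192.0.2.11 proto=udp dport=1434 bytes=376
2003-01-25T05:30:01Z src=10.0.0.5 dst=198.51.100.7 proto=udp dport=1434 bytes=376
2003-01-25T05:30:02Z src=10.0.0.5 dst=198.51.100.8 proto=udp dport=1434 bytes=376
2003-01-25T05:30:02Z src=10.0.0.5 dst=203.0.113.2 proto=udp dport=1434 bytes=376
2003-01-25T05:30:02Z src=10.0.0.5 dst=203.0.113.3 proto=udp dport=1434 bytes=376
2003-01-25T05:30:02Z src=10.0.0.5 dst=192.0.2.77 proto=udp dport=1434 bytes=376
2003-01-25T05:30:03Z src=10.0.0.5 dst=198.51.100.200 proto=udp dport=1434 bytes=376
2003-01-25T05:30:03Z src=10.0.0.5 dst=203.0.113.99 proto=udp dport=1434 bytes=376
2003-01-25T05:30:03Z src=10.0.0.5 dst=192.0.2.150 proto=udp dport=1434 bytes=376
2003-01-25T05:30:03Z src=10.0.0.5 dst=198.51.100.33 proto=udp dport=1434 bytes=376
2003-01-25T05:30:03Z src=10.0.0.5 dst=203.0.113.120 proto=udp dport=1434 bytes=376
2003-01-25T05:30:05Z src=10.0.0.9 dst=192.0.2.50 proto=udp dport=1434 bytes=70
2003-01-25T05:30:06Z src=10.0.0.9 dst=192.0.2.50 proto=udp dport=1434 bytes=70
2003-01-25T05:30:07Z src=10.0.0.9 dst=192.0.2.50 proto=tcp dport=1433 bytes=120
2003-01-25T05:31:30Z src=10.0.0.5 dst=192.0.2.10 proto=udp dport=1434 bytes=376
"""

# Assumed log line layout: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse the constructed flow-log format into a list of dict records.

    Lines that do not match the expected layout are skipped rather than
    aborting the run, so a partially corrupted log can still be analysed.
    """
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        records.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": d["src"],
            "dst": d["dst"],
            "proto": d["proto"].lower(),
            "dport": int(d["dport"]),
            "bytes": int(d["bytes"]),
        })
    return records


def find_port1434_scanners(records, min_distinct_dsts=10, window_seconds=60):
    """Return {source: peak_distinct_destinations} for sources whose UDP/1434
    traffic reached at least `min_distinct_dsts` different hosts within any
    `window_seconds` sliding window.

    The article describes Slammer scanning random addresses on port 1434; the
    fan-out of distinct destinations per source is the signal used here. The
    datagram size (376 bytes in the article) is deliberately not a condition,
    so a size change in a variant would not evade the check.
    """
    per_src = defaultdict(list)
    for r in records:
        if r["proto"] == "udp" and r["dport"] == 1434:
            per_src[r["src"]].append((r["ts"], r["dst"]))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        window = deque()          # events inside the current time window
        dst_counts = Counter()    # distinct destinations currently in window
        peak = 0
        for ts, dst in events:
            window.append((ts, dst))
            dst_counts[dst] += 1
            # Evict events that have fallen out of the window.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                _, old_dst = window.popleft()
                dst_counts[old_dst] -= 1
                if dst_counts[old_dst] == 0:
                    del dst_counts[old_dst]
            peak = max(peak, len(dst_counts))
        if peak >= min_distinct_dsts:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, fanout in find_port1434_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {fanout} distinct UDP/1434 destinations within 60s")
```

The threshold and window are tuning knobs: a legitimate client resolving named instances via the SQL monitor port talks to a handful of servers, whereas the scanning behaviour the article describes reaches thousands of addresses per minute, so even a conservative threshold separates the two. Pair the alert with the action the article's ISPs took, blocking the port at the border until the affected servers are patched.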
Reports indicated that anywhere from two to five of the Internet's 13 root Domain Name System (DNS) servers were overloaded with traffic and shut down. ISS X-Force team leader Dan Ingevaldson said the root servers were not attacked directly but were casualties of the traffic spikes created worldwide. The root DNS servers, maintained in several locations, convert domain names into IP addresses. The servers were directly attacked late last October with little impact on the boxes.
Security experts urge enterprises to keep their systems up to date to avoid being infected by Slammer. Microsoft has had a patch for the flaw since July 24, 2002. SQL Servers with Microsoft SQL Server Service Pack 3 already applied are not impacted by Slammer.
"Another worm once again attacking unpatched systems," said Graham Cluley, senior technology consultant at U.K.-based enterprise antivirus vendor Sophos. "And the worst part is that a patch has been available from Microsoft for close to half a year. A lot of servers are still not protected against it. It was the same story with Code Red, where a patch was available and many were not taking advantage of it."
Sophos said in an alert Saturday that Slammer does not infect any files, only memory, meaning an infected server can be cleaned simply by rebooting. However, Cluley said the Microsoft patch must be applied to avoid reinfection. Cluley suggests system administrators take this time to examine what other patches their vulnerable servers may need.
Internet service providers worldwide reported significant slowdowns throughout the day Saturday as Slammer overwhelmed backbones for hours before administrators were able to block the malicious traffic. Initial reports from the east said large ISPs there were overrun with traffic, causing DoS conditions in several locations including South Korea and Slovenia, according to Mikko Hypponen, manager of antivirus research for F-Secure of Finland.
Hypponen added that he believes the author is the same person who wrote last year's Linux worm, Lion. He added that Slammer is a small program, 376 bytes, about three lines of text long.
"This is one of the smallest native, network worms ever, if not the smallest," Hypponen said. "It's simple and aggressive."
Hypponen said the code is not very sophisticated and could eventually choke itself off.
Cluley added that releasing the worm over the weekend, when many administrators are not on call, was a smart strategy on the author's part.
"It's like a fire in some ways. This gives it some oxygen," Cluley said. "Where this infects only memory, it is easy to disinfect computers. It's important these SQL servers get patched in order to avoid reinfection. The reversal process is simple, and hopefully we won't see variants of this worm for just this reason."