Slammer Worm – Worst Virus in Over a Year

January, 2003

On Saturday, Jan 25th, a new computer worm rocketed around the world, disrupting hundreds of thousands of systems and slowing Internet traffic to a crawl. The latest virus, called the Slammer or Sapphire worm, transmitted thousands of packets (large bundled amounts of information) from infected systems, taking advantage of a known software flaw in Microsoft SQL Server.

On Monday, Jan 27th, Bank of America announced that many customers were unable to withdraw money from its 13,000 ATMs because of technical problems caused by the Slammer worm. Service was fully restored within 48 hours. The nation’s largest residential mortgage firm, Countrywide Financial Corp., stated that customers were unable to make payments or check loan information through Tuesday morning. American Express also reported that customers experienced outages.

The worm sought out vulnerable computers running Microsoft’s SQL Server 2000 software. Like the earlier Code Red worm, which spread in July 2001, Slammer is a memory-resident worm and does not write to disk storage. As with Code Red, computers can be protected from the worm by installing a patch provided by Microsoft. Microsoft detected the flaw in July 2002 and soon afterward began offering a free patch to protect systems running SQL Server.

In an ironic twist, the New York Times reported that Microsoft admitted that some of the company’s machines had gone unpatched and that its MSN Internet service also had significant slowdowns due to the Slammer worm.

The FBI and security experts believe the worm originated in China, as many Asian countries were the earliest to report problems and experienced the most severe outages. The attacking software scanned for victim computers so randomly and aggressively that it quickly congested many of the Internet’s largest data pipelines, slowing email and web surfing around the globe.

As of Jan 30th, security experts report that the congestion from the Internet attack had almost completely cleared. Now the job of investigating its source is in full swing. However, the attack spread so quickly and used such small packets that it may be impossible for researchers to isolate the actual point of origin.

Even though Slammer was not designed to infect data or to damage system software or applications resident on desktops and servers, it did represent a severe denial-of-service attack that cost millions of dollars to companies heavily dependent on Internet traffic. It also underscored the fact that most companies are still extremely vulnerable to malicious or terrorist attacks via the Internet.

Computer Economics estimates that the damages caused by the Slammer worm worldwide will exceed $750 million.
