The worst is over from Saturday's crisis, but problems will keep resurfacing on a smaller scale

January 27, 2003

Slammer Worm Contained for Now

Most of the online world got back to normal fairly quickly after Saturday morning's worm attack (see 'The Internet Has Broken'), but news services Monday were still abuzz over what caused the incident and what companies could do to prevent a resurgence.

The problem appears to be contained, but experts say this worm, like the Code Red and Nimda worms before it, is likely to linger around the Net indefinitely.

The first effects of SQL Slammer -- also called "W32.Slammer" and "Sapphire" -- appear to have hit around 12:30 a.m. U.S. Eastern time. Internet Security Systems Inc. (Nasdaq: ISSX), which claims to have discovered the worm first and named it "SQL Slammer," claims that 80 percent of all Net traffic was slowed or blocked in the wee hours of Saturday morning.

The worm spread between machines running Microsoft Corp.'s (Nasdaq: MSFT) SQL Server 2000, including the stripped-down MSDE 2000 engine that ships embedded in other products, entering through User Datagram Protocol (UDP) port 1434. That port belongs to the SQL Server Resolution Service (often called the SQL monitor port), which lets clients discover which instances are running on a host. Each infected host then fired copies of itself, one UDP packet apiece, at randomly generated IP addresses. Because UDP needs no handshake, a single host could spew packets as fast as its network link allowed, which is why the traffic surge was so abrupt.

The worm carries no other payload and resides entirely in the SQL Server process's memory, so a reboot clears it. An unpatched host that comes back up with port 1434 reachable is reinfected within minutes, though, so purging and patching have to go together. Of course, the catch lies in getting the medicine to everyone infected.

The buffer-overrun weakness that made SQL Slammer possible was disclosed to Microsoft as early as May 2002 by Next Generation Security Software Ltd. Microsoft offered a patch in July (bulletin MS02-039), although applying it was reportedly quite difficult. The hole can more easily be fixed by applying SQL Server 2000 Service Pack 3, which Microsoft posted Jan. 17.

But even with a fix available, it's going to take time for some companies to get patched up. "Large enterprises have thousands of possibly affected machines," an ISS engineer said during a public Web seminar earlier today.

ISS notes that many ISPs and enterprises are protected right now only because they shut off port 1434, and SQL Slammer could resurface here and there as companies are forced to reactivate that port.

That's been the experience at Sonic.net, a boutique service provider in Santa Rosa, Calif. Late Saturday morning, Sonic scrambled to close port 1434 on customers' colocated servers as they were being reactivated, because the customers hadn't patched to stop the worm. SQL mini-slams like that happened all day long, never for more than a few minutes, according to online updates from Sonic's operations team.

More generally, ISS representatives note that worms and viruses flit around the Net indefinitely, as there's always someone out there who's susceptible to infection. SQL Slammer doesn't appear to be particularly dangerous, but chances are it's going to be annoying system administrators for years to come.

Speculation among readers of Slashdot was that the worm's modus operandi helped service providers contain it rather quickly by simply shutting down port 1434. The worm can also be spotted by its telltale 376-byte payload. (If you're hardcore, here's an online dissection of what's believed to be the SQL Slammer. A simpler explanation from McAfee is available here.)
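As an added illustration of the spotting logic described above, the following Python classifier is not code from Light Reading, ISS, McAfee or the Slashdot dissection. It flags a UDP datagram as Slammer-like only when four things hold at once: destination port 1434, exactly 376 bytes of payload, a leading 0x04 byte (the SQL Server Resolution Service request type the worm abused), and the code fragments that the widely circulated Snort signature for Slammer propagation matches on. Those fragment byte strings are assumed from that Snort rule; the sample packets and the worm-like payload are constructed inline so the script runs offline and are not the worm's real bytes.

```python
"""Added example: pick Slammer-like UDP/1434 datagrams out of captured packets.

Not code from the article or any vendor it cites. Sample traffic is constructed
below; the worm-like payload only mimics the signature, it is not the real worm.
"""
import socket
import struct
from collections import Counter

SSRS_PORT = 1434               # UDP port of the SQL Server Resolution Service
SLAMMER_PAYLOAD_LEN = 376      # UDP payload size reported for the worm
# Assumed from the widely circulated Snort rule for Slammer propagation:
# fragments of the worm's code that follow the 0x04 request byte.
SLAMMER_MARKERS = (b"\x81\xf1\x03\x01\x04\x9b\x81\xf1\x01", b"sock", b"send")


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a minimal IPv4+UDP datagram as classifier input (checksums left
    zero; this is constructed sample data, not something to put on the wire)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


def parse_ipv4_udp(pkt: bytes):
    """Return (src_ip, dst_ip, sport, dport, payload), or None if not IPv4/UDP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17 or len(pkt) < ihl + 8:
        return None
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    sport, dport, udp_len, _csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    payload = pkt[ihl + 8:ihl + udp_len]
    return src, dst, sport, dport, payload


def is_slammer_like(dport: int, payload: bytes) -> bool:
    """All four conditions must hold, so a legitimate one-byte SSRS ping
    (0x02) or any other short 1434 request is not flagged."""
    return (dport == SSRS_PORT
            and len(payload) == SLAMMER_PAYLOAD_LEN
            and payload[:1] == b"\x04"
            and all(m in payload for m in SLAMMER_MARKERS))


def scan(packets):
    """Count Slammer-like datagrams per source address. Hosts in the result
    are the ones to cut off from UDP/1434 and patch before reconnecting."""
    hits = Counter()
    for pkt in packets:
        parsed = parse_ipv4_udp(pkt)
        if parsed is None:
            continue
        src, _dst, _sport, dport, payload = parsed
        if is_slammer_like(dport, payload):
            hits[src] += 1
    return dict(hits)


# --- constructed sample traffic (not a real capture, not the worm's real bytes)
def fake_worm_payload() -> bytes:
    """0x04, an overflow-style run of 0x01, the marker fragments, NOP-like fill
    to exactly 376 bytes. Mimics the signature only."""
    body = (b"\x04" + b"\x01" * 97 + SLAMMER_MARKERS[0]
            + b"\x90" * 40 + b"sock" + b"send")
    return body + b"\x90" * (SLAMMER_PAYLOAD_LEN - len(body))


SAMPLE_PACKETS = [
    # infected host spraying random destinations from one ephemeral port
    build_ipv4_udp("10.0.0.5", "203.0.113.9", 1050, 1434, fake_worm_payload()),
    build_ipv4_udp("10.0.0.5", "198.51.100.77", 1050, 1434, fake_worm_payload()),
    # legitimate one-byte SSRS "ping" from a client enumerating instances
    build_ipv4_udp("10.0.0.8", "10.0.0.20", 3456, 1434, b"\x02"),
    # unrelated DNS query
    build_ipv4_udp("10.0.0.8", "10.0.0.1", 40000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8),
]

if __name__ == "__main__":
    print(scan(SAMPLE_PACKETS))   # {'10.0.0.5': 2}
```

Requiring the exact length and the leading byte together with the code fragments is what keeps ordinary instance-discovery traffic on port 1434 out of the result; a rule on the port alone would flag every SQL client on the network. Feed the same logic a real capture (for instance, datagrams pulled out of a pcap) and the hosts it names are the ones to keep isolated until Service Pack 3 is on them.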

It appears most ISPs in the United States were restored to just about normal by breakfast time Saturday; certainly, things had freed up enough for Light Reading to post its first SQL-worm story by 5:00 a.m. Eastern.

The worm hit South Korea particularly hard, generating suspicion that it originated in Asia, and reports Monday said Hong Kong appeared a likely point of origin. It doesn't appear that the worm enjoyed any major resurgence on Monday morning, as some had speculated (see Internet Suffers Another Tremor).

— Craig Matsumoto, Senior Editor, Light Reading
