Aggressive net bug makes history
Date 3-Feb-2003 23:58:55
Topic: Miscellaneous News
The Slammer worm that recently crippled the internet was the fastest spreading computer bug in history, say security experts.
An analysis of the attack has shown that the worm took just 10 minutes to spread across the world.
At its peak on 25 January, the malicious code caused scattered slowdowns in net traffic and effectively shut down the internet in South Korea, the world's most wired country.
The experts said the attack marked a "significant milestone in the evolution of computer worms," warning that these sorts of bugs "should be considered a standard tool in the arsenal of an attacker".
The analysis published by the Cooperative Association for Internet Data Analysis (CAIDA) provides an insight into how fast the Slammer worm, also called Sapphire, spread across the internet.
The malicious code first appeared on the net around 0530 GMT on Saturday 25 January.
The bug targeted a known flaw in Microsoft's SQL database software, affecting servers rather than home computers, and clogged up internet pipelines.
As it began spreading, the infection doubled in size every 8.5 seconds. Within 10 minutes it had infected more than 90% of vulnerable hosts, said the experts.
At its peak, achieved approximately three minutes after it was released, Slammer was carrying out 55 million scans per second across the internet.
Fortunately the bug did not contain a malicious payload - a set of computer commands designed to harm a machine.
Instead, once the worm infected a server, it would send out multiple data requests in a random manner to other internet addresses, looking for more computers to infect.
Slammer infected at least 75,000 hosts, perhaps considerably more, said the experts, and caused network outages and such unforeseen consequences as cancelled airline flights and problems with cash machines.
The worm spread twice as fast as the Code Red virus that affected 300,000 computers in July 2001.
The speed of infection was part of the reason why the bug had such a major impact in such a short time.
This was because Slammer packed a simple, fast scanner for finding vulnerable machines into a small worm with a total size of only 376 bytes.
By using an internet protocol called UDP, it was able to aggressively send these scans without requiring an answer from the potential victim.
"Though very simple, Sapphire represents a significant milestone in the evolution of computer worms," said the report.
"Although it did not contain a destructive payload, Sapphire spread worldwide in roughly 10 minutes causing significant disruption of financial, transportation, and government institutions.
"It clearly demonstrates that fast worms are not just a theoretical threat, but a reality - one that should be considered a standard tool in the arsenal of an attacker," said the experts.
The report was put together by David Moore and Stefan Savage of the University of San Diego Department of Computer Science and Engineering, Vern Paxson of the ICSI Center for Internet Research in California, Colleen Shannon of CAIDA, and Stuart Staniford and Nicholas Weaver of computer security firm Silicon Defense.