SQL worm slams Internet

By Alastair Otter, Journalist, Tectonic
Johannesburg, 27 Jan 2003

Internet servers worldwide were hit this weekend by a new worm, Slammer.

The worm, which takes advantage of a six-month-old vulnerability in the Microsoft SQL server application, ground much of the Internet to a halt for two days and affected local and international servers equally hard.

The worm exploits a buffer overflow flaw in the database server. It brought local Internet service providers (ISPs) to their knees, with many being forced to shut down.

Service provider UUNet is reported to have shut down its Johannesburg and Cape Town servers for 24 hours to avoid the attack. Standard Bank reported that merchants were unable to process transactions for much of Saturday morning.

"While Standard Bank card merchants were unable to obtain electronic authorisation for transactions from about 10.10am to 1pm on Saturday and sporadically throughout the afternoon, emergency measures were put in place to grant manual authorisations during this period," the bank said.

It says it was affected because the SQL worm struck EDS, its processing contractor.

Internationally, ISP UUNet reported experiencing critical latency on its servers as the Slammer worm chewed up bandwidth.

Although the Slammer worm does not damage the computers it infects, it generates damaging levels of network traffic as it scans for new targets. The worm continuously sends 367 bytes of code to port 1434 (the SQL server monitor) until the server shuts down.
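A defender-side check built from that description, added here as an example rather than taken from the article or any vendor: it walks constructed flow records and flags any source that sends the 367-byte datagram to UDP port 1434 at many distinct destinations inside a short window. The flow-record layout, the window length and the target threshold are assumptions.

```python
from collections import Counter, defaultdict

SQL_MONITOR_PORT = 1434    # UDP port named in the article (SQL Server monitor service)
WORM_DATAGRAM_LEN = 367    # datagram size as stated in the article
MIN_DISTINCT_TARGETS = 20  # assumed threshold: distinct destinations inside one window
WINDOW_SECONDS = 10.0      # assumed window length for the scan-rate check


def find_scanning_hosts(flows, min_targets=MIN_DISTINCT_TARGETS, window=WINDOW_SECONDS):
    """Return {src_ip: distinct_targets} for sources that reach >= min_targets
    distinct hosts on UDP/1434 with worm-sized datagrams within any `window` seconds.
    flows: iterable of (timestamp, src_ip, dst_ip, proto, dst_port, payload_len)."""
    per_src = defaultdict(list)
    for ts, src, dst, proto, dport, plen in flows:
        # keep only datagrams matching the worm's fixed size and target port
        if proto == "udp" and dport == SQL_MONITOR_PORT and plen == WORM_DATAGRAM_LEN:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        seen = Counter()  # destination -> hits currently inside the sliding window
        lo = 0
        for ts, dst in events:
            seen[dst] += 1
            while events[lo][0] < ts - window:  # drop events older than the window
                old = events[lo][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                lo += 1
            if len(seen) >= min_targets:
                flagged[src] = len(seen)
                break  # one alert per source is enough
    return flagged


def constructed_flows():
    """Constructed sample (not real traffic): one host sweeping 30 targets in 3 s,
    one host doing a few small legitimate UDP/1434 lookups, one low-volume sender."""
    flows = [(0.1 * i, "10.0.0.5", f"10.0.1.{i}", "udp", 1434, 367) for i in range(1, 31)]
    flows += [(1.0 * i, "10.0.0.9", "10.0.1.50", "udp", 1434, 1) for i in range(5)]
    flows += [(2.0 * i, "10.0.0.7", f"10.0.2.{i}", "udp", 1434, 367) for i in range(3)]
    return flows


if __name__ == "__main__":
    print(find_scanning_hosts(constructed_flows()))  # only 10.0.0.5 is flagged
```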

Zubeir Shah, public relations manager for Symantec Middle East and Africa, says the worm is similar to the Code Red worm in that it is memory-resident and has no specific files associated with it.

"While the SQL worm is a significant threat, Symantec Security Response believes activity will not rise to the level of the Code Red worm since this threat only targets SQL servers."

Shah says the worm appears to have reached its peak at the weekend and is showing signs of tapering off, although it is "still very active".

Security company Y3K says the worm was first detected on the Internet at 5.30am GMT on Saturday. "The worm quickly spread worldwide to generate one of the biggest attacks against the Internet."

According to Y3K, several large Web sites and mail servers became unavailable, including as many as five of the 13 root name servers.

System administrators are advised to apply the relevant patches and restart their servers to prevent further infections and traffic, say security companies.