New Worm Slams The Internet – Hard
F-Secure is warning computer users about a new Internet worm known as Slammer (or Sapphire). The worm generates massive amounts of network packets, overloading Internet servers. This slows down all Internet functions, such as sending e-mail or surfing the net.
The worm was first detected on the Internet on January 25, 2003 at 05:30 GMT. After this, the worm quickly spread worldwide to generate one of the biggest attacks against the Internet ever. According to reports, several large web sites and mail servers became unavailable, including as many as 5 of the 13 root nameservers.
Slammer infects only Windows 2000 servers running Microsoft SQL Server, and is therefore not a threat to end-user machines. However, its effects are still visible to end users because it blocks network traffic.
Slammer is not a mass mailer like many other common worms. It does not send any e-mails, nor does it write itself to the hard drive; it spreads as an in-memory process. This makes it similar to Code Red, an Internet worm that was found in July 2001 and infected more than 300 000 web servers.
The worm uses UDP port 1434 to exploit a buffer overflow in MS SQL Server. To prevent the worm from infecting the server, this port should be closed on the firewall. The worm is extremely small, only 376 bytes in size. It has no functionality other than to spread further, but the spreading process is so aggressive that the worm generates extreme loads.
As the worm does not infect any files, an infected machine can be cleaned simply by rebooting it. However, if the machine is connected to the network without the SP2 or SP3 patches for MS SQL Server applied, it will soon be reinfected.
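To find the machines that need the reboot and patch described above, a defender can look for the traffic pattern this release describes: 376-byte UDP datagrams to port 1434 sent from one host to many different addresses. The following Python code is an added example, not F-Secure's code; the log format, the sample lines, the reading of `len=` as UDP payload size, and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

SLAMMER_PORT = 1434     # UDP port named in this release
SLAMMER_SIZE = 376      # worm size in bytes named in this release
MIN_DISTINCT_DSTS = 3   # assumed threshold; tune for your own network

# Assumed (constructed) firewall log format:
#   <time> <proto> <src>:<sport> -> <dst>:<dport> len=<UDP payload bytes>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) len=(?P<len>\d+)$"
)

# Constructed sample data; addresses are private or documentation ranges.
SAMPLE_LOG = """\
2003-01-25T05:31:02Z UDP 10.0.5.20:1093 -> 198.51.100.7:1434 len=376
2003-01-25T05:31:02Z UDP 10.0.5.20:1093 -> 203.0.113.44:1434 len=376
2003-01-25T05:31:02Z UDP 10.0.5.20:1093 -> 192.0.2.200:1434 len=376
2003-01-25T05:31:03Z UDP 10.0.5.31:1050 -> 10.0.5.20:1434 len=1
2003-01-25T05:31:03Z TCP 10.0.5.31:1051 -> 10.0.5.20:1433 len=120
2003-01-25T05:31:04Z UDP 10.0.7.9:53 -> 192.0.2.53:53 len=376
2003-01-25T05:31:05Z UDP 10.0.8.2:2001 -> 198.51.100.9:1434 len=376
this line is malformed and must be skipped
"""

def find_suspected_hosts(log_text, min_dsts=MIN_DISTINCT_DSTS):
    """Map each source IP to the sorted destinations it hit with
    376-byte UDP/1434 datagrams, keeping sources with >= min_dsts targets."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        if (m["proto"].upper() == "UDP"
                and int(m["dport"]) == SLAMMER_PORT
                and int(m["len"]) == SLAMMER_SIZE):
            targets[m["src"]].add(m["dst"])
    # Fan-out to many addresses separates a spreading host from a
    # single stray datagram that happens to match port and size.
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_dsts}

if __name__ == "__main__":
    for src, dsts in find_suspected_hosts(SAMPLE_LOG).items():
        print(f"{src}: {len(dsts)} distinct UDP/1434 targets, check and patch")
```

Hosts flagged this way are candidates for isolation, reboot and patching; a single matching datagram stays below the threshold and is not reported.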
“We’ve never seen such a small virus spreading so fast in the wild and doing so much damage”, comments Mikko Hypponen, Manager of Anti-Virus Research at F-Secure Corporation.
“The virus is so simple yet so aggressive. In fact the massive network load also slows down the virus itself”, he continues.
Technical description and pictures of Slammer are available at
http://www.f-secure.com/v-descs/mssqlm.shtml
About F-Secure
F-Secure Corporation is the leading provider of centrally managed security solutions for the mobile enterprise. The company’s award-winning products include antivirus, file encryption and network security solutions for major platforms from desktops to servers and from laptops to handhelds. Founded in 1988, F-Secure has been listed on the Helsinki Exchanges since November 1999. The company is headquartered in Helsinki, Finland, with the North American headquarters in San Jose, California, as well as offices in Germany, Sweden, Japan and the United Kingdom and regional offices in the USA. F-Secure is supported by a network of value added resellers and distributors in over 90 countries around the globe. Through licensing and distribution agreements, the company’s security applications are available for the products of the leading handheld equipment manufacturers, such as Nokia and HP.