|
THE OUTBREAK WAS so severe that while it infected only back-end Internet computers, general e-mail use and Web browsing were slowed by its effects. The worst of the attack seems over, experts said, but groggy-eyed Internet workers were spending the day Saturday cleaning up from the effects of the outbreak.
Many compared the outbreak to Code Red, another network-based worm which infected thousands of computers worldwide. Code Red also temporarily stumped Internet traffic.
But even Code Red wasn’t blamed for ATM outages.
Bank of America Corp. said Saturday that customers at a majority of its 13,000 automatic teller machines were unable to process customer transactions after a malicious computer worm nearly froze Internet traffic worldwide.
Bank of America spokeswoman Lisa Gagnon said that many, if not a majority of the No. 3 U.S. bank’s ATMs were back online and that their automated banking network would recover by late Saturday.
“We have been impacted, and for a while customers could not use ATMs and customer services could not access customer information,” Gagnon said.
Gagnon said that the worm, which slows down computer networks by replicating rapidly and spreading to other servers, did not cause any damage to customer information, but slowed down or blocked access to that sensitive information, making transactions difficult.
25,000 MACHINES HIT IN HOURS
The attack began shortly after midnight ET on Saturday. Within a few hours, 25,000 back-end database servers had been infected, said Oliver Friedrichs, senior manager with Symantec Corp.’s security response team. At the height of the outbreak, between 3 and 5 a.m. ET, all those computers were flooding the Internet with traffic, looking for other computers to infect. It was enough traffic to slow down the entire Internet, he said, and certainly enough to completely clog up entire companies.
|
|
|
|
The virus-like attack sought out vulnerable computers on the Internet to infect using a known flaw in popular database software from Microsoft Corp., called ‘SQL Server 2000.’
|
|
“It’s been an all night operation here,” said Matt Pilla, Microsoft Corp. spokesman. Slammer attacks a relatively old flaw in Microsoft’s SQL Server, one found by researchers in July. But many systems were still unpatched when the worm began spreading late Friday night. Adding to Microsoft’s headaches: the clogs in Internet traffic were still limiting access to Microsoft’s Web site on Saturday, preventing some engineers from patching infected systems.
Microsoft on Saturday was still trying to determine the best advice for customers; the company could not confirm that the free patch issued in July was enough to protect systems against Slammer. Instead, the company was recommending a free service pack upgrade instead. Service Packs are far more time consuming to download and install.
Source: Keynote Systems, Inc.
WORST OVER BY MORNING
Still, the worst of the attack was over before most U.S. users awoke Saturday morning, said Mike Bradshaw, spokesman for Symantec Corp. By 4 a.m. ET, traffic generated by the worm had dropped 60 percent, as Internet Service Providers began filtering out traffic generated by the worm.
Also limiting the trouble caused by the worm: it infects only Microsoft SQL Servers, which number far fewer that Microsoft-powered Web servers, which were the target of 2001’s Code Red attacks, when some experts say hundreds of thousands of machines were infected.
“Sometime this morning, it reached saturation point, and there really were no more computer to infect,” Friedrichs said.
Still, Slammer slowed Net traffic even more than Code Red, according to Matrix Systems Inc., which measures Internet outages. The firm’s Web site indicates nearly 20 percent of Internet traffic was lost during the frantic morning attack, compared to about 10 percent during the height of the Code Red attack.
Vincent Gullotto, spokesman for Networks Associates Inc., said impact from the outbreak could have been worse if the worm were released during a business day. And there might be additional problems from the worm on Monday morning, when office employees get back to work.
“There will probably be many, many SQL servers that won’t be cleaned up,” he said.
KOREAN COMPUTERS CUT OFF
Problems caused by Slammer were global; the worm reportedly shut down most Internet services in South Korea. Millions of Internet users were disconnected when computers at Korea Telecom Freetel and SK Telecom failed. Service was restored but remained slow, officials said. In Japan, NHK television reported heavy data traffic swamped some of the country’s Internet connections, and Finnish phone operator TeliaSonera reported some problems.
But Howard Schmidt, President Bush’s No. 2 cyber-security adviser, said impact on U.S. government computers was limited.
“Everybody seems to be getting it under control,” Schmidt said. “They were fighting for bandwidth just like everybody else.
The departments of State, Agriculture, Commerce and some units within the Defense Department appeared hardest hit within the government, according to Matrix NetSystems Inc., a monitoring firm in Austin, Texas.
Schmidt said the FBI’s National Infrastructure Protection Center and private experts at the CERT Coordination Center were monitoring the attacks.
“This reinforces the fact that we just have got to pay attention to these vulnerabilities,” Schmidt said. “Here’s a classic example where there’s a patch out there, but still we see something that causes degradation of the Internet.”
PATCHING NOT SO EASY
While a patch which would have stopped the virus in its tracks has been freely available since July, Microsoft was criticized Saturday because that particular patch was more cumbersome to install than most, said Mikko Hypponen, spokesman for F-secure Corp. Most patches require a simple download and restart of the computer. But this patch required manual editing of critical system files, something many administrators just aren’t comfortable doing.
“It isn’t that easy,” Hypponen said. So many likely waited for the next completely updated version of the software to arrive, what’s called a “service pack” in the industry. The full service pack which would have stopped Slammer just became available Jan. 17. That gave administrators who didn’t want to deal with the patch less than a week to install the full service pack before the Slammer worm hit. That bad timing likely contributed to the worm’s spread.
And the service pack installation isn’t easy either, said Ruben Bybee, general manager of Blue Mountain Internet.
“This process takes between 15 minutes and a couple of hours depending on the speed of your Internet connection and the size of the SQL database,” he said.
Bybee also said there might be additional problem when the Monday workday begins, because some networks use the Microsoft database product to manage logins for all employees. Companies that haven’t addresed the problem by Monday — companies which haven’t managed to install the service pack — won’t be able to let their employees connect to their network.
|
|
Virus-like attack slows Web traffic
