Worldwide Internet traffic slowed dramatically for hours on Saturday, after a fast-spreading computer worm clogged pipelines of the global network, officials said.
Experts called it the most damaging attack on the Internet in 18 months as networks across Asia, Europe and America were effectively shut down.
Even though the worst of the disruptions appeared to have passed by Saturday afternoon US time, more isolated network problems were likely to continue until Monday when businesses return to work and more damaging variants could emerge, experts said.
The explosive spread of the malicious program, whose origin was a mystery, nearly cut off Internet providers in South Korea, disrupted automated bank teller machines in the United States and made online surfing and e-mail access difficult.
Known as "SQL ("sequel") Slammer," the malicious program targets a previously identified weakness in Microsoft Corp.'s software to shut down powerful server computers.
"It's very fast and very effective," said Alfred Huger, Senior Director of Engineering at Web security company Symantec Corp. in Cupertino, California.
About 150,000 to 200,000 servers have been compromised so far, said Vincent Gullotto, who heads up an anti-virus response Team at Network Associates Inc. in Beaverton, Oregon.
The worm is a small program that quickly copies itself and sends rapid data requests in search of other server computers that manage computer networks.
Unlike an e-mail virus, the worm did not infect desktop computers, experts said. Instead, the brunt of the attack was felt in exceptionally slow Web download speeds, they said.
The damage caused by the worm came from the way it overwhelmed networks by quickly cloning itself and spreading to other computer servers, experts said.
"Basically what it does is flood the pipeline, and that's what we're seeing," said Bill Murray a spokesman for the US government-run National Infrastructure Protection Center.
The current version of the worm does not erase or steal data but more malign variants by copycat hackers could appear and cause even more damage, said Joe Hartmann, Director of North American anti-virus research for Trend Micro Inc.
"Someone could add a destructive payload to this one," Hartmann said.
Because the attack started at around midnight Eastern Time (0500 GMT) on Saturday, Russ Cooper, a computer security expert at TruSecure Corp. said the worm might have been "seeded" in a number of machines by someone in the United States, while other experts said they suspected that it originated in Asia.
The FBI said it was looking into the incident but had no indication that created the program.
At the height of the attack on Saturday morning in the United States, about 20 percent of the data traffic being sent across the Internet was being lost in transit, a rate at least 10 times higher than normal.
The SQL Slammer attack drew comparison to the Code Red worm, one of the most costly security threats to the Internet that struck in the summer of 2001.
'All-out Attack'
The worm crashed almost all Internet services in South Korea, where 7 out of every 10 people are online. South Korea's largest Web access provider KT Corp. was brought down and other Web sites were taken offline. The government called it an "all-out attack on the country's Internet system."
In the United States, Bank of America Corp. said customers at a majority of its 13,000 automated teller machines were unable to process transactions as a result of the worm.
Top Internet shopping sites Amazon.com Inc. and auctioneer eBay Inc. reported no disruptions.
At the US National Infrastructure Protection Center at FBI headquarters in Washington, investigators had captured the virus and were studying its make-up.
The SQL Slammer worm targets servers that run Microsoft's SQL Server 2000 database software and exploits a component used to access data that is also integrated into other programs used for developing software.
The security hole was apparently known since last July, and patches, or fixes, for programs using MSDN as well as for SQL are available on Microsoft's TechNet support Web site (http^ "It was a vulnerability, we knew about it, but someone is exploiting it," Microsoft Chief Security Strategist Scott Charney told Reuters. "We want our customers to be as secure as possible and install the patches."
(China Daily January 27, 2003)
