SQL Server Worm Slows Internet Traffic To A Crawl

By Mitch Wagner

A new worm attacking Microsoft SQL Server 2000 systems slowed Internet traffic to a crawl early Saturday.

Security companies are warning about the worm, named W32/SQL Slammer or Sapphire, which uses a buffer overflow in SQL Server to take over the system and send out a flood of packets. The flaw has been known, and a patch has been available, since the summer.

South Korea was hit particularly hard, with most of the nation's Internet users unable to access Web sites for nearly half the day, according to reports. Japan and other high-technology Asian areas were also hard-hit.

Security experts say that SQL Server 2000 users should install the SQL Server 2000 Service Pack 3, and consider blocking traffic on port 1434 for unknown machines. The worm only affects Windows 2000 servers running SQL Server, according to security firm F-Secure.

The patch, and further details about the vulnerability, are available in a Microsoft security bulletin posted July 24. CERT posted an advisory on Saturday.

Like the Code Red worm, which spread in July 2001, the worm is memory-resident, it never writes to disk. An infected system can be cleaned by simple rebooting, but it will soon get reinfected if it is connected to the network without patching SQL Server, F-Secure said.

The worm was detected at about 12:30 am Eastern time, according to F-Secure. It took down five of the 13 Internet root nameservers.

Symantec said the worm had infected at least 22,000 systems by 9 am Eastern time. But the attack abated quickly; Symantec reported a 60 percent reduction in worm-related traffic by about 3 AM Eastern time. Symantec attributed the decline to Internet service providers filtering for the attack.

"Waking up at 2AM after falling asleep at work on a Friday evening, to be greeted by a wall full of router racks lit up like a wall-shaped Christmas Tree is a sobering experience indeed," wrote one participant in a discussion about the attack on Slashdot.