This worm, a very small piece of computer code, first reportedly showed up in Hong Kong at about 11 p.m. Central time on Friday, January 24. The malicious code attacked Microsoft’s SQL Server 2000 software, which is also part of Microsoft Desktop Engine 2000 and is found in Visual Studio .NET, ASP.NET Web Matrix Tool, Office XP, MSDN, Access 2002, Visual FoxPro 7.0/8.0, Visio, Mail Max 5, ISS RealSecure, SiteProtector, IceCap, and possibly other server software.
Within 30 minutes, the worm had spread around the world, shutting down much of the Internet and the government and corporate networks that depend on it. The worm, referred to variously as 'Sapphire', 'SQL-Hell', 'Helkern' and 'MS-SQL Slammer', is now most commonly called the “MS-SQL Worm”. A very tiny program, only 376 bytes in size when loaded into memory, it also never appears as a file on disk, making it one of a small but growing list of "fileless" worms. This type of malicious program infects and spreads only in the computer's memory, without ever being written to a hard drive. Again, according to Kaspersky, “These features seriously complicate the detection and disinfection of such worms using contemporary anti-virus technologies.” To give a sense of how tiny this worm is, it is about one-hundredth the size of this article (34K) in MS Word format.
According to the federally funded Computer Emergency Response Team (CERT) at Carnegie Mellon University, at its peak on Saturday, January 25, just hours after its appearance, about 200,000 Internet servers were infected, most of which were effectively shut down by the worm. The Internet performance monitoring organization Keynote reported that the denial of service was caused by the worm sending such massive amounts of data between Internet servers that they could not handle the load, effectively shutting down huge numbers of servers. Keynote reported that five of the thirteen U.S. military root name servers, a crucial part of the network, were shut down, and that much of the remainder of the military network suffered massive packet loss, meaning that data was having great difficulty getting through the system. The worm infected every major Internet backbone provider. Keynote reported packet loss of up to 35 percent for many of the smaller providers, 22 percent for MCI WorldCom, 24 percent for Global Crossing, and 26 percent for UUNet.
Most of the major antivirus companies, as well as computer security organizations, immediately rated the threat as “high” as they developed ways to deal with the attack. Sadly, much of the attack might have failed had users of Microsoft’s SQL Server 2000 installed the security patch that Microsoft released on January 17. This again indicates the utter necessity of downloading and installing the critical security patches that Microsoft and other vendors make available on a regular basis.
According to media reports, one indication of the damage was a statement from Bank of America that at the height of the attack on Saturday, most if not all of its 13,000 ATM machines would not work. Many popular websites were unavailable, and many email servers were shut down. Personally, I have received some calls indicating that users of some of the large email services, such as Hotmail, could not access their accounts. It is not clear whether the disruption was on Hotmail’s servers, or whether local users could not connect to Hotmail because servers on the network between them and Hotmail were down.
This worm did not attack personal computers. The worm attacked servers running SQL Server 2000 and, once detected, was easily removed. The worm overloaded servers by sending out so many copies of itself so fast that the systems simply could not handle the load and shut down. The problems local users suffered were not on their own machines, but on the networks they were connected to.
What is especially frightening is that on Sunday, January 26, the much-respected SANS Institute, a computer security training and monitoring center, speculated that this attack was “…but a shot over the bows by someone testing a vulnerability with the intent of sending out something with a more malicious payload next time, possibly within a few days or weeks.”
This incident is just another example of our collective vulnerability to cyber-attack. It is not yet known as I write this if this attack was simply some highly successful cyber vandalism, or a precursor to some more sinister plan. It does clearly indicate that we, as computer users, absolutely must take seriously the threats to our vital cyber infrastructure. While this particular worm was not a threat to our personal computers, it is only a matter of time until a successor becomes such a threat. This again shows the imperative need to protect our computers with up-to-date antivirus software, as well as the critical security patches our software publishers frequently make available to us. And, if the worst should happen, there is also no substitute for a current backup of our critical data.
For more information on the Tulsa Computer Society, click here.