The Slammer Worm Attack: The worst attack to date, probably not the last
February 14, 2003
By Peter Abraham
Almost everyone who works with or on the Internet –
consumer and provider – had their eyes opened wide on Saturday, January 25,
2003, as an Internet worm attacked at least 247,000 systems worldwide.
Ted Bridis from the Associated Press wrote on January
28, "Disruptions from the weekend attack on the Internet are shaking popular
perceptions that vital national services, including banking operations and
911 centers, are largely immune to such attacks. Damage in some of these
areas was worse than many experts had believed possible."
The Damage
The nation's largest residential mortgage firm,
Countrywide Financial Corp., told customers who called Monday, January 27,
that its systems were still suffering. Its Web site, where customers can
make payments and check their loans, was closed most of the day.
Police and fire dispatchers outside Seattle resorted to
paper and pencil for hours after the virus-like attack on the weekend
disrupted operations for the 911 center that serves two suburban police
departments and at least 14 fire departments.
American Express Co. confirmed that customers couldn't
reach its Web site to check credit statements and account balances during
parts of the weekend. The attack prevented many customers of Bank of America
Corp., one of the largest U.S. banks, and some large Canadian banks from
withdrawing money from automatic teller machines Saturday.
President Bush's No. 2 cyber-security adviser, Howard
Schmidt, acknowledged that what he called "collateral damage" stunned even
the experts who have warned about uncertain effects on the nation's most
important electronic systems from mass-scale Internet disruptions.
The attacking software scanned for victim computers so
randomly and aggressively that it saturated many of the Internet's largest
data pipelines, slowing e-mail and Web surfing globally. Every system on the
Internet suffered collateral damage as well, because the infected systems
continually tried to infect others. This massive use of system resources
accounted for much of the slowdown.
While the worm did not contain a malicious payload, it
caused considerable harm simply by overloading networks and taking database
servers out of operation. Many individual sites lost connectivity as their
access bandwidth was saturated by local copies of the worm and there were
several reports of Internet backbone disruption.
Velocity of the Attack
According to a publicly available report from CAIDA,
the Cooperative Association for Internet Data Analysis, the Sapphire (AKA
Slammer) Worm was the fastest computer worm in history. As it began
spreading throughout the Internet, the number of infected hosts doubled
every 8.5 seconds. It
infected more than 90 percent of vulnerable hosts within 10 minutes.
The worm achieved its full scanning rate (over 55
million scans per second) after approximately three minutes.
The FBI Investigation – Hunting for Patient Zero
The worm's author could face up to life in prison under
new U.S. anti-terror legislation passed two months ago, some legal experts
said.
The Washington Post reported that experts who studied
the worm have found references in its coding to Honker, a Chinese hacker
group believed to operate in mainland China and possibly in Hong Kong.
The FBI has a challenging time ahead as it
hunts for the computer equivalent of patient zero (the first system infected),
which could lead it to the actual attacker.
Could damage have been prevented or minimized?
Microsoft released the patch for the vulnerability that
was exploited by the worm in July 2002.
If this free patch had been installed on all of the
247,000 systems that were infected, there would have been little for the
worm to infect. Its spread would have been contained and the damage
limited.
Again proving that an ounce of prevention . . .
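The growth figures and the patching argument above, worked through as an added example (not part of the original article or the CAIDA report): a simple logistic epidemic model seeded with one infected host. It assumes the article's 247,000 systems as the vulnerable population and that patching a share of hosts slows random-scan growth by the same share; the function names are illustrative.

```python
import math

# Figures quoted in the article above.
DOUBLING_TIME_S = 8.5   # early doubling time of the infected population
POPULATION = 247_000    # systems the article counts as attacked (used as N)

def growth_rate(patched_fraction=0.0):
    """Per-second growth rate. Assumption: random scans find victims in
    proportion to the share of hosts still unpatched."""
    return math.log(2) / DOUBLING_TIME_S * (1.0 - patched_fraction)

def infected_at(t, patched_fraction=0.0, seed=1):
    """Logistic (SI) curve: infected hosts t seconds after the first one."""
    n = POPULATION * (1.0 - patched_fraction)
    if n <= seed:
        return n  # no unpatched hosts beyond the seed
    decay = math.exp(-growth_rate(patched_fraction) * t)
    return n / (1.0 + (n / seed - 1.0) * decay)

def seconds_to_fraction(fraction, patched_fraction=0.0, seed=1):
    """Seconds until `fraction` of the unpatched hosts are infected."""
    n = POPULATION * (1.0 - patched_fraction)
    if n <= seed:
        return math.inf  # nothing left for the worm to spread to
    odds = fraction / (1.0 - fraction)
    t = math.log(odds * (n / seed - 1.0)) / growth_rate(patched_fraction)
    return max(0.0, t)

if __name__ == "__main__":
    print("patched  doubling(s)  90% of unpatched hosts infected after")
    for p in (0.0, 0.5, 0.9, 0.99):
        t90 = seconds_to_fraction(0.9, p)
        print(f"{p:6.0%}  {DOUBLING_TIME_S / (1 - p):10.1f}  {t90 / 60:6.1f} min")
```

Under these assumptions the unpatched curve passes 90 percent in about three minutes, inside the ten-minute figure quoted above, while patching 90 percent of hosts beforehand stretches the doubling time to 85 seconds and the same point to about 25 minutes. The model leaves out the bandwidth saturation described earlier.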
Dynamic Net, Inc. can offer you that ounce of prevention
through our security patch program. We will proactively install patches
on your servers within three business days of their release.
Please call our business development department toll free at
1-888-887-6727 to find out how we can save you a ton of money and headaches
by taking this concern out of your hands.