Free Republic

Virus-Like Attack Slows Web Traffic
Associated Press | 25 Jan 03 | Ted Bridis, Associated Press

Posted on 01/25/2003 7:54:31 AM PST by Lancey Howard

WASHINGTON (Jan. 25) - Traffic on the Internet slowed dramatically for hours early Saturday, the effects of a fast-spreading, virus-like infection that overwhelmed the world's digital pipelines and broadly interfered with Web browsing and delivery of e-mail.

Sites monitoring the health of the Internet reported significant slowdowns globally. Experts said the electronic attack bore remarkable similarities to the "Code Red" virus during the summer of 2001 which also ground online traffic to a halt.

"It's not debilitating," said Howard Schmidt, President Bush's No. 2 cyber-security adviser. "Everybody seems to be getting it under control." Schmidt said the FBI's National Infrastructure Protection Center and private experts at the CERT Coordination Center were monitoring the attack and offering technical advice to computer administrators on how to protect against it.

Most home users did not need to take any protective measures.

The virus-like attack, which began about 12:30 a.m. EST, sought out vulnerable computers on the Internet to infect using a known flaw in popular database software from Microsoft Corp., called "SQL Server 2000." But the attacking software code was scanning for victim computers so randomly and so aggressively - sending out thousands of probes each second - that it saturated many Internet data pipelines.

Schmidt said disruption within the U.S. government was minimal, partly because the attack occurred early on a Saturday morning.

"This is like Code Red all over again," said Marc Maiffret, an executive with eEye Digital Security, whose engineers were among the earliest to study samples of the attack software. "The sheer number of attacks is eating up so much bandwidth that normal operations can't take place."

"The impact of this worm was huge," agreed Ben Koshy of W3 International Media Ltd., which operates thousands of Web sites from its computers in Vancouver. "It's a very significant attack."

Koshy added that, about six hours after the attack started, commercial Web sites that had been overwhelmed were starting to come back online as engineers began effectively blocking the malicious data traffic. At the height of the attack, another company reported that computers were flooded with more than 125 megabytes of data every second.

"People are recovering from it," Koshy said.

Symantec Corp., an antivirus vendor, estimated that at least 22,000 systems were affected worldwide.

"Traffic itself seems to have leveled off a little bit, so likely only so many systems are exposed out there," said Oliver Friedrichs, senior manager with Symantec Security Response. The attacking software, technically known as a worm, was overwhelming Internet traffic-directing devices known as routers.

"The Internet is still usable, but we're definitely receiving reports from some of our customers who have had it affect their routers specifically," Friedrichs said.

The attack sought to exploit a software flaw discovered by researchers in July 2002 that permits hackers to seize control of corporate database servers. Microsoft deemed the problem "critical" and offered a free repairing patch, but it was impossible to know how many computer administrators applied the fix.

"People need to do a better job about fixing vulnerabilities," Schmidt said.

The latest attack was likely to revive debate within the technology industry about the need for an Internet-wide monitoring center, which the Bush administration has proposed. Some Internet industry executives and lawyers said they would raise serious civil liberties concerns if the U.S. government, not an industry consortium, operated such a powerful monitoring center.

"Nowhere do you see everything that has happened in cyber-space, no one has that synoptic view," said Dick Clarke, Bush's top cyber-security adviser, during a speech earlier this month to U.S. intelligence officials. "What we're talking about is seeing something in time to stop it, a major cyber attack."

During the "Code Red" attack in July 2001, about 300,000 mostly corporate server computers were infected and programmed to launch a simultaneous attack against the Web site for the White House, which U.S. officials were able to defend successfully.

Unlike that episode, the malicious software used in this latest attack did not appear to do anything other than try to spread its own infection, experts said.

On the Net:

Technical details: http://www.eeye.com/html/Research/Flash/AL20030125.html

Microsoft fix: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp

AP-NY-01-25-03 0820EST

Copyright 2003 The Associated Press. The information contained in the AP news report may not be published, broadcast, rewritten or otherwise distributed without the prior written authority of The Associated Press. All active hyperlinks have been inserted by AOL.


TOPICS: Business/Economy; Crime/Corruption; Culture/Society; Front Page News; Miscellaneous; News/Current Events

1 posted on 01/25/2003 7:54:31 AM PST by Lancey Howard

To: Lancey Howard

Imagine you are George Washington, just rolling out of bed in the morning and reading this in the newspaper. I figure that a full 75% of the words used in this article would have no meaning or context for George. In fact, they would have no meaning or context for somebody from the 1950s.
2 posted on 01/25/2003 8:00:07 AM PST by Lancey Howard

To: Lancey Howard
"Imagine you are George Washington......."

Doesn't mean much to me either, except I would have to find my pencil and paper and wait a while for the reply. ;)

3 posted on 01/25/2003 8:25:23 AM PST by G.Mason (Slow down....you're moving too fast)

To: Lancey Howard
Check it out Here.
4 posted on 01/25/2003 8:30:24 AM PST by billorites

To: Lancey Howard
At some point, they are going to have to start holding businesses and host companies liable for not bothering to install security updates on their servers. This kind of DDS attack wouldn't be possible if so many people just can't be bothered to install free security updates.

The main culprit is presumably some hacker or group of hackers, but the operators of improperly maintained servers share some of the responsibility. It doesn't take a rocket scientist to install these updates.
5 posted on 01/25/2003 8:40:34 AM PST by Cicero

To: Lancey Howard
"The virus-like attack, which began about 12:30 a.m. EST, sought out vulnerable computers on the Internet to infect using a known flaw in popular database software from Microsoft Corp., called "SQL Server 2000." But the attacking software was scanning for victim computers so randomly and so aggressively — sending out thousands of probes a second — that it saturated many Internet data pipelines..."

The departments of State, Agriculture, Commerce and some units within the Defense Department appeared hardest hit within the government, according to Matrix NetSystems Inc., a monitoring firm in Austin, Texas.

Most home users did not need to take any protective measures. Experts said the attack bore remarkable similarities to the "Code Red" virus that struck the Internet during the summer of 2001.

http://news.yahoo.com/news?tmpl=story2&ncid=716&e=3&u=/ap/20030125/ap_on_hi_te/internet_attack

Pays to Practice Safe Anti-Virus Softwear Updates.

6 posted on 01/25/2003 8:48:08 AM PST by fight_truth_decay (Occupied)

To: Cicero
Once again this worm is taking advantage of a known vulnerability that has had a patch available for many months. Microsoft has also released a recent service pack for SQL (Service Pack 3) that includes a fix for this vulnerability.

SQL Sapphire Worm Analysis

http://www.eeye.com/html/Research/Flash/AL20030125.html

7 posted on 01/25/2003 8:57:08 AM PST by fight_truth_decay (Occupied)

To: Lancey Howard
This Name designation I found funny..We have provided brief information here as we are currently working to understand more of the worm's internal behavior. We will provide updates as they become available. This worm has been dubbed the "Sapphire Worm" by eEye due to the fact that several engineers had to be pulled away from local bars to begin the investigation/dissection process.

Source

8 posted on 01/25/2003 9:07:44 AM PST by fight_truth_decay (Occupied)

To: fight_truth_decay
I don't understand any of this.
I just like to move my mouse around and click click click.
9 posted on 01/25/2003 9:14:19 AM PST by Lancey Howard

To: Lancey Howard
I don't understand any of this. I just like to move my mouse around and click click click.

Ditto! This sort of stuff is why I refuse to download (again) Windows XP "Service Pack 1" with its supposed 'critical updates'.....I have an HP, and it took me several hours on the help line to find out that there were "Issues" between HP and Microsoft, that caused this nice new computer to drop dead, literally, after installing it. Had the thrill of obtaining 6 restore disks with minimal instruction on how to use them......wiped out everything, but got me up and running again.

10 posted on 01/25/2003 9:20:05 AM PST by ErnBatavia ((Bumperootus!))

To: Lancey Howard
vulnerable computers on the Internet to infect using a known flaw in popular database software from Microsoft Corp., called "SQL Server 2000."

No further comment needed...

11 posted on 01/25/2003 9:22:06 AM PST by null and void (Will Micromachine/do Nanotech for food...)

To: Lancey Howard; RaceBannon; nutmeg; firebrand; Black Agnes
Bump!! An El Qaida/Iraqi cyber attack??
12 posted on 01/25/2003 9:23:02 AM PST by Dutchy

To: Lancey Howard
As of 12:30 PM EST all cell phone providers are down as a result of this virus. So if you were thinking of activating a new cell phone today -- don't.
13 posted on 01/25/2003 9:24:48 AM PST by Anti-Bolshevik

To: Dutchy
Time to rewrap the PC in aluminium foil again!!
14 posted on 01/25/2003 9:24:53 AM PST by GRRRRR (What's this here red button fo'?)

To: Lancey Howard
It is more important than ever to keep current with your anti-virus program. Every time I try running without one I get a virus. There are hundreds of them out there. Thank you Norton!
15 posted on 01/25/2003 9:30:33 AM PST by latrans

To: Anti-Bolshevik
As of 12:30 PM EST all cell phone providers are down as a result of this virus. So if you were thinking of activating a new cell phone today -- don't.

You know, that's some pretty serious disruption. I wonder if disruption of cell phone communication was the goal of this virus all along?

16 posted on 01/25/2003 9:32:26 AM PST by Lancey Howard

To: Anti-Bolshevik
As of 12:30 PM EST all cell phone providers are down as a result of this virus. So if you were thinking of activating a new cell phone today -- don't.

I just now used my cell phone and it worked fine.

17 posted on 01/25/2003 9:35:50 AM PST by Lancey Howard

To: Lancey Howard
If a gang of punks set fire to a thousand warehouses full of merchandise, costing honest people billions of dollars, they would not be given suspended sentences or treated as some kind of super intelligent anti-heroes. It often appears, that the parents of those teenagers busted for computer crimes, are proud of the intelligence of their sons.

Why do the various tech news services cover hackers' conventions with a kind of reverence? How would they cover an arsonists' convention?

Blaming software companies is a little like blaming the gun manufacturers for gun related murders.

I am furious with these punks for all the crap I have to go through at home and with the network I support at work.

If I had my way, they would cut off both hands of these vandals and post the picture of the bloody things on a web site.

18 posted on 01/25/2003 9:36:07 AM PST by Jonah Johansen (Why are we so unwilling to adequately punish these vandals?)

To: latrans
I try to always acknowledge my updates for the XP. For an anti-virus program...I wanted one that had a firewall and sent out updates automatically....I originally tried Panda but the support sucked....got my money back and now I use PC-cillin but after my experience with Panda I phoned these folks and just wanted to know how their support was...and asked other questions. I now get my updates just like for XP and install...no hassle..I also think it will automatically check my system...anyway..I wish there had been a site out there that was useful esp. on receiving assistance...so many anti-virus outfits have a phone number but no one ever answers like Panda.
19 posted on 01/25/2003 9:53:14 AM PST by LADYAK

To: Lancey Howard
I just meant the activations department. If you call up customer service they probably won't be able to access your account.

All cell phone service is fine.
20 posted on 01/25/2003 9:54:01 AM PST by Anti-Bolshevik

