Government largely spared in latest cyberattack

The federal government appears to have escaped largely unscathed from one of the most virulent computer worms ever seen.

On Saturday, the worm, a breed of computer virus dubbed Slammer or Sapphire by some analysts, began infecting Microsoft database software through a well-known hole that leaves it vulnerable to infection. Slammer infected at least 100,000 computer servers in the U.S., Europe and Asia and perhaps as many as 250,000, according to some estimates.

The worm replicates inside its victims and sends out probes for new victims at the rate of thousands per second. The barrage of probes Saturday snarled Internet traffic and shut down more than 13,000 Bank of America automatic cash machines.

The White House has said the full severity and nature of the worm may not be known for several days, but initial reports indicate Slammer is probably one of the fastest spreading worms in history. The speed with which worms spread can be measured by how quickly they probe for more victims. Slammer reached its probing peak four minutes after being activated, said Stuart Staniford, president of Silicon Defense, a security firm in Eureka, Calif. By comparison, the Code Red worm of July 2001, one of the most destructive, took 16 hours to reach its peak, Staniford said.
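The probe-rate argument above can be made concrete with the random-constant-spread model for random-scanning worms: every infected host probes the address space at a constant rate, so the infected population grows logistically and the time to saturation depends on the probe rate and the number of vulnerable hosts. The following is an added illustration, not code from the article, from Silicon Defense or from any of the analysts quoted; it uses the article's own figures (about 100,000 vulnerable servers, thousands of probes per second per host) and assumes 4,000 probes per second and a 32-bit address space, which puts saturation in the same few-minute range as the four-minute peak Staniford cites.

```python
import math

# Constructed parameters for this added example. The host count and the
# "thousands per second" probe rate come from the article; the exact 4,000/s
# figure and the 32-bit address space are assumptions.
ADDRESS_SPACE = 2 ** 32        # IPv4 addresses a random-scanning worm picks from
SLAMMER_HOSTS = 100_000        # lower bound of vulnerable servers quoted in the article
SLAMMER_SCANS_PER_SEC = 4_000  # "thousands per second" per infected host (assumed 4,000)


def spread_constant(scans_per_sec: float, vulnerable_hosts: int,
                    address_space: int = ADDRESS_SPACE) -> float:
    """Per-second growth constant K of the random-constant-spread model.

    Each probe from an infected host lands on a vulnerable host with probability
    vulnerable_hosts / address_space, so K = scans_per_sec * N / A.
    """
    return scans_per_sec * vulnerable_hosts / address_space


def infected_fraction(t: float, k: float, a0: float) -> float:
    """Logistic solution of da/dt = K a (1 - a) with a(0) = a0."""
    logit0 = math.log(a0 / (1.0 - a0))
    return 1.0 / (1.0 + math.exp(-(logit0 + k * t)))


def time_to_fraction(target: float, k: float, a0: float) -> float:
    """Seconds until the infected fraction reaches `target` (0 < a0 < target < 1)."""
    return (math.log(target / (1.0 - target)) - math.log(a0 / (1.0 - a0))) / k


def slammer_time_to_peak(target: float = 0.99) -> float:
    """Seconds for the modelled worm to infect `target` of vulnerable hosts from one seed."""
    k = spread_constant(SLAMMER_SCANS_PER_SEC, SLAMMER_HOSTS)
    return time_to_fraction(target, k, a0=1.0 / SLAMMER_HOSTS)


if __name__ == "__main__":
    k = spread_constant(SLAMMER_SCANS_PER_SEC, SLAMMER_HOSTS)
    a0 = 1.0 / SLAMMER_HOSTS
    for t in (0, 60, 120, 180, 240):
        print(f"t={t:4d}s  infected={infected_fraction(t, k, a0):6.1%}")
    peak = slammer_time_to_peak()
    print(f"99% infected after {peak:.0f} s (about {peak / 60:.1f} minutes)")
```

Halving the probe rate or the vulnerable population doubles the time to saturation, which is why a patch applied before release, not a response started after the first alert, is the only control that changes the outcome for a worm this fast.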

Slammer only replicates itself and doesn't download any commands to erase data or commandeer the controls of its hosts. Had the worm contained that destructive payload, it could have caused far more damage, according to experts.

Agencies were also spared disruptions because Slammer was let loose over the weekend, when most offices were closed. At least one exception occurred Saturday when 200 National Science Foundation employees working on grant proposal evaluations were knocked offline by the Internet traffic jam.

Slammer affected less than 10 percent of Defense Department computer systems, according to a spokesman for the department's Joint Task Force-Computer Network Operations, which monitors threats to the department. As a precaution, the specific Internet port the worm was using as a conduit was shut down, the spokesman said. Defense employees still had access to their computers over the weekend, he said.

Less is known about how many civilian systems were affected, but indications are that the damage was not widespread, said Alan Paller, the director of research for the nonprofit SANS Institute in Bethesda, Md., a security research group that is helping agencies analyze the Slammer attack. Paller said SANS had found only 360 federal Internet protocol addresses that were hit by the worm, out of more than 120,000 addresses. But he added that the analysis isn't finished, and many more addresses could have been affected.

Security experts believe, though, that the worst of the worm's rampage is over. Kevin Haley, a group manager with Symantec Security Response in Santa Monica, Calif., said the number of reported infections has fallen steadily since Saturday.

Slammer wreaked the most havoc abroad, analysts say. Seven out of 10 customers of the largest Internet service provider in South Korea were denied online access, said Chris Thompson, vice president of marketing for Network Associates, a security firm in Santa Clara, Calif.

What country the worm came from is still not known.

A spokeswoman for the General Services Administration said the agency's Computer Incident Response Center (FedCIRC) is working with civilian agencies to help them clean up and patch their systems. FedCIRC posted an advisory about Slammer to its Web site shortly after 8:00 a.m. Saturday.

FedCIRC last week launched a major security initiative to protect civilian agency computer systems. The Patch Authentication and Dissemination Capability (PADC) is a free service that verifies the authenticity and safety of programs that repair vulnerabilities in systems. The White House cybersecurity czar, Richard Clarke, implored agencies to use the patch service.

Another White House official Monday noted that about 98 percent of all online attacks are against vulnerabilities that are well known and for which patches exist. If patches were applied early, many attacks could be prevented, Marcus Sachs, the director of communication infrastructure protection for the White House Office of Cyberspace Security, said at an online briefing.

The motive for the Slammer attack is unknown, but Sachs raised two provocative theories mentioned Sunday in a series of e-mail exchanges among security experts. The first was that some company launched Slammer to attack its competition. Sachs described that theory as a "wild card."

The second idea was that some group of cyber vigilantes might have released Slammer without a destructive payload in order to show the world that the Microsoft vulnerability existed. That would compel users of the weak systems to fix them.