Clean-up after web attack
2003-01-27 08:22
Elinor Mills Abreu/Kim Miyoung
Los Angeles - Companies cleaned up their computer systems on Sunday after a fast-spreading worm shut down web servers in an attack that slowed the internet for users around the world.
South Korea, the world's most wired country, was believed to be hit the hardest in the attack, which began early on Saturday, spreading through network connections rather than e-mail as many viruses do.
The worm, dubbed "SQL Slammer" ("sequel") because it exploits a weakness in Microsoft's Windows 2000 SQL server database software, did not delete or otherwise touch data.
However, it crashed servers and congested traffic on the global network for a few hours, slowing downloads by as much as 50 percent, according to Internet performance monitoring firm Keynote Systems.
But the most damaging attack on the internet in 18 months was curbed faster than the Code Reds and Nimda worms of September 2001, as internet service providers moved quickly to block traffic from infected machines to others, experts said.
Microsoft re-released its patch for the vulnerability, first issued about six months ago, this time with software that makes it easier to install than the original patch was, said Scott Charney, Microsoft's chief security strategist.
Concern also shifted to desktop computers that may have some of the SQL code on them, such as Microsoft Desktop Engine 2000, according to Russ Cooper, a research expert at TruSecure Corp. He said Compaq Insight Manager, Dell Open Manager and HP OpenView also contain "mini SQL servers."
Better shape today
Overall, industry experts said the internet had weathered the attack very well. "The internet is in much better shape today," said Tom Ohlsson, vice president of marketing at Matrix NetSystems, an Internet performance monitoring company.
During the attack, there was a one in five chance that e-mail wouldn't get through or that downloading information from a website would take one to two minutes instead of 10 seconds, according to Ohlsson.
"In the final analysis, what we had was a major nuisance that was short-lived," he added.
Infected systems can be cleaned up by just turning the system off and then back on, but companies are encouraged to install the Microsoft patch to prevent further infection or to configure their firewalls to block traffic coming into a specific communications port the worm uses.
While the virus tapered off relatively fast and internet traffic was flowing smoothly, there were signs the worm was not yet dead.
"Right now, there are 120 000 IP (Internet Protocol) addresses out searching for systems to infect," said Alan Paller, research director at the System Administration, Networking and Security Institute (SANS).
By Sunday, most problems had passed but Monday could bring new outbreaks as businesses boot up computers for the week.
Cooper and others said they were expecting to see variants created by copycat hackers, and those could be much worse.
Statistics on companies and computers affected were not easy to obtain, particularly on Super Bowl Sunday in the United States.
The worm affected Bank of America and some of its automatic teller machines, as well as American Express, and more than 300 federal government computers were infected, a source said.
The web's largest retailer, Amazon.com, and internet auctioneer eBay reported no disruption during the attack.
Wired Korea
In Korea, internet companies said they planned to boost spending on security to prevent a repeat of an outage that paralysed broadband and mobile services on Saturday.
"It's not clear why Korea was targeted but the damage was huge - partly because Korea has a huge Internet population and this helped the rapid spread of the worm," said an official at KT Corp, Korea's largest Internet service provider.
"The problem is not completely resolved and we will have to have more of a sense of the importance of security," Information and Communication Minister Lee Sang Chul said.
Almost all KT customers lost their connections during the attack. Some 70 percent of South Korea's 48 million people have Internet access and half of these subscribe to KT.
KT said it had completed repairs but smaller Korean Internet service providers were still experiencing problems. The Seoul Stock Exchange said the country's large number of online stock traders might have to switch to telephone trading on Monday.
"We are repairing affected networks but regardless of the status of the completion of the job, stock markets will open Monday and all systems will operate as usual for stock transactions," the Korea Stock Exchange said.
In China, the websites of China Telecom, the China Science and Technology Network and the Education and Research Network were particularly affected.
Japanese Internet firms also reported a slowdown. "Major carriers said they detected a sudden increase in Internet traffic, but they said there weren't any major problems," said Eisaku Yamaji, of the Ministry of Post and Telecommunications.
Samsung Securities tech analyst Choi Young-suk said he did not expect the problems in Korea to hit internet shares.
"The problem is more likely to have an impact on companies that generate revenue from online businesses such as online shopping and travel agencies," Choi said.