Slammer: The first 'Warhol' worm?

A study has found that Slammer hit most of its victims within 10 minutes, setting a new milestone in worm evolution

Last week's Sapphire worm, widely known as SQL Slammer, infected more than 90 percent of vulnerable computers within 10 minutes, opening a new era of fast-spreading viruses on the Internet, according to a US think tank.

The findings come from the Cooperative Association for Internet Data Analysis (CAIDA), a US body largely funded by government agencies such as the National Science Foundation, and devoted to developing tools and standards for measuring Internet traffic. According to a CAIDA report issued late last week, the worm doubled in size every 8.5 seconds when it first appeared, and reached the full rate at which it was scanning for vulnerable computers -- a rate of more than 55 million scans per second -- after about three minutes.

This rapidity puts Slammer into the realm of what is known as a Warhol worm, or one that could infect the entire Internet in 15 minutes. Researchers have theorised about such worms for some time, and a paper presented at last year's Usenix Security Symposium by security experts Vern Paxson, Stuart Staniford, and Nicholas Weaver also predicted the emergence of a "flash worm", which could scan the entire Internet in a matter of seconds. Until now, however, no examples have been released into the wild.

The authors of the CAIDA report, David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford and Nicholas Weaver, noted that the worm paves the way for future versions that could spread even more quickly and create more chaos. "If the worm had carried a malicious payload, had attacked a more widespread vulnerability, or had targeted a more popular service, the effects would likely have been far more severe," they wrote.

Slammer's spread was two orders of magnitude faster than Code Red, which infected 359,000 computers in the summer of 2001, and doubled in size only about every 37 minutes, CAIDA said.

Slammer infected fewer computers than Code Red, but significantly was limited by flaws in its design. For example, a faulty random-number generator meant that the worm was not able to scan all possible Internet addresses. Also, its method of random scanning was so aggressive that it quickly bogged down networks and was unable to continue operating at full throttle, according to CAIDA.

The researchers noted that although the nature of the SQL bug exploited by Slammer helped it to spread quickly -- the bug was exploitable by sending a single packet to a particular UDP port -- other types of worms could spread just as quickly: "Any worm with a reasonably small payload can be crafted into a bandwidth-limited worm of a similar nature."

Traditional virus-blocking methods are now practically useless for stopping the new breed of worm, the report noted. "Since high-speed worms are no longer simply a theoretical threat, worm defences need to be automatic; there is no conceivable way for system administrators to respond to threats of this speed," it said.

On Friday, Stuart Okin, Microsoft UK's chief security officer, warned that morphs of Slammer could cause more problems than the original, which because it had no payload did not do any direct damage aside from the effects of its denial-of-service nature, and systems could be cleaned by being switched off and on again.


For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section.

Let the editors know what you think in the Mailroom.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All