Macquarie Telecom has admitted that a variant of the Slammer worm was responsible for a serious disruption to its co-location customers last week.
Following an upgrade to its firewall and intrusion detection systems, many of Macquarie's Sydney-based co-location customers found their Web sites and intranet systems either completely inaccessible or painfully slow.
At the time, Macquarie admitted that the problem was caused by an avalanche of malicious traffic.
Subsequently, Macquarie has admitted that it was forced to roll back to the old security system in order to find the problem. Engineers eventually discovered that the traffic was being generated by some of its customers that had been infected by a variant of the Slammer worm.
"The massive traffic loads were caused by virus-related broadcasts from Macquarie Telecom customers. As part of our troubleshooting process we rolled back to the old firewall to eliminate the new firewall architecture and policies as being a variable."
Slammer, which exploits a vulnerability in unpatched versions of Microsoft SQL Server 2000, was first detected almost two years ago. According to antivirus firm Symantec, Slammer has the "unintended payload of performing a denial of service attack due to the large number of packets it sends".
Neil Campbell, national security manager of IT services company Dimension Data, said that there is no excuse for a company to become infected with the Slammer worm – almost two years after it first appeared.
"If you are in any way vigilant with security there is no excuse and no reason to get infected by Slammer. It has been out for more than a year and there has been enough visibility and there are enough tools out there [to avoid infection]," said Campbell.
Although Campbell would not comment specifically on Macquarie, he explained that with co-location services, the provider is unlikely to be responsible for any virus outbreak.
"My understanding in a co-location scenario is that the provider does not have any control over the machines. There is nothing the hosting provider can do to ensure that the customers are managing their systems."
However, Campbell did say that co-location providers should protect customers from each other.
"Co-location providers should protect each customer from the others so you can minimise the disruption to one customer caused by another customer not being up to date with patching," said Campbell.