UK sites hit by SQL worm

Update: Hewlett-Packard is one of several major UK companies and Web sites that have felt the impact of this weekend's attack by the SQL Slammer worm, also known as Sapphire

Several major UK e-commerce Web sites were heavily affected by the so-called "SQL Slammer" worm that struck servers around the world over the weekend, slowing Internet speeds and, in some countries, downing connections entirely.

Some large companies found their internal networks slowed or put out of commission by the worm. Hewlett-Packard said that its systems had been affected, and that all of its security teams had been working since Friday evening to fix the problems. A source close to the company said that some HP staff in the UK had been sent home on Monday because of difficulties using internal networks, although this was not confirmed by HP.

"We are working expeditiously to remedy the situation. We are also working with customers to provide any necessary support," HP said in a statement.

Among the worst-affected in Britain were e-commerce sites Borders.co.uk, Letsbuyit.co.uk and Thorntons.co.uk, according to Keynote Systems, which measures Web performance. Sites that suffered less damage, but were still seriously affected, included whsmith.co.uk, dixons.co.uk, amazon.co.uk and msn.co.uk.

"Interestingly www.bbc.co.uk wasn't affected at all by this attack," noted a Keynote spokesman.

The worm takes advantage of a bug that was discovered last July in Microsoft's SQL Server database software. Although a patch has been available since then, many system administrators have failed to install the patch, leaving their computers vulnerable.

Bank of America said 13,000 of its cash machines refused to operate. In South Korea, the country's largest ISP KT said almost all of its customers lost their connections during the attack. Chinese computer users saw sites freeze and a dramatic slowdown in download speeds, as the worm's effects hit the Internet's nameservers -- the computers that translate Web addresses into numerical Internet Protocol addresses.

In the US and the UK, the worm's impact was noticeable for consumers over the weekend, according to Keynote. The company said that the average site in its index of 40 major US-based home pages was slowed more than 50 percent between 5 a.m. and 6 p.m. GMT on Saturday.

The ability of computers to communicate with the Internet as a whole dropped by about 10 percent in the US at around the same time. Connectivity was back to normal by midnight on Saturday, Keynote said.

Keynote measures the number of page download attempts that succeed in retrieving a complete page without errors or timeouts.

Graham Cluley, senior technical consultant for antivirus firm Sophos, said there had been no reports from the UK comparable with the chaos in South Korea or the US. However, the attack's success highlights the increasingly thorny problem of keeping server security up to date, he said.

"Hopefully, from this Monday people are thinking about security in a new way," he said. "This attack shows that it's no good waiting for a virus to come along before you patch yourself. Hopefully people are not just looking at the SQL patch, but at what other patches they've missed."

SQL Slammer's code instructs the Microsoft SQL Server to go into an endless loop, continually sending out data to other computers, in effect performing a denial of service attack, according to security firm F-Secure, comparing the slowdown to the impact of the Code Red virus, which brought Internet traffic to a halt in the summer of 2001.

The virus is also known as Sapphire, W32.SQLExp.Worm or DDOS_SQLP1434.A by various antivirus companies.

Click here to find out more about how to protect your system from the worm.

ZDNet UK's Matt Loney contributed to this report.


For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section.

Let the editors know what you think in the Mailroom.