BBC NEWS Americas Africa Europe Middle East South Asia Asia Pacific

BBC News World Edition
 You are in: Technology  
News Front Page
Middle East
South Asia
Talking Point
Country Profiles
In Depth
BBC Sport
BBC Weather
Monday, 27 January, 2003, 16:59 GMT
Net recovers from cyber attack
Internet cafe in South Korea
Some net cafes in South Korea were knocked offline
The internet is recovering after a virulent computer worm crippled online traffic over the weekend.

Technicians have been racing to repair infected computers and patch up holes in systems that allowed the malicious code to shut down powerful servers and clog net pipelines.

In what experts called the most damaging attack on the internet in 18 months, the worm known as SQL Slammer targeted a known weakness in Microsoft's database software.

At its peak, experts said the worm affected around a quarter of a million computers worldwide, with the world's most wired country, South Korea, being one of the worst affected.

It is still infecting some servers, causing scattered slowdowns in internet traffic.

"At the moment the internet is recovering from its sticky cheese fondue state and becoming the rapidly moving liquid we all expect it to be," said Graham Cluley, Senior Technology Consultant at anti-virus firm Sophos.

"It would be very optimistic to think we could eradicate this 100%," he added. "In isolated pockets, this will continue for days."

Traffic crippled

The Slammer worm takes advantage of a six-month old security loophole in Microsoft SQL server software. It does not infect desktop computers and does not spread via e-mail.

Computer technician in South Korea
Technicians worked to repair infected systems
Once the worm infects a server, it sends out multiple data requests in a random manner to other internet addresses, looking for more computers to infect.

The effect is a flood of traffic that bogs down networks and can knock websites offline.

The malicious code appeared around 0530 GMT on Saturday, slowing down internet traffic for several hours.

Internet surfing in Asia was particularly slow. In South Korea, where almost three-quarters of the population have internet access, online services were crippled for nearly eight hours on Saturday.

Officials said the cyber attack caused millions of dollars in losses to internet-related businesses.

There were also outages or slowdowns in China and other parts of Asia, while cash machines in the US were also affected.

Back to normal

Over the weekend, computer technicians have been cleaning up computer systems and updating software to stop the malicious code

There are no reports of major disruptions to the internet, despite concerns that the worm would reappear on Monday morning as people returned to work.

In South Korea, officials said the country's major internet services appeared to be almost free of the Slammer worm.

The weekend attack was similar to the Code Red virus that affected 300,000 computers in July 2001.

It was the largest assault on the internet since the Nimda virus struck in September last year.

The FBI is looking into the incident but it said it had no indication who created the program.

Were you affected by the Slammer worm? How can attacks like these be stopped in the future? This is what you said:

I work as an IT technician at a university. Many of our core systems are still down at this time, since the admin team ordered all SQL servers to be shut down while they patch them up. Still it isn't all bad news. Our job database has a SQL backend server. No server = no jobs and one very quiet Monday morning.
Chris McKeown, UK

Attacks of this particular nature could be prevented if people took more effort to secure their networks. Our network was blocking the port in question in both directions at the edge and while we may have seen a number of attempted attacks, none of them were successful.
Andrew, UK

How about putting penalties in place for software manufactures who allow known security holes to for more than three months without a fix being available. How much has this attack cost? Perhaps Microsoft should be made to pay?
Alex, UK

Although I don`t condone the creation or distribution of malicious code, the administrators of these servers are partly responsible. They have had six months to patch there servers! What`s wrong with these people, none of our servers are left open to any known malicious code as part of our procedures are to actively search for and apply any patches as needed.
Woolfy, UK

Instead of sending hackers to jail why not sue Microsoft? After all if the air bag in my car fails to open in a crash and the car manufacturer knew about it for six months, wouldn't I be able to sue the car manufacturer?
Mark Curtis, London, UK

The companies have to pay their people a reasonable amount of money, they have to have enough people working in IT departments so that their people are not over worked and the network administrators have to apply patches as soon as they come out. Microsoft should be held legally liable for the security of its software.
Vish, UK

Since early morning of the 26 January I have not been able to to send or receive e-mails through Outlook Express. A message on my screen appears to say "password not recognised". My access to the internet is not affected and is working normally. My server on the telephone tells me that the problem is nothing to do with my equipment and they were hoping that the situation would normalise shortly.
Robert Symington, Portugal

Although many people (including myself) tend to put the blame on Microsoft for producing software without regard to security, in this case it is clear that negligence on the part of certain sysadmins is to blame. The vulnerability has been known for over six months and is easy to fix. The only reason this worm has been able to cause such damage is because people who don't know how to run a proper server can't be bothered to install the fixes when they become available.

A sobering thought is that the damage could have been much worse. The worm could quite easily have been made to delete data stored on the server, or even send the data somewhere. It is time that companies really looked hard at keeping their data secure, and time consumers asked awkward questions about what is being done to secure their private information.
Daniel Hulme, UK

Such attacks became possible because the fundamental principles of secure operating systems and design were simply not employed in the server system even though the underlying Intel hardware enabled them to be established. A secure system, just like the design parameters for Multics many years ago,is simply one that can withstand such attacks and limit damage. Buffer overflow problems were solved with the Intel 286 chip of the PC-AT 20 years ago but the segmentation, isolation and ring structure for security that were in that chip ( and still are in the Pentium) were never "turned on".

The endless attempts to put in yet another patch is a hopeless approach for the future. The real opportunity lies in a new generation of fault / attack tolerant systems, such as the NSA's Secure Linux project, Trusted BSD, etc. Buffer overflow should have been a "thing of the past" problem - and it could have been - and still could be - if commodity operating systems start using the Intel chips in the way they were originally designed to be used.
Prof Bill Caelli, Australia

Our network successfully withstood this attack as the SQL patch was applied several months ago when initially launched. IT professionals who fail to keep their servers up to date with the latest security patches are knowingly playing a game of Russian roulette and need their heads felt.
Chris Silk, UK

Found on Saturday that my ISP's main page would not load. Also several pages of my favourites also would not load. But the BBC website was fine!
JB Pickard, United Kingdom

The best way to prevent these sorts of events happening on a large scale is for companies and people to keep their software up to date. The bug which allowed this worm to propagate was fixed over six months ago, but required people to download a patch for their software system. If people don't keep their systems secure and up to date then we will continue to see these kind of disruptions in the future
Toby Proctor, UK

Some of the comments, about blaming Microsoft are absurd, at least in this instance a patch was available, and has been since July 2002, Also having the latest Service Packs helps, and paying attention to detail, and keeping ports and services installed/open to a minimum. This means there is less chance of being caught up in such attacks. But the only real way to stop it, is to stop living in a networked world. No network, no paths for such worms.
Martin Limburn, UK

I am a network administrator for a small software company in London. Anyone who got caught out in this attack is plainly not doing their job. All you need to do is sign up to Microsoft's security bulletin and you'll get an e-mail with instructions as soon as a security patch is release. There are quite simply no excuses administrators!
Stephen White, UK

To blame Microsoft or not? Prof Bill Caelli's explanation is correct. The patch may have been available for months, but people are stupid and this isn't going to change. If the world's most popular toaster periodically burnt your bread, and an upgrade was available to solve the problem, toast would continue to be burnt because people don't want to have to start meddling with the insides of their toasters. Whilst system administrators who fail to apply patches are directly to blame for their own systems going down, the Microsoft approach to providing an answer to the security problem - that of endless patches - is fundamentally flawed. The Computer of Tomorrow will not only have a secure foundation, but will be as easy to use, reliable and foolproof as toasters and televisions of today - you press a button, and they work.
Darren Grant, UK

Not only should lazy admins have patched their servers months back, but their SQL servers should not be directly accessible to the internet, if they weren't then the servers cannot be infected even if they are not patched up to date. Any admin who's network was compromised should be fired for incompetence!
Matt Elkington, UK

Yes, let's all blame Microsoft for our own internal IT failures. The people toting this sad and sorry excuse, are obviously the idiots that have no idea on how to manage a production environment. We can only hope no one has put them in charge. Even the biggest opponent of Microsoft know that they can sign up for automatic security bulletins from MS.
David, Sweden

When will people learn? If these sysadmins secured their networks correctly then worms like this just wouldn't happen! Sure, blame Microsoft for writing insecure products, but also blame the admins for not installing it correctly.
Stuart, UK

I take the points about the patches being readily available. I am also signed up to Microsoft's e-mail security bulletins. However, we are a small start-up company, we do not employ a full-time sysadmin. If I was to implement every patch that MS released, I would do little else. Do BMW, Volvo and the like expect us to implement their fixes upon recall? Microsoft software is a serious investment for a small company, and I think they have a duty to test it more thoroughly than they do at present, rather then releasing newer and newer "versions" of still buggy software.
Tom Buckland, UK

In agreement with Stephen White above, keeping systems secure and up to date is the tech/admins' responsibility. Granted that it was a malicious programmer who caused the damage - it was this neglect that allowed it to effect the consumer - when it didn't have to.
Steven, Scotland, UK

Microsoft did release a patch for this security hole many months ago - something it is not obligated to do but does so to further consumer confidence. If businesses do not install these patches, it is there own fault - it is only a couple of clicks to do once a month to update the operating system. Although Microsoft are at fault, the businesses really do have the bigger slice of the cake when it comes down to finger pointing!
Matthew Walster, UK

I was unable to log in to my PC and do any work this morning. My machine had been removed from the network over the weekend as a security precaution because I happen to have a file called SQLSERVR.EXE on my C: drive. Over 200 desktop machines like mine were affected in the company and it took the helpdesk nearly three hours to reconnect me because of the backlog of calls they were dealing with.
Matt Daniels, England

Jack Clarke, internet security expert
"This particular worm... is constantly trying to discover new hosts to infect"
See also:

27 Jan 03 | Technology
25 Jan 03 | Technology
25 Jan 03 | Technology
26 Nov 02 | Technology
09 May 02 | Science/Nature
26 Dec 02 | Technology
Links to more Technology stories are at the foot of the page.

 E-mail this story to a friend

Links to more Technology stories

© BBC ^^ Back to top

News Front Page | Africa | Americas | Asia-Pacific | Europe | Middle East |
South Asia | UK | Business | Entertainment | Science/Nature |
Technology | Health | Talking Point | Country Profiles | In Depth |