Dawn of the Superworm

unclehobart

New Member
I don't know if anyone has seen this article before.. but I found it to be quite scary.
http://www.pcworld.com/news/article/0,aid,110014,00.asp

Dawn of the Superworm
The attack came swiftly and without warning. At 12:30 a.m. eastern standard time, January 25, a single packet of data containing the Slammer worm began spreading across the Internet. Within 10 minutes the worm reached 90 percent of the Net and infected more than 75,000 machines. At its peak 30 minutes later, it disrupted one out of five data packets. The result: service blackouts, canceled flights, and disabled ATMs.

Next time around, we might not be so lucky.

Slammer (also called Sapphire or SQL Hell) was a piece of code about the length of the first paragraph of this story. It created havoc but destroyed no data, and network managers could easily stop it by blocking a port or turning off an infected server, say security experts.

Like Nimda and Code Red before it, Slammer was probably just an experiment rather than a deliberate attempt to hobble the Internet, says Ryan McGee, product marketing director at McAfee Security in Santa Clara, California.

Nevertheless, all three experiments were "successes." And that success is likely to encourage cyberterrorists to build new "superworms" that blend the most potent features of proven worms, and to then use them against specific targets or even as weapons of cyberwar, analysts say.

"If this new era of worms plays out the same way other eras have, the next phase of development will be to see what they can do to damage computers, delete files, and steal personal information," McGee says. In fact, the U.S. Department of Homeland Security warns that terrorists may launch cyberattacks as well as physical ones.

A Zombie Army
Building such a superworm is not difficult, says Dan Ingevaldson, team leader for X-Force, the research-and-development arm of Internet Security Services in Atlanta.

"All you really need is to take an existing worm and mate it with a new head to create a new method of attack," he says.

Worse, hybrid worms could be stealthier than Slammer and its ilk. One could nest in millions of systems and lie dormant until activated for a distributed denial-of-service attack, bombarding a specified server with requests from those many infected systems, says Stuart Staniford, chief executive of Silicon Defense in Eureka, California.

"A worm can create millions of zombies, because it spreads so fast," Staniford says. "Sapphire made an enormous amount of noise." A worm that spread quickly and then deactivated would be tougher to combat, he notes.

Holey Software, Batman
Like most worms, Slammer attacked a vulnerability known to hackers and security wonks alike: a flaw in Microsoft SQL Server 2000, the database program used by hundreds of thousands of servers. ...(continued)...

It's a short article with a few links.

Had anyone known of this? I don't get the trade magazines or hover in programmer circles who would talk of it over the watercooler.
 

HeXp£Øi±

Well-Known Member
I hadn't. It's very interesting but as usual no surprise. Thousands in nations like Russia and China are working on these 24/7. My firewall told me I was being hit with Code Red the other night but I wonder if in actuality this was it. I thought something was strange. It's only a matter of time before we suffer a series of these serious attacks. We might even see it if we go to war with NK. You know it's going to happen some time.
 

PT

Off 'Motherfuckin' Topic Elite
I remember reading about it back when it happened. It's scary indeed, new security flaws are often found by the hackers rather than the AV or OS people.
 

HeXp£Øi±

Well-Known Member
Duh...oops.. I had to read it again. For some reason I thought the date said yesterday or something. I think as soon as I started reading it my brain found an answer it liked for the other night's attack and filled in the blanks on its own. Must be careful not to do that in the future.
 

Squiggy

ThunderDick
I think I recall a thread here on it. If I remember correctly, Mirlyn had some problems with it....
 
You know, the past few days my BitTorrent sites have been swamped, many are blaming the MPAA for some sorta worm, kinda makes you feel much better when someone hacks their fucking money hungry asses, next step should be to virus up all their servers :grumpy:
 

HomeLAN

New Member
I think I read about it when it happened. The scary shit is the possibility of dormant and unknown worms taking control and making your boxes zombies. You gotta know what your machines are doing.
 

octal

New Member
I'm still waiting for the multi-headed worm...a hydra...to sniff for encrypted digital footprints on a bank's mainframe ethernetwork.:buck:
 