
Major Security News: Internet-Based Worm Seriously Impacts Network Stability

Breaking News

  • Starting around midnight EDT on Saturday, January 25, a worm hit the Internet.
  • It used a well-known security hole in MS SQL servers (Microsoft's database server, which runs on Windows systems) to penetrate the systems, and then attempted to infect other systems.
  • Although patches had been released in June or July 2002, many unpatched systems remained. These systems, once infected, became the launchpoint for further attacks.
  • The sheer volume of data generated by infected systems attempting to infect others overwhelmed the Internet, resulting in 20% packet loss or higher on some sections of the backbone.
  • The problems were global. The US was hit hard partially because the Internet is more widely available here, but other parts of the world suffered as well.
  • The solution was to block the network port at the network firewall level and/or to shut down the infected machines.

News links

For Reflection...

  • What simple step(s) could have stopped this worm?
  • What impact did the timing of its release have?
  • The worm had an essentially non-destructive payload, even though it ran with SYSTEM privileges. Why do you think this was? Do you suspect a destructive payload might be released in the future?
  • Can you find news stories of how critical infrastructure or activities were threatened or hurt by the worm?
  • If you were helping an organization to make IT decisions, what advice would you give about how to avoid future Internet worms?


UNC SILS
Prof. Greg Newby