Computer Worm Slows Global Internet Traffic
Updated 12:11 PM ET January 25, 2003
By Jane Macartney and Bernhard Warner
SEOUL/LONDON (Reuters) - A rapidly spreading computer worm infested networks and bogged down Internet traffic across the globe on Saturday, crippling online services in one of the world's most wired countries, South Korea.
Called "Sapphire" or "SQL Slammer," the worm carries a self-regenerating mechanism that enables it to multiply quickly across the web, said Mikko Hypponen, manager of anti-virus research at F-Secure, a Helsinki-based computer security firm.
"It is so good at replicating that it generates massive amounts of traffic that will slow down networks," Hypponen said. "The end user never sees it. They only experience the slowdown on the Net."
Security experts blamed the worm for crashing almost all Internet services in South Korea.
It was the first time South Korea's broadband and mobile Internet services have been shut down on such a scale, although hackers are fairly active in the country where 70 percent of households have Internet access.
"It is highly likely hackers have launched an all-out attack on the country's Internet system," Yonhap news agency quoted an official of the Ministry of Information and Communication as saying.
CODE RED SIMILARITIES
The problem was not limited to South Korea, with systems slowing from Japan to Europe to the United States, officials said.
In Washington, the FBI said it was aware of the situation. "I know there is a worm out there. I don't know the name of it. It's something we are monitoring," spokesman Ed Cogswell said.
He said he did not know when the problem had started or who was responsible for it.
The worm has been likened to the "Code Red" bug of July 2001, which slowed traffic dramatically on the Internet. The authors of that malicious code remain a mystery.
"Sapphire" or "SQL Slammer" infects computer servers that run on Microsoft Windows 2000 SQL software. Once it attaches to a server, it transmits multiple data requests in a random manner to other IP addresses seeking more vulnerable servers to infect.
The effect is a flood of traffic that bogs down ISP networks and can even knock Web sites off-line, Hypponen said. He added the worm was probably installed on a faulty server by a virus writer or hacker within the past few days.
A patch is available on Microsoft Corp's Web site, www.microsoft.com, he added.
Left unchecked, the worm could continue to create large network disruptions for ISP customers, plus knock out some Web sites over the coming days, he warned.
Hypponen said it had disabled the email server of a corporate client in Slovenia. Meanwhile, ISP customers in the United States and Britain lodged distress notes on Internet message boards Saturday complaining about slowdowns in Internet traffic.
TARGET: SOUTH KOREA
The biggest impact appeared to be in South Korea, however, where police were called in to investigate.
The infestation brought down the entire Internet service of the country's largest ISP, KT Corp, a company spokesman said.
He said services were down for several hours in the afternoon but were recovering. However, the networks of number two operator Hanaro Telecom Inc and number three Thrunet Co were still experiencing trouble.
The crash was triggered by a huge volume of transmissions flowing into KT's Hyehwa service in Seoul, officials said.
All of South Korea's major high-speed Internet services use the KT server, so all suffered the same interruption.
Graham Cluley of Sophos Anti-Virus, a British virus detection firm, said its first reports came from companies in Asia. A number in Europe have also contacted Sophos reporting a degradation in Internet speed, he added.
AOL, the world's largest ISP with over 35 million subscribers, appeared to survive unscathed. A spokesman for the Time Warner Internet unit said the worm had had no impact on its service.