[ISN] Study: Slammer was fastest-spreading worm yet

From: InfoSec News (isnat_private)
Date: Tue Feb 04 2003 - 02:50:03 PST


    By Martyn Williams
    IDG News Service
    FEBRUARY 03, 2003

    A just-completed study into the Slammer worm, which hit the Internet a
    week ago, has concluded what many people already suspected: Slammer
    represented a significant milestone in the evolution of worms and was
    by far the fastest-spreading worm yet seen.

    The study was conducted by a group of experts representing the
    Cooperative Association for Internet Data Analysis (CAIDA); the
    International Computer Science Institute; security company Silicon
    Defense; the University of California, Berkeley's electrical
    engineering and computer sciences department; and the University of
    California, San Diego's computer science and engineering department.
    Its results provide a look into the first moments of the spread of
    Slammer and offer some impressive statistics.

    During the first three minutes of the worm's spread, the number of
    infected machines doubled roughly every 8.5 seconds, the study found.
    This is more than 250 times faster than Code Red, which hit in
    mid-2001 and had a doubling time of 37 minutes, according to the
    report. The worm hit its full scanning rate of around 55 million scans
    per second about three minutes after the attack began at approximately
    12:30 a.m. EST on Jan. 25.

    The result was that within 10 minutes of the start of the attack, the
    majority of the estimated 75,000 machines that were hit had already
    been infected, said the report.

    Slammer's spread was considerably faster for several reasons, said the
    report. First, it was small. At just 376 bytes in size, the worm and
    required headers fit inside a 404-byte User Datagram Protocol (UDP)
    packet. Code Red was 4KB in size, and the Nimda worm was around 37KB.

    The worm also worked differently from Code Red. Slammer generated
    random IP addresses and dispatched itself to those addresses without
    scanning to find out whether the target machine was running either of
    the two pieces of software that were vulnerable to attack: Microsoft
    Corp.'s SQL Server 2000 database and MSDE 2000 (Microsoft SQL Server
    2000 Data Engine). Because of its random nature, given enough time,
    the worm would hit all vulnerable machines.

    However, the speed with which it propagated appears to have
    contributed to its downfall. Spread of the worm eventually began to
    slow because bandwidth from infected machines to the Internet couldn't
    support the exponential growth in IP packets being generated, the
    report said.

    Its signature, attacking a specific port on vulnerable systems, was
    also easy to detect, and network-level blocking of the ports in
    question was effective in slowing the worm.

    In the case of Code Red, the worm probed machines to find vulnerable
    servers and attacked only the IP addresses of machines judged
    vulnerable. This led to a much slower rate of infection.
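    The growth dynamics the article summarizes (a fixed early doubling
    time, a random scanner that needs no prior probe, and a bandwidth
    ceiling that eventually throttles the spread) can be reproduced in
    a small deterministic model. The following is an added example
    written for this page; it is not code from the article or from the
    CAIDA study. It takes only the article's figures (8.5 s and 37 min
    doubling times, 75,000 hosts hit, a 404-byte packet, 55 million
    scans per second at peak) and assumes the rest: a uniform random
    scanner over the 2^32 IPv4 space, the classic logistic model
    dI/dt = A(I)(N - I)/2^32, and the peak scan rate standing in for
    the aggregate bandwidth limit. The simulated timeline is
    illustrative only; it ignores the uneven host bandwidth and early
    blocking that shaped the real event.

```python
import math

# Figures from the article; everything else in this model is an assumption.
ADDRESS_SPACE = 2 ** 32      # IPv4 addresses a uniform random scanner draws from
VULNERABLE = 75_000          # machines the study estimated were hit
PACKET_BYTES = 404           # UDP datagram carrying the 376-byte worm
PEAK_SCANS_PER_S = 55e6      # observed full scanning rate, used here as the bandwidth cap


def doubling_time(rate):
    """Seconds for exp(rate * t) to double."""
    return math.log(2) / rate


def growth_rate(doubling_s):
    """Exponential growth rate implied by a doubling time in seconds."""
    return math.log(2) / doubling_s


def speedup(slow_doubling_s, fast_doubling_s):
    """How many times faster the second worm doubles than the first."""
    return slow_doubling_s / fast_doubling_s


def per_host_scan_rate(doubling_s, vulnerable=VULNERABLE, space=ADDRESS_SPACE):
    """Scans/second each infected host must send to produce the early doubling time.

    While few hosts are infected, a uniform random scanner obeys
    dI/dt = s * I * vulnerable / space, so s = (ln 2 / doubling) * space / vulnerable.
    """
    return growth_rate(doubling_s) * space / vulnerable


def bits_per_second(scans_per_s, packet_bytes=PACKET_BYTES):
    """Upstream bandwidth one host needs to sustain that scan rate."""
    return scans_per_s * packet_bytes * 8


def simulate(scan_rate, aggregate_cap=None, vulnerable=VULNERABLE,
             space=ADDRESS_SPACE, dt=0.5, max_t=3600.0, start=1.0):
    """Euler-integrate the random-scan model dI/dt = A(I) * (N - I) / space.

    A(I) is the aggregate scan rate scan_rate * I, throttled to aggregate_cap
    to mimic infected hosts saturating their links. Returns a list of
    (t, infected, aggregate) tuples until 99.9% of the population is infected.
    """
    infected, t = start, 0.0
    trace = [(t, infected, scan_rate * infected)]
    while t < max_t and infected < 0.999 * vulnerable:
        aggregate = scan_rate * infected
        if aggregate_cap is not None:
            aggregate = min(aggregate, aggregate_cap)
        newly = aggregate * (vulnerable - infected) / space * dt
        infected = min(vulnerable, infected + newly)
        t += dt
        trace.append((t, infected, aggregate))
    return trace


def time_to_fraction(trace, fraction, vulnerable=VULNERABLE):
    """First simulated time at which the given fraction of hosts is infected."""
    for t, infected, _ in trace:
        if infected >= fraction * vulnerable:
            return t
    return None


def observed_doubling(trace, count):
    """Simulated seconds taken to grow from `count` to `2 * count` infected hosts."""
    first = next(t for t, i, _ in trace if i >= count)
    second = next(t for t, i, _ in trace if i >= 2 * count)
    return second - first


if __name__ == "__main__":
    s = per_host_scan_rate(8.5)
    print(f"Code Red vs Slammer doubling speedup: {speedup(37 * 60, 8.5):.0f}x")
    print(f"per-host scan rate for 8.5 s doubling: {s:.0f} scans/s "
          f"(~{bits_per_second(s) / 1e6:.1f} Mbit/s upstream)")
    free = simulate(s)
    capped = simulate(s, aggregate_cap=PEAK_SCANS_PER_S)
    print(f"early doubling in model: {observed_doubling(free, 100):.1f} s")
    print(f"90% infected: uncapped {time_to_fraction(free, 0.9):.0f} s, "
          f"bandwidth-capped {time_to_fraction(capped, 0.9):.0f} s")
```

    Two things the model makes visible that the prose only states: the
    8.5-second doubling implies each infected host was pushing on the
    order of several thousand 404-byte datagrams per second (roughly
    15 Mbit/s), which is why the spread was so easy to see on a port
    counter, and once the aggregate scan rate hits the cap the growth
    curve changes from exponential to a slower, link-limited decay of
    the uninfected remainder.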
    The report also identified at least one implication of the attack.
    It said smaller user populations could potentially be more vulnerable
    to attack. In the past, worms often targeted only software for which
    there was a large installed base of users. But given the speed with
    which Slammer-like worms can spread, less popular software now also
    presents a viable breeding ground for worms, the report said.

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Feb 04 2003 - 05:39:42 PST