Setbacks in search for worm author

Security experts are trying to find the person responsible for releasing the SQL Slammer worm--some are pointing to Hong Kong; others are saying Korea is the source.

Robert Lemos Staff Writer, CNET News.com
Some say Hong Kong; others are pointing to Korea.

Security experts are hunting for clues that might finger the person who wrote the SQL Slammer worm that hammered the Internet this past weekend. Yet chances are, the attacker will escape, investigators said.

"It's going to be so hard to tell where even the first attack came from," said Marc Maiffret, chief hacking officer for security software firm eEye Digital Security, who did an early analysis of the worm. "The first (attack) that was sent out could have seemed to come from Microsoft...or NSA.gov (the National Security Agency)."

The problem underscores the difficulty in tracking a smart attacker on the Internet. The worm spread by sending out a single packet of data using the User Datagram Protocol, or UDP. Because UDP is connectionless and the receiver never confirms the sender's address with a handshake, the initial packets could have had any source address that the attacker wanted. Given that, the best hope that security experts and authorities may have is that the author does something dumb such as brag, Maiffret said.

The SQL Slammer worm hit fast and hard over the weekend, starting around 9:30 p.m. PST Friday. Within minutes, the worm had spread to 120,000 computers, a number experts estimated by including every computer connected to the Internet that was running a vulnerable version of Microsoft's SQL Server software.

The incident was the worst Internet attack since the Code Red and Nimda worms hit companies almost 18 months ago.

Companies infected with the SQL Slammer worm found their Internet connections overloaded with data, as the malicious program attempted to spread. Some Internet service providers had problems dealing with the worm, causing delays in responses for some customers.

Most companies and ISPs have recovered, and security experts are now focusing on finding the culprit.

Finding the first victim
Some of the effort has been focused on finding so-called Victim Zero, the first computer infected by the worm. The hope is that an extensive forensic analysis on that computer will reveal from where the original attack came.

The North American Network Operators Group apparently narrowed down the source of the first packets to a college in the Midwest, a large Web hosting provider, an ISP, and a Web conferencing and streaming content provider. However, the group can only confirm that the first attacks seen by its networks appeared from those sites.

Network protection provider Counterpane Internet Security has focused on a probe that its sensors detected at noon on Friday. The data packet was sent from a computer in Korea to an SQL server in Australia. Because the server in Australia wasn't vulnerable to the flaw, nothing happened, and no other potential attacks were seen.

Bruce Schneier, chief technology officer of Counterpane, readily admits that the probe may not be connected or meaningful. "It was isolated; it looked like the same probe," he said. "There will never be a definitive answer. All we can give will be our best guess."

The FBI is investigating the attacks, but it hasn't indicated whether it's turned its focus to any particular group or country.

"We are all looking into that," FBI spokesman Paul Bresson said, adding that there was no way to judge whether the bureau would get a break in the case. "Each case is different. In many cases, it's difficult to pinpoint the attacker."

Some experts have focused on Hong Kong. Security research firm iDefense on Monday released an analysis that suggested the worm may have originated from the Chinese hacking group Honker Union of China (HUC), but the company admitted that the evidence is slim and mostly circumstantial.

"A definite correlation between the actual worm code and the HUC is still undetermined," iDefense analysts wrote in the report. "As far as is known, the group has not claimed responsibility for the attack."

The company based its analysis on the fact that the hacking group--which was responsible for many Web site defacements following the U.S.-China spy plane incident in April 2001--had posted code capable of exploiting the flaw in Microsoft's SQL Server. iDefense pointed to the fact that the code began with a "no operation," or NOP, command and that the group had a member whose handle was n0p.

Yet other researchers thought such connections were tenuous at best.

eEye's Maiffret dismissed the NOP signature theory. "We haven't seen anything in (the worm code) that is pointing to any group," Maiffret said. "That's used in almost every payload ever written. It's not a signature. Anyone who is making that connection probably shouldn't be working in security."