Asia fingered as Slammer's birthplace

Some security experts are pointing to the Far East as the birthplace of the worm that wreaked havoc over the weekend on Internet servers worldwide.

Jan. 27, 2003 11:43 a.m. PT

2 min read

Some security experts are pointing to the Far East as the birthplace of the worm that wreaked havoc over the weekend on Internet servers worldwide.

The Slammer worm--also known as Sapphire and SQLExp--exploits vulnerabilities in Microsoft SQL 2000 Web servers and causes increased traffic between servers. The worm started spreading about 9:30 p.m. PST on Friday.

"The worm could have originated from Asia," Roy Ko, center manager for the Hong Kong Computer Emergency Response Team, said in a e-mail interview.

Slammer's spread over the weekend was the largest such incident since the Code Red and Nimda worms swamped servers in 2001. The attack served as a wake-up call for anyone who thought the Internet had become a safer place following increased attention by corporate and government leaders.

"We started to notice heavy Internet traffic in Asia on Saturday afternoon before other parts of the world reported it," said Ko.

A company is claiming that the worm first appeared in Hong Kong, Ko said, but that's still under investigation.

Security software makers such as Trend Micro and Network Associates have not ascertained Sapphire's origins but media reports do lend some weight to Ko's deduction.

According to The Washington Post, security experts who studied the worm have found references in its code to the Chinese hacking group, the Honkers Union of China.

In April 2001, the faction defaced more than 80 U.S. Web sites including those belonging to the Navy, Labor Department and the California Department of Energy.

While the culprits behind this online assault remain unclear, the damage in Asia is far more concrete.



		Help and How-to SQL Slammer worm How to recognize and prevent the virus.

South Korea appears to have taken the brunt of the damage as the region's most wired nation. Almost all of Korea Telecom's--the nation?s largest Internet service provider (ISP)--lost their connections during the attack.

In China, the Web sites of China Telecom, the China Science and Technology Network and the Education and Research Network came to a halt, and Japanese Internet firms reported a network slowdown, said Viren Mantri, regional engineering manager of Network Associates.

Chunghwa Telecom, Taiwan's largest ISP, said millions of Net users were unable to access its portal during the virus onslaught.

CNETAsia's Winston Chai reported from Singapore.