Slammer--the first 'Warhol' worm?
Last week's malevolent virus infected most of its targets in almost no time, putting it in the realm of a "Warhol" worm because it could infect the entire Internet in 15 minutes.
The findings come from the Cooperative Association for Internet Data Analysis (CAIDA), a mainly U.S. government-funded think tank devoted to developing tools and standards for measuring Internet traffic. According to a CAIDA report issued late last week, the SQL Slammer worm--also known as Sapphire--doubled in size every 8.5 seconds when it first appeared, and reached the full rate at which it was scanning for vulnerable computers--a rate of more than 55 million scans per second--after about three minutes.
This puts
Researchers have theorized about such worms for some time, and a paper presented at last year's Usenix Security Symposium by security experts Vern Paxson, Stuart Staniford and Nicholas Weaver also predicted the emergence of such worms. Until now, however, no examples have been released into the wild.
The authors of the CAIDA report--David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford and Nicholas Weaver--noted that the worm paves the way for future versions that could spread even more quickly and create more chaos. "If the worm had carried a malicious payload, had attacked a more widespread vulnerability, or had targeted a more popular service, the effects would likely have been far more severe," they wrote in the report.
Slammer's spread was two orders of magnitude faster than Code Red, which infected 359,000 computers in the summer of 2001, and doubled in size only about every 37 minutes, according to CAIDA.
Slammer infected fewer computers than Code Red, but was significantly limited by flaws in its design. For example, a faulty random-number generator meant that the worm was not able to scan all possible Internet addresses. Also, said CAIDA researchers, its method of random scanning was so aggressive that it quickly bogged down networks and was unable to continue operating at full throttle.
The researchers noted that although the nature of the SQL bug exploited by Slammer helped it to spread quickly--the bug was exploitable by sending a single packet to a particular UDP ((user datagram protocol) port--other types of worms could spread just as quickly. "Any worm with a reasonably small payload can be crafted into a bandwidth-limited worm of a similar nature," they wrote.
Traditional virus-blocking methods are now practically useless for stopping the new breed of worm, the report's authors noted. "Since high-speed worms are no longer simply a theoretical threat, worm defenses need to be automatic; there is no conceivable way for system administrators to respond to threats of this speed," they wrote.
On Friday, Stuart Okin, Microsoft UK's chief security officer, warned that morphed forms of Slammer could cause more problems than the original. This is because Slammer had no payload, so it did not do any direct damage aside from the effects of its denial-of-service nature, and systems could be cleaned by being switched off and on again.
ZDNet U.K.'s Matthew Broersma reported from London.