27 January 2002 A ‘Code Red’ style worm that attacks Microsoft SQL Server 2000 databases has been blamed for reducing the Internet to a crawl over the weekend.

Called Slammer, the worm exploits a buffer overflow vulnerability in SQL Server. It then attempts to send itself to randomly generated IP addresses, which caused such a volume of traffic that many Internet service providers (ISPs) were overwhelmed.

The bug was identified and fixed in SQL Server 2000 Service Pack 3, released in July 2002. However, many users have not yet installed it. This is partly because the appropriate patches have to be applied manually. This makes installing SQL Server service packs a fraught and time consuming process.

ISPs and businesses in Asia were particularly hard hit because the worm is believed to have originated in Taiwan. South Korean internet services were shut down for several hours and outages or slowdowns were reported in China, India, Japan, Malaysia, Philippines and Thailand.

However, this may also reflect a lackadaisical approach to security and network abuse issues across the region as well.

The malicious code is just 376 bytes in size and does not harm the data held on the database. It was launched at about 5:30am GMT on Saturday morning, according to anti-virus software vendors.

Links:
Detailed analysis of Slammer – Sophos
Computer Emergency Response Team (CERT) advisory
Microsoft Security Bulletin MS02-039