MS SQL Server Worm Cripples Internet

Internet traffic slowed to a crawl early Saturday morning as a virus-like worm exploited a known flaw in Microsoft SQL Server 2000 and flooded the world's digital backbones. The attack used a buffer overflow to execute code on a vulnerable SQL Server, causing that system to randomly seek out other computers to infect and in the process consume massive amounts of bandwidth.

Major Internet providers began to block the malicious traffic by mid-morning Saturday, although UUNet continued to report major slowdowns.

Microsoft issued a security bulletin and patch for the SQL Server 2000 flaw last July, but many network administrators had apparently not updated their systems. One such administrator told BetaNews that a tool offered by Microsoft to confirm all hot fixes were applied, HFNetChk, did not correctly identify the missing patch.

The worm, called "Sapphire" or "SQL Slammer," specifically targeted UDP port 1434 in order to find SQL Servers to compromise. By blocking all traffic on that port and the primary SQL Server port, 1433, network administrators were able to quell the floods. Affected servers had to be rebooted in order to stop the flow of data.
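A defender's view of the behaviour described above, as an added example that is not part of the original article: the script flags internal hosts that send UDP port 1434 traffic to many distinct destinations in a short window, which is the fan-out pattern of random scanning. The flow-record format, the sample records, and the window and threshold values are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic): "epoch_seconds proto src dst dport"
SAMPLE = (
    # 10.0.0.5: eight distinct destinations on udp/1434 in under 0.1 s (scanning pattern)
    [f"100.{i:02d} udp 10.0.0.5 198.51.100.{i} 1434" for i in range(1, 9)]
    # 10.0.0.9: repeated queries to a single server on udp/1434 (normal client)
    + [f"{100 + 30 * i}.00 udp 10.0.0.9 192.0.2.10 1434" for i in range(6)]
    # 10.0.0.7: high fan-out, but on udp/53, so not relevant to this check
    + [f"100.{i:02d} udp 10.0.0.7 198.51.100.{i} 53" for i in range(1, 9)]
    + ["garbage line"]  # malformed record, must be skipped
)

def parse_flow(line):
    """Split one record into (timestamp, proto, src, dst, dport); raises ValueError if malformed."""
    ts, proto, src, dst, dport = line.split()
    return float(ts), proto.lower(), src, dst, int(dport)

def find_scanners(lines, port=1434, window=1.0, min_targets=5):
    """Return {src: peak count of distinct destinations on udp/<port> within `window` seconds}
    for every source whose peak reaches `min_targets`."""
    events = defaultdict(list)
    for line in lines:
        try:
            ts, proto, src, dst, dport = parse_flow(line)
        except ValueError:
            continue  # ignore blank or malformed records
        if proto == "udp" and dport == port:
            events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            # Slide the left edge until the span fits inside the time window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in evs[start:end + 1]}))
        if best >= min_targets:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    for src, count in sorted(find_scanners(SAMPLE).items()):
        print(f"{src}: {count} distinct udp/1434 destinations within 1s")
```

A host that only queries one known SQL Server on port 1434 stays below the threshold, so the check separates infected machines from ordinary clients before the port is blocked outright.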

It is unclear how many variants of the worm were spreading, as the damage is still being assessed. Along with flooding Internet pipelines, administrators reported the worm modified SQL Server settings such as encryption and default port configuration.

Anti-virus company Symantec estimated that at least 22,000 systems were affected worldwide.