Sapphire / Slammer Postmortem : Raising The Cyberwar Stakes

I am pretty much like everybody else when it comes to computer viruses – seems like there’s a new one every time I turn around and I’m starting to tune out the news about the latest one. Big mistake. A newly posted report about the most recent major computer virus epidemic known as Sapphire / Slammer makes for some VERY sobering reading. S / S represents a quantum leap in computer virus capabilities and in retrospect what it did is very, very scary.

From the report: “The Sapphire Worm was the fastest computer worm in history. As it began spreading throughout the Internet, it doubled in size every 8.5 seconds. It infected more than 90 percent of vulnerable hosts within 10 minutes…The worm infected at least 75,000 hosts, perhaps considerably more, and caused network outages and such unforeseen consequences as canceled airline flights, interference with elections, and ATM failures…Sapphire spread nearly two orders of magnitude [i.e., 100 times] faster than [the previous historical virus attack known as] Code Red…While Sapphire did not contain a malicious payload (!?! – SFT italics), it caused considerable harm simply by overloading networks and taking database servers out of operation…”

What happens next time when whoever released this thing gets a malicious payload subroutine added on board for Round Two? It will be a Warhol Worm…

2 thoughts on “Sapphire / Slammer Postmortem : Raising The Cyberwar Stakes”

  1. Sure, the sapphire/slammer worm was already pretty malicious, just by messing up servers and eating bandwidth, but…

    From what I understand, a botnet of a few thousand compromised machines is enough to knock a major site off the Internet for at least several hours, by simply using up most of their bandwidth. This assumes no great sophistication, just a brute force distributed denial of service (DoS) attack – basically flooding the victim’s servers with junk requests and other rubbish.

    It would have been extremely easy to add this kind of DoS zombie program onto the worm.

    Slammer controlled more than 70,000 machines. So, if its authors had set each compromised system to DoS a random server from a list of say ten or twenty, including, for example, yahoo, google, whitehouse.gov, slashdot.org…

    …no Internet today, sorry…

    That’s what they mean by ‘malicious payload’.

  2. This was one of the most devastating worms to date, and it employed a relatively simple propagation algorithm. Worms used to build botnets lately have employed better algorithms, but they haven’t risen to internet-crushing levels. They are less aggressive and exploit older defects.

    I think this might be intentional on the part of the worm authors — they are trying to fly “under the radar” of the AntiVirus companies as they build their botnets. If they exploit a new, universally unpatched defect and crush the internet, there will be a massive immune response wiping out their worm as people run around and clean them up. If they spread slower they will go unnoticed in pockets, and can slowly build up a botnet over a period of weeks.

    Fortunately, modern worms can also be stopped by modern AntiWorm (http://intrinsicsecurity.com) systems.
