Reader's advisory: Wired News has been unable to confirm some sources for a number of stories written by this author. If you have any information about sources cited in this article, please send an e-mail to sourceinfo[AT]wired.com.
The global worming attack that fried much of the Internet this weekend may return on Monday as unpatched systems and applications boot up at the start of the workweek.
The worm can attack a multitude of Microsoft applications as well as applications distributed by other companies, including administration, helpdesk, corporate antivirus and assorted security applications.
Network administrators may not even be aware that their systems harbor programs that need to be patched.
"Slammer" began to spread shortly after midnight ET on Saturday and quickly slapped many computer systems around the world offline.
Telecommunications systems in Asia and Europe were swamped, some North American ATM machines ceased to spit out cash, and several airline reservations systems shut down.
It's anyone's guess whether the worm will return in full force on Monday, but security experts said they don't think Slammer is dead yet.
Slammer targets Microsoft's SQL Server 2000 as well as applications created with the Microsoft SQL Server 2000 Desktop Engine (MSDE 2000). Any application using this codebase is open to the exploit unless it is patched.
"It's entirely possible that we may not see the full effect of this worm for several days," said security consultant Ken Pfeil. "Judging by previous worms of this nature, we could be in for a rather bumpy ride."
Microsoft gives MSDE 2000 away for free so developers can build it into their applications, explained network security consultant Mike Sweeney.
"Programmers rarely understand the ramifications of using something like the MSDE 2000 package in the network from a support/security perspective," said Sweeney. "They use it because it's free and it saves them the drudgery of coding it themselves."
"But if the IT department is not aware of MSDE 2000 code in applications, they won't know to patch the desktops, which leaves them vulnerable to a possible attack," added Sweeney. "This is the classic 'what we have here is a failure to communicate' problem. Microsoft has done a very poor job in communicating to the administrative side of the house how all these neat programming aids tie into the big picture."
Microsoft released a patch for Slammer in July 2002, but security experts said that a successful install required users to manually edit system files, a complication that resulted in some patches being installed incorrectly, if they were installed at all.
A service pack that included a fix for the vulnerability that Slammer exploits was released on January 17, 2003. Although the service pack fix is easier to install than the standalone fix, it still requires some time to download and configure – up to two hours depending on the size of a user's SQL database, experts said.
Some who attempted to patch their systems after hearing about the worm were unable to download the fix from Microsoft because of a sudden spike in download demand and the worm's own network-clogging traffic.
Slammer scanned systems in such an aggressive manner that some countries initially assumed it was a targeted attack against their national infrastructure.
South Korea's Ministry of Information and Communication announced that "hackers have launched an all-out attack" on the country's telecommunications system early on Saturday, but has since decided that the collapse of the country's entire communications system was caused by Slammer.
"Within 3 hours since the outbreak began we detected more than 20 thousand attempts to penetrate into our network," said Igor Mitiurin, head of the Information Security Department in Russlavbank, one of Russia's biggest banks. The bank had previously patched its system and was unaffected.
Virtually all Bank of America ATMs were down for much of Saturday. Canadian Imperial Bank of Commerce ATMs were also knocked offline.
"I have twenty-two bucks in my pocket and 14 people coming over to eat chili, drink beer and watch the Super Bowl tomorrow," Manhattan resident Gail Pastore fumed, after finding out she wouldn't be able to make a withdrawal. "It's not going to be a good weekend."