Computer worm grounds flights, blocks ATMs Experts: Little damage in worst Internet attack in 18 months Sunday, January 26, 2003 Posted: 8:58 PM HKT (1258 GMT) -------------------------------------------------------------------------------- Story Tools -------------------------------------------------------------------------------- RELATED • National Infrastructure Protection Center • CERT Coordination Center advisory WHAT IS A WORM? A program that makes copies of itself -- for example, from one disk drive to another, or by copying itself using e-mail or another transport mechanism. Source: Symantec QUICKVOTE Is the Internet too vulnerable? Yes No VIEW RESULTS WORM'S EFFECTS Customers of the Canadian Imperial Bank of Commerce in Toronto were unable to withdraw money using ATMs during part of Saturday. Korea Telecom Freetel and SK Telecom service failed, stranding millions of South Korean Internet users. Internet congestion prevented consumers from contacting Microsoft over the Internet to unlock the anti-piracy features of its latest products, including the Windows XP and Office XP software packages. The U.S. departments of State, Agriculture, Commerce and some units of the Defense Department appeared hardest hit among federal agencies. Some Associated Press news services were temporarily interrupted. The Philadelphia Inquirer reported serious computer problems, though the newspaper had already printed its early Sunday edition. The Atlanta Journal-Constitution computer network was hit, delaying publication of Sunday's first edition and delaying updates of the newspaper's Web site. Source: Associated Press WASHINGTON (CNN) -- A fast-moving computer worm snarled business and government computers Saturday, slowing some corporate systems to the point of inaccessibility. Internet security experts said the worm does not appear to have done any serious damage. The worm, dubbed "SQL Slammer," attacked via a vulnerability discovered six months ago in SQL Server 2000 software from Microsoft Corp., according to Oliver Friedrichs, a senior manager with Internet security firm Symantec Corp. Microsoft has offered a free patch to fix the trouble spot, but not all users of the server software installed the patch. Experts called it the most damaging attack on the Internet in 18 months as networks across Asia, Europe and the Americas were effectively shut down, Reuters reported. Bank of America Corp., one of the nation's largest banks, said many customers could not withdraw money from its 13,000 ATMs because of technical problems caused by the attack, according to The Associated Press. A spokeswoman, Lisa Gagnon, told the AP that the bank restored service to nearly all ATMs by late Saturday afternoon and that customers' money and personal information had not been at risk. Friedrichs said the SQL worm "breaks into the server and tries to spread." "It really generates a lot of network traffic," Friedrichs said. "It's really just going to slow down Internet performance." The White House was notified about the attack after it was discovered early Saturday, said Tiffany Olson, a spokeswoman for the President's Critical Infrastructure Protection Board. The FBI's National Infrastructure Protection Center is investigating, she said. Alan Paller of the SANS Institute, a training organization for technologists who try to protect computer systems and networks, said the SQL worm did not appear to be affecting files stored on computers. Instead, he said, it was causing trouble by replicating quickly and sending queries across computer lines for more vulnerable computers. "It's not a major risk. It's not [doing] either of the two things that are terribly damaging," Paller said. "One is hurting people's machines, and one is knocking things [off-line]." Several companies, including Continental Airlines, reported widespread computer problems Saturday. Continental said the worm attack caused its difficulties. Spokesman Jeff Walt said agents reverted to "the old fashioned way" -- phones, and pen and paper -- to record reservations and electronic tickets. "[That is] more time consuming, so we had some scattered delays around the system and some cancellations of regional flights," said Walt, adding that the airline experienced few problems on its national flights. "It looks like we're getting close to [having] everything resolved." Walt said Continental's hub at Newark, New Jersey, was the most affected by the problems, but problems were also reported in Houston, Texas, and Cleveland, Ohio. No delays lasted more than 30 minutes, he said. The "Slammer" did not appear to affect files stored on computers. Worms of this nature are often precursors to a different type of attack called "distributed denial of service." In that case, computers infected with a worm or other program are directed to send a flood of information to a specific Internet location and force it off-line. "[Saturday's worm] is the recruitment of soldiers, not telling the soldiers where to aim their guns," Paller said. He described Saturday's activity as a "worm with collateral damage." If the vulnerability in the SQL software is not patched, Paller said, it is possible that a future denial of service attack could harness the "zombie" machines created Saturday. Friedrichs said Saturday's worm was similar to the "Code Red" worm, which attacked unpatched Microsoft IIS servers in 2001 and defaced Web pages with the message "Welcome to http://www.worm.com! Hacked By Chinese!" "Code Red" eventually hit more than 700,000 computers and spread too quickly for investigators to trace its origin. So far, "SQL Slammer" has not disturbed any Web pages or other files. As far as the origin of Saturday's worm, Paller said it will be difficult to trace it via technological means. In many cases, a worm's creator brags about his or her activities online and is caught that way. Paller and Olson said Internet service providers and other security organizations had helped slow the worm's spread. "It could have been horrendous," Olson said. -- CNN technology correspondent Daniel Sieberg and White House correspondent Dana Bash contributed to this report. Roger EWROPS