Worldy worm. Blue areas represent the spread of Sapphire.

The Fastest Worm Ever

The Sapphire worm that struck the Internet 2 weeks ago was the fastest spreading computer infection in history, according to a new technical report, whose authors call this latest infection a milestone in worm evolution.

Unlike computer viruses, which embed themselves in programs and can't spread without help, worms use computer networks to propagate. Sapphire, also called Slammer, debuted at 9:30 p.m. Pacific time on 24 January and spread to more than 75,000 computers around the globe in a few minutes, knocking out 911 emergency services, automated teller machines, and airline online ticketing systems as well as denying Internet access to millions.

In a technical paper published online yesterday, investigators report that during the first explosive minutes of Sapphire's attack, the worm doubled its numbers every 8.5 seconds, more than 250 times speedier than the Code Red worm that attacked the Internet in July 2001 (see comparison). Within 10 minutes, Sapphire infected more than 90% of vulnerable hosts. "It grew so fast it actually interfered with its further growth, because it clogged up the available bandwidth," says study co-author David Moore at the San Diego Supercomputer Center.

The secret of the worm's success was its tiny size. Sapphire's instructions were only 376 bytes long, about the length of this paragraph. Such brevity allowed Sapphire to fit into network packets, the blocks of data computer systems swap online. By exploiting a quirk in Microsoft's SQL database management servers (and a desktop equivalent), Sapphire rapidly sent itself to potential victims. For instance, an infected desktop computer with a typical DSL connection could deal out roughly 300 copies per second of the worm; a faster university or corporate server could send copies up to 100 times faster. By comparison, the Code Red worm only sent six copies of itself every second.

The outbreak died down after about 24 hours as network administrators applied a software patch from Microsoft. Because Sapphire did not have a malicious payload attached to it, it wreaked havoc merely by flooding networks with bogus traffic. However, Moore says a more sinister worm carrying up to 1500 bytes--enough space to add data-erasing instructions or other nasty commands--would have been nearly as fast.

"This research clearly indicates that a fundamentally new security approach is required," says Carey Nachenberg, a senior security analyst at Symantec Research Labs in Cupertino, California. Responses to a computer virus/worm typically "take hours and require companies to capture and analyze a threat in the lab, produce a fingerprint, and distribute the fingerprint to millions of users," he says. "By the time a traditional cure is ready, a large fraction of susceptible machines could be compromised by such a flash threat."

Related sites
The technical paper, "The Spread of the Sapphire/Slammer Worm"
Microsoft's Customer Update on the "Slammer" Attack