Virus-Like Infection Jams Global Internet Traffic, Disables ATMs

A fast-spreading, virus-like infection dramatically slowed Internet traffic Saturday, overwhelming the world’s digital pipelines and interfering with Web browsing and e-mail delivery.

Sites monitoring the health of the Internet reported detecting at least 39,000 infected computers, which transmitted floods of spurious signals disrupting hundreds of thousands of systems worldwide. Monitors reported significant slowdowns, although recovery efforts appeared to be succeeding.

“Everything is starting to come back online,” said Bill Murray, a spokesman for the FBI’s National Infrastructure Protection Center. “We know what the issue was and how to mitigate it, and we’re just imploring systems administrators to apply the patches that will prevent this from propagating again.”

Bank of America Corp., one of the nation’s largest banks, said many customers could not withdraw money from its 13,000 automated teller machines because of technical problems caused by the attack.

A spokeswoman, Lisa Gagnon, said the bank restored service to nearly all ATMs by late Saturday afternoon and that customers’ money and personal information had not been at risk.

Millions of Internet users in South Korea were stranded when computers at Korea Telecom Freetel and SK Telecom failed. Service was restored but remained slow, officials said. In Japan, NHK television reported heavy data traffic swamped some of the country’s Internet connections, and Finnish phone company TeliaSonera reported some problems.

“It’s not debilitating,” said Howard Schmidt, President Bush’s No. 2 cyber security advisor. “Everybody seems to be getting it under control.”

Schmidt said the FBI’s cyber security unit and experts at the computer emergency response team CERT Coordination Center, were monitoring the attack and offering technical advice to computer administrators on how to protect against it.

“We, as a technical group, are getting better at identifying these things and putting filters in place in a timely manner,” said Marty Lindner of CERT.

Rick Miller, a spokesman for Microsoft Corp., however, confirmed that Internet congestion was interfering with administrators trying to download the crucial software patch that Microsoft made available to protect vulnerable computers.

The same congestion also prevented consumers from contacting Microsoft over the Internet to unlock the antipiracy features of its latest products, including the Windows XP and Office XP software packages.

Tiffany Olson, spokeswoman for the President’s Critical Infrastructure Protection Board, said the White House may not determine the scope of damage “for at least a couple of days, and we may not know the full impact of this attack at all.” She said companies often don’t report damage to the government.

The virus-like attack, which began about 12:30 a.m. EST, sought out vulnerable computers on the Internet to infect using a known flaw in popular database software from Microsoft called “SQL Server 2000.” The attacking software was scanning for victim computers so randomly and so aggressively, sending out thousands of probes a second, that it saturated many Internet data pipelines.

Most home users did not need to take protective measures.

The FBI was searching for the origin of the attack, which experts variously dubbed “sapphire,” “slammer” or “SQ hell.” Some security researchers noted that software unleashed in Saturday’s attack bore a striking resemblance to blueprints for computer code published weeks ago on a Chinese hacking Web site by a virus author known as “Lion.” An FBI spokesman said he couldn’t confirm that.

Tracing the attack, which appeared to strike first in the United States, might be impossible because it used a transmission method that made it unusually easy to falsify its digital trail, experts said.