How a computer hacker and an internet virus called Slammer gave the worldwide web a serious cold
Before you turn on your computer this morning, you might like to reflect that all may not be well with the internet today. Since early on Saturday, a virulent worm called Slammer has been paralysing web servers that use Microsoft's Windows operating system – the second time this has happened in 18 months.
The timing of the attack has led to claims of cyberterrorism but so far nobody has worked out who was behind it. In the US, the effects of the worm were widely felt: most of the Bank of America's 13,000 cash machines went offline. Five of the 13 "root" servers, which translate names such as amazon.com into a string of machine-readable numbers, were overwhelmed by the traffic generated by infected machines, estimated at more than 22,000 at one point. It clogged up networks, making sites slow to load and interfering with e-mail.
For Microsoft, the latest attack is embarrassing on two counts. First, it comes just as it wanted to push its SQL web-server software harder. While it dominates the desktop, with Windows installed on more than 90 per cent of the world's PCs, it runs less than half the servers on the Net; many instead use a free web server called Apache that has never seen an attack like this. Selling SQL Server will now be harder.
Second, in January 2002, Microsoft's founder, Bill Gates, sent one of his rare company-wide e-mail memos. In future, he said, the behemoth must emphasise security and reliability over showy features; it should be able to resist attacks from outside, and retain users' privacy. "If we don't do this, people simply won't be willing – or able – to take advantage of all the other great work we do," he wrote. A huge team of programmers was redirected to checking the company's products in search of security holes, and to closing them.
All in all, Mr Gates was lucky that the latest attack happened at a weekend. It began at about 5am GMT: a few, then more, of the web servers on the Net that run the SQL Server 2000 database software were infected. Just like a real virus, the code infected the systems and started them replicating itself – by sending out thousands of probes every second looking for other computers running the same software which could be vulnerable to infection.
Though the probes were tiny – only 376 bytes of code – there were so many that the spreading infection saturated many data links. In Korea, SK Telecom and Korea Telecom Freetel shut down, claiming they were the victims of a denial-of-service attack – in which outside computers freeze a web server by making repeated demands for its status – by unknown hackers. It turned out to be the new worm, Slammer.
Experts at once noted the similarities between this and the September 2001 attack by a worm called Code Red, which infected 300,000 servers running Microsoft's Integrated Internet Server. Examination of that code showed that it was programmed to launch an attack on the White House website; it was fought off. Even so, it was estimated to have caused $2bn (£1.25bn) of extra work.
Slammer seems to have had no aim, although experts warned that within a couple of days – that is, by today or tomorrow – hackers will have examined its code and come up with versions that have vicious payloads.
Even without it, it led to widespread problems. "I walked into the server room and was greeted with a ton of orange lights [that are normally just blinking]. That [worm] can really cook out the damage!" wrote Matt, a systems administrator, on the programmers site Slashdot.
"Someone really has carefully crafted this worm to try to bring down the net. And what better time than on a Saturday morning when all admins are away and not planning to work the next day!"
"This is like Code Red all over again," said Marc Maiffret, an executive with eEye Digital Security, whose engineers were among the first to study the attack software. "The sheer number of attacks is eating up so much bandwidth that normal operations can't take place."
But the Net generally is much closer to collapse – in the sense that companies and organisations are at the mercy of random events such as this – than most people are aware.
Take two examples. Nominet, the non-profit organisation that handles registration of every domain in the UK – such as independent.co.uk – found its database servers struggling to cope with an abrupt spike at the end of last week in the number of demands for details of the owners of the domains. "There were about 20 per second," said Lesley Lowley, the managing director. "In essence, the person behind it was getting websites all over the world to send queries to us asking for details of huge numbers of owners of website names." Nominet has about three million such websites registered – "UK domains are still healthy," Ms Lowley said – and it became clear quite quickly what the attacker was after. "We traced it back to Australia. We think it was a spammer who wanted to get e-mail addresses to send junk mail to."
At almost the same time, thousands of people throughout Britain found that various sites "vanished", and that they were unable to send or receive e-mail, after a systems administrator at WorldCom deleted some files in the course of "housekeeping".
While Nominet has taken action to have the suspect spammer cut off the Net, and the problems caused by WorldCom unwound themselves by the end of Friday, these cases illustrate both how reliant we are on the Net – where losing connectivity can make businesses judder towards a halt – and how unceasing is the war against the people who use computers against the Net's better-natured users.
For example, the spread of broadband connections in the past year has brought thousands of people connections that download up to 40 times faster than a standard phone line. Yet only a fraction of them know that such machines – especially if they are running Microsoft Windows – are an open door for a hacker. A random e-mail can plant a "Trojan" program that will give them control of your machine or, more worryingly, let them watch everything you do, including typing your passwords for your banks.
Yet hardly any UK internet service providers supporting broadband offer or require customers to install a firewall. And if customers do get hacked, the ISP will say it's their own fault.
Similarly, spam – junk e-mail – threatens to overwhelm users: estimates suggest that its volume will overtake that of legitimate e-mail this year. But without a way to identify, root out and block the spammers, the internet is at the mercy of the people exploiting its open nature.
But the system doesn't have to be so liable to collapse. A next-generation system for letting machines on the Net communicate with each other – called IPv6, for "internet protocol version 6" – has been under discussion for a decade. It could replace the current system, IPv4, allowing more systems, including phones and even fridges, to communicate over the Net, while giving more security and traceability to it. Everyone knows what it is and how to use it. But nobody does.
"The actual implementation is still theoretical," said Roland Perry, a spokesman for Linx, which represents the companies that keep the internet ticking over in the UK. "I would be surprised if it was the norm to have IPv6 in use in five years. Something else will happen to make it obsolete first."
Christian de Larrinaga, the director of the IPv6 Task Force UK, agrees that without an incentive, getting it used is "something of a chicken and egg situation". Yet it would probably have made tracing the source of the weekend's attack a lot simpler.
"People need to do a better job about fixing vulnerabilities," said Howard Schmidt, President Bush's deputy cyber-security adviser. But the question is, which people? Microsoft? The operators? The Net's users? The answer is unlikely to come in a hurry.
VIRUSES THAT SHOOK THE INTERNET
November 1988: The Sendmail worm, written by Robert Morris, below, then a student at Cornell University in the US. In the days when the internet was almost exclusively used by academics, Morris wrote a small program that exploited flaws in two widely used internet programs, Sendmail (which sends electronic mail) and Finger (which checked if someone was online). A bug in Morris's code made the worm spread faster than he expected; many sites took themselves offline to avoid being infected. Morris, the son of a high-ranking official at the US government's National Security Agency, was fined $10,000 (£6,000) in 1990.
June 1998: The Chernobyl virus was spread in pirated software disks. It made the computer's start-up chip burn out, rendering the machine useless. The writer was never found.
March 1999: The Melissa virus spread around the Net by exploiting a weakness in Microsoft's Windows operating system. Released on a Friday, it brought down several corporate networks, and had a new lease of life when people turned on their machines again on Monday.
May 2000: The Love Bug virus, above, spread like wildfire around the world by e-mail attachment. It exploited flaws in Windows: opening the attachment automatically sent a copy to everyone in the PC's address book, and deleted the user's music and image files.
A Filipino, Reomel Ramones, 27, was arrested on suspicion of releasing the virus but was freed because the Philippines had no law against spreading computer viruses.
September 2001: The Code Red (aka Nimda) virus/worm infected desktop PCs running Windows and servers running Microsoft's IIS Web software. About 300,000 computers were infected, although a fix had been available before the attack started. Even now, some "unpatched" computers still fall victim.
January 2003: Simon Vallor, below, from Wales, was jailed for two years for writing three viruses that infected thousands of computers worldwide running Windows in 2001. Some could destroy all the data on a hard drive. The judge said "so many people use and rely on computers these days, any interference with that use must be regarded as a very serious matter".