WASHINGTON -- A fast-spreading, virus-like infection dramatically slowed Internet traffic Saturday, overwhelming the world's digital pipelines and interfering with Web browsing and e-mail delivery.
Monitors reported detecting at least 39,000 infected computers, which transmitted floods of spurious signals disrupting hundreds of thousands of other systems worldwide. Sites monitoring the health of the Internet reported significant slowdowns, although recovery efforts appeared to be succeeding.
"Everything is starting to come back online," said Bill Murray, a spokesman for the FBI's National Infrastructure Protection Center. "We know what the issue was and how to mitigate it, and we're just imploring systems administrators to apply the patches that will prevent this from propagating again."
Bank of America Corp., one of the nation's largest banks, said many customers could not withdraw money from its 13,000 ATM machines because of technical problems caused by the attack. A spokeswoman, Lisa Gagnon, said the bank restored service to nearly all ATMs by late Saturday afternoon and that customers' money and personal information had not been at risk.
Millions of Internet users in South Korea were stranded when computers at Korea Telecom Freetel and SK Telecom failed. Service was restored but remained slow, officials said. In Japan, NHK television reported heavy data traffic swamped some of the country's Internet connections, and Finnish phone company TeliaSonera reported some problems.
"It's not debilitating," said Howard Schmidt, President Bush's No. 2 cybersecurity adviser. "Everybody seems to be getting it under control." Schmidt said the FBI's cybersecurity unit and experts at the federally funded CERT Coordination Center were monitoring the attack and offering technical advice to computer administrators on how to protect against it.
"We as a technical group are getting better at identifying these things and putting filters in place in a timely manner," said Marty Lindner of the CERT Coordination Center.
Tiffany Olson, spokeswoman for the President's Critical Infrastructure Protection Board, said the White House may not determine the scope of damage "for at least a couple of days, and we may not know the full impact of this attack at all." She said companies often don't report such damage to the government.
The virus-like attack, which began about 12:30 a.m. EST, sought out vulnerable computers on the Internet to infect using a known flaw in popular database software from Microsoft Corp. called "SQL Server 2000." The attacking software was scanning for victim computers so randomly and so aggressively, sending out thousands of probes a second, that it saturated many Internet data pipelines.
Most home users did not need to take any protective measures.
The FBI was searching for the origin of the attack, which experts variously dubbed "sapphire," "slammer" or "SQ hell." Some security researchers noted that software unleashed in Saturday's attack bore striking resemblance to blueprints for computer code published weeks ago on a Chinese hacking Web site by a virus author known as "Lion." An FBI spokesman said he couldn't confirm that.
Tracing the attack, which appeared to strike first in the United States, might be impossible because it used a transmission method that made it unusually easy to falsify its digital trail, experts said. Mysterious scans that could have been a precursor to Saturday's attack have been detected by Internet sensors since last year, searching out vulnerable computers.
"Scanning has been going on for months and months," said Chris Wysopal of AtStake Inc., a security firm in Cambridge, Mass. "This person probably launched this attack at hundreds of machines all at once."
The attack resembled the "Code Red" virus that struck the Internet during the summer of 2001.
"This is like Code Red all over again," said Marc Maiffret, an executive with eEye Digital Security, whose engineers were among the earliest to study samples of the attack software. "The sheer number of attacks is eating up so much bandwidth that normal operations can't take place."
Schmidt said disruption within the U.S. government was minimal, partly because the attack occurred early on a weekend. The departments of State, Agriculture, Commerce and some units of the Defense Department appeared hardest hit among federal agencies, according to Matrix NetSystems Inc., a monitoring firm in Austin, Texas.
Some Associated Press news services were affected but were restored by morning.
The attack temporarily interfered with the computer network at The Atlanta Journal-Constitution, delaying publication of Sunday's first edition, normally delivered to newsstands Saturday afternoon, and delaying updates on the newspaper's Web site, http://www.ajc.com.
The world's largest Internet provider, America Online, reported no problems. "We remain on alert and continue to closely monitor this situation," spokesman Nicholas Graham said.
The attack sought to exploit a software flaw discovered by researchers in July 2002 that permits hackers to seize control of corporate database servers. Microsoft deemed the flaw to be critical and offered a free repairing patch, but it was impossible to know how many computer administrators applied the fix.
The latest attack could revive debate within the technology industry about the need for an Internet-wide monitoring center, which the Bush administration has proposed.
During the Code Red attack in July 2001, about 300,000 mostly corporate server computers were infected and programmed to launch a simultaneous attack against the Web site for the White House, which U.S. officials were able to defend successfully.
Unlike that episode, the malicious software used in this latest attack did not appear to do anything other than try to spread its own infection, experts said.
AP technology writers Anick Jesdanun and Frank Bajak contributed to this story from New York.
On the Net:
Technical details: http://www.eeye.com/html/Research/Flash/AL20030125.html