On Saturday, February 25, 2003, I was roused by the head of disaster recovery at Merrill Lynch to tell me that our networks were down. We – and the entire internet – had been attacked by a vicious worm called SQL Slammer, which fitted inside a single network packet and infected Microsoft databases. Each infection would broadcast, looking for other nodes to infect in such volumes that the network froze. Not just data traffic – we had recently installed an internet protocol-based phone system, so even the phones didn’t work.
Most malware back then was created by young techies, pitting their ingenuity against Microsoft and the establishment. Slammer’s creators made no money from it; they were technically brilliant delinquents having fun. There were other attack types too, such as denial of service, which took down banks’ websites, and phishing, which lured customers into giving away their credentials. The impact was more on retail than commercial banking.