They were 376 bytes that shook the world.
At 5:30 a.m. Greenwich Mean Time on the morning of 25 January 2003, the
Sapphire worm began dispatching copies of itself to the Internet.
The worm, also known as SQL Slammer, began infecting computers
running a very popular Microsoft database program, Microsoft
SQL Server.
To infect a computer, the worm first sent itself to a specific communications
port of the computer, one the SQL Server used to send and
receive requests. When the computer attempted to process the
"request," the worm caused a data buffer in the computer to
overflow. The overflow in turn caused the computer to install
Sapphire, which then sent copies of itself over the Internet.
And so it went, computer after computer, with astonishing
speed and efficiency.
The virus began infecting a widening circle of computers in a contagion
that zoomed around the world, doubling every 8.5 seconds.
By 5:40 a.m., just 10 minutes after it was unleashed, Sapphire
had spread to at least 70 000 computers—90 percent of
all the vulnerable machines in the world. The worm's paltry
few hundred bytes carried no malicious payload and so deleted
no data or software. But the sheer torrent of data coursing
over the Internet consumed nearly all available capacity,
crashing networks, bank ATMs, and flight-scheduling systems.
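As an added illustration (not part of the original article), the numbers quoted above can be put into the standard logistic model of a random-scanning worm: the population of infected hosts doubles every 8.5 seconds only while most vulnerable hosts are still uninfected, then saturates as the vulnerable pool runs out. The vulnerable-population size of about 78 000 is an assumption derived from 70 000 being "90 percent", and the IPv4 address-space size (2^32) is assumed when translating the growth rate into an implied per-host scan rate.

```python
import math

# Figures from the article: early-stage doubling time of the infected population.
DOUBLING_TIME_S = 8.5
# Constructed assumption: 70 000 infected hosts were "90 percent" of those vulnerable.
VULNERABLE_HOSTS = 78_000
# Assumption: the worm picks targets uniformly at random from the IPv4 address space.
ADDRESS_SPACE = 2 ** 32


def growth_rate(doubling_time_s: float = DOUBLING_TIME_S) -> float:
    """Exponential growth constant K (per second) implied by a doubling time,
    i.e. I(t) ~ I0 * exp(K * t) while almost everything is still uninfected."""
    return math.log(2) / doubling_time_s


def infected_at(t_s: float, n: int = VULNERABLE_HOSTS, i0: int = 1,
                doubling_time_s: float = DOUBLING_TIME_S) -> float:
    """Logistic (random-scanning) model of the number of infected hosts at time t.

    Each infected host scans at a fixed rate and only hits a *new* victim with
    probability (n - I)/ADDRESS_SPACE, so dI/dt = K * I * (1 - I/n).  The closed
    form below is exponential at first and levels off at the vulnerable population n.
    """
    k = growth_rate(doubling_time_s)
    return n / (1 + (n / i0 - 1) * math.exp(-k * t_s))


def time_to_fraction(frac: float, n: int = VULNERABLE_HOSTS, i0: int = 1,
                     doubling_time_s: float = DOUBLING_TIME_S) -> float:
    """Seconds until a fraction `frac` (0 < frac < 1) of the vulnerable hosts is
    infected; the inverse of infected_at()."""
    k = growth_rate(doubling_time_s)
    return math.log((n / i0 - 1) * frac / (1 - frac)) / k


def implied_scans_per_second(n: int = VULNERABLE_HOSTS,
                             doubling_time_s: float = DOUBLING_TIME_S) -> float:
    """Per-host scan rate r that a random-scanning worm would need to achieve the
    observed doubling time, from K = r * n / ADDRESS_SPACE."""
    return growth_rate(doubling_time_s) * ADDRESS_SPACE / n


if __name__ == "__main__":
    for t in (0, 60, 120, 180, 600):
        print(f"t={t:4d}s  infected={infected_at(t):10.1f}")
    print(f"90% infected after {time_to_fraction(0.9):.0f} s")
    print(f"implied scan rate {implied_scans_per_second():.0f} probes/s per host")
```

The model reaches 90 percent of the vulnerable hosts in well under the 10 minutes the article reports, which is why a worm of this kind has to be detected in seconds rather than by the next signature update.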
After the dust settled, a few days later, a London computer security
firm, Mi2g Ltd., estimated that Sapphire had caused about
US $1 billion in damages, related mostly to lost productivity.
Incredibly enough, Sapphire was at that time only the ninth most costly
computer attack on record, according to the London firm. And
it was an unfortunate harbinger of things to come: in February
2004 alone, Mi2g estimates, various malevolent attacks caused
upwards of $68 billion in damages worldwide, much of it due
to worms, such as MyDoom and several others that rampaged
through the Internet that month. Ever since the first worms
were released on the world in the late 1980s, those who write
them and those who fight them—including the developers
of computer intrusion-detection systems—have been engaged
in a sort of arms race [see sidebar, "Worm
Evolution"].
At IBM Zurich Research Laboratory, we're working on a remedy for
worms that differs from other approaches in targeting worms
specifically rather than trying to prevent all breaches of
computer security. Our system, called Billy Goat, does just
one thing but does it extremely accurately.
Protection of a computer system begins with good locks, in the form of
hardware and software barriers. But just as homeowners often
keep watchdogs to sniff out a burglar even after he has gotten
past a locked door, so do many of today's systems monitor
suspicious activities that take place inside a computer.