Worm exposes laziness and Microsoft bugs

• Tags:
• Slammer,
• Sql Ddos,
• Sapphire Worm,
• Sql Worm

Published: 27 Jan 2003 08:02 GMT

• 
• 
• 
• 
• 

The Sapphire worm that hit servers running Microsoft SQL this weekend was a wake-up call for anyone who thought the Internet had become a safer place following increased attention by corporate and government leaders.

In the largest such incident since the Code Red and Nimda worms swamped servers in 2001, the Sapphire worm -- also known as Slammer and SQLExp -- infected more than 120,000 computers and caused chaos within many corporate networks. Some Internet service providers in Asia were overwhelmed.

The small but malicious program rapidly exploited a six-month-old flaw in Microsoft SQL servers, underscoring a dirty secret in the IT industry: software bugs are common and administrators are slow to fix even widely publicised problems, said Johannes Ullrich, director of the security information site Incidents.org.

"Companies should have been ready for (the worm)," he said. "That patch should have been applied -- it's six months old now."

The worm started spreading about 9:30pm PST last Friday, just one day after Microsoft chairman Bill Gates sent a memo to customers stating that the company had "accomplished a lot" in its first year of its Trustworthy Computing initiative. For much of the first year, the company has focused on increasing the security of its products.

It also came just days after the General Accounting Office, the auditing arm of Congress, said the US government has spent at least US$2.9bn (£1.8bn) in 2002 on information technology related to homeland security. The same amount is expected to be spent again this year.

Because the worm exploited an old flaw, security experts directed only moderate criticism at Microsoft, choosing instead to focus on administrators who have failed to patch their software.

"I don't think people can really hold Microsoft at fault for this worm," said Marc Maiffret, chief hacking officer for security software firm eEye Digital Security, one of the first groups to release an analysis of the worm. While Microsoft did release flawed software, they fixed that flaw many months ago, he said. "Customers have been able to protect themselves," he stressed.

For a variety of reasons, however, companies with Microsoft SQL (pronounced "sequel") servers didn't apply the patches. Moreover, the affected companies also had vulnerable servers that were accessible via the Internet, a disaster waiting to happen.

"Some administrators might be at fault, but then some corporate managers might be at fault for understaffing, under-budgeting, and under-empowering their IT staff to be able to handle the security of their network," Maiffret added.

The bottom line: More security is needed. While the worm didn't infect as many system as Code Red or Nimda, the pint-sized program spread across the Internet in less than a minute and saturated some companies networks so quickly that administrators couldn't respond. The worm comprised just 376 bytes of code, less than is contained in this paragraph.

The worm takes advantage of a flaw in how Microsoft SQL servers handle certain input. By sending a specially crafted data packet over the Internet, the worm can remotely compromise additional systems and spread copies of itself. The worm doesn't create files and doesn't delete data. Rather, it resides in memory and tries to spread as quickly as possible.

It's so successful at rapidly sending data, however, that it overloaded many networks and overwhelmed many types of network hardware, effectively cutting off some companies from the Internet.

"It is memory-resident, so it is very efficient," said Greg Shipley, director of consulting for security firm Neohapsis. "So there may be less number of hosts affected, but it is so chatty it saturates connections."

The worm disrupted more than 13,000 Bank of America automated teller machines, and late Saturday the company was still warning online customers of possible slowdowns in accessing their accounts. "We are currently experiencing problems that may cause online banking to operate more slowly than normal," the message stated. The company could not be reached for comment on Sunday.

PeopleSoft was among several Fortune 100 companies that had had network issues on Saturday, according to data provided by Internet watcher Netcraft.org.

"The problem was that this was a particularly malicious piece of code," said Steve Lipner, director of security assurance for Microsoft. "If it got a hold of one machine, it hammered away at the network. In a big organization, it's really hard to say that every point of access is protected."

In addition, developers using Microsoft's Data Engine 1.0 and Microsoft Desktop Engine 2000 may not have known they were vulnerable to the worm. The software is included in Visual Studio .NET, ASP.NET Web Matrix Tool, Office XP Developer Edition, MSDN Universal and Enterprise subscriptions and Microsoft Access. MSDE is also included in Microsoft Application Center 2000.

While some companies scrambled to deal with the problem, most consumers weren't affected, however.

"Consumers might have seen longer latencies and slower connections, otherwise it was a non-issue," said Oliver Friedrichs, senior manager for security software maker Symantec.

By midday Sunday, traffic caused by the worm had fallen to one-tenth the level it had been in the first few hours of the attack, when the infection peaked, Friedrichs said.

"We are not seeing anywhere near the activity of the first two hours," he said. "The worm could have been worse. It could have deleted files. It just took up tremendous amount of bandwidth."

The main brunt of the attack may now be within companies that have shut down database connections to the Internet, but still may be dealing with the infection internally, he added.

Given that the worm did little damage to the machines it infected -- a reboot would rid any computer of the worm -- some security experts saw the ultimate effect of the attack as a good thing.

"A lot of people see this as a wake-up call," said Ullrich of Incidents.org. "Machines that got infected by this one have been open for the past six months."

Any database vulnerable to the worm could have been attacked by hackers bent on stealing data. Many SQL databases hold customer data, and the worm highlighted that the data hasn't been safe, said Ullrich.

"If you had a vulnerable server, then it's possible that you could have been compromised in the past half-year," he said.

With Fortune 100 companies and online retailers among those that may be cleaning their systems of such a worm, the question may not be whether data has been leaked, but how much.

---

• 
• 
• 
• 
• 

• Share this article:
• Digg
• Slashdot
• Del.ici.ous
• Stumble
• Reddit

• Most Recent
• Most Popular
• Most Discussed