Slammer hits hard, damage limited

A new Internet worm, SQL Slammer, wreaked havoc last week, crippling server bandwidth in the US, Korea and Europe. Network Associates’ Anti-Virus Emergency Response Team (AVERT) estimated that 150,000 to 200,000 servers worldwide were infected within the first two days as Slammer spread rapidly via Microsoft SQL Server installations. When the attack began, packet loss across the Internet approached 20 per cent, monitoring firm Matrix NetSystems said; packet loss rates are usually below 1 per cent.

However, the worm died a relatively quick death upon arrival in Australia. Security agency AusCERT said there were few visible victims despite a substantial spike in scanning. AusCERT security analyst Jamie Gillespie, who was on duty when the worm struck locally, said scanning activity had abated to “negligible background noise levels” by the afternoon of Monday, January 27, despite a mountain of hype from security vendors and media.

Slammer generated large amounts of Internet traffic, including billions of UDP/IP probes, rendering parts of the Internet and online services inaccessible, a spokesperson from Internet Security Systems’ (ISS) X-Force research and development team said.

The worm propagates by scanning for vulnerable servers on UDP port 1434. Once a server is compromised the worm loads its code into memory only and begins scanning random addresses to propagate further; because nothing is written to disk, a reboot removes it, but an unpatched host is reinfected almost immediately. While current analysis indicates the worm carries no destructive payload, the scanning alone amounts to a denial-of-service attack because of the sheer rate of outbound UDP packets.

“This one seems to be subsiding quite nicely,” Gillespie said. “A couple of ISPs in Australia were reporting three to four times normal traffic [during the peak] of the attack, with some people saying there was upwards of 100 Megabits/sec on larger connections.
“It seems to be that when you see an exploit patched up, a few months later you’ll see the worm for it spread around.”

Although the SQL Server vulnerability was identified and a hotfix released in July 2002 (Microsoft security bulletin MS02-039), affected users may have delayed patching in order to assess any adverse consequences of SQL Server Service Pack 3, released on January 12, 2003, a fortnight before Slammer struck. At that time many IT staff may also still have been on leave.

While most enterprise victims are traditionally silent about such exposure, Microsoft .Net Users Group Sydney president Adam Cogan offered a heartfelt confession. “It’s got a lot of traction — it affected a lot of people,” Cogan said. “It brought down quite a few of our customers … it brought down our company, (Superior Software for Windows), and members of our user group were affected.

“It shows the popularity of SQL Server these days that so many people were affected like this. It’s important to treat security as a high priority. When a service pack comes out we now know we have to treat this seriously and do it as quickly as possible.

“Everybody knew about Service Pack 3. The people I have spoken to this morning felt like they were a bit slack about waiting too long to put the service pack on. Don’t stuff around,” Cogan mournfully continued.

Senior security consultant for Computer Associates Daniel Katz warned that SMEs were at particular risk. “You will probably find that a number of small business organisations will be running Microsoft Small Business Server, in which the advanced edition installs MS SQL Server by default – whether you want it or not,” he said. “The cost will be in labour and time.”

Others are less forgiving. A well-placed source within a telco said, “Seriously, what the #%&* are these people doing? Which idiot puts MS SQL Server anywhere near the frontline? If you’re a victim site, you have bigger issues to worry about — sack your IT staff … now!
[And don’t worry about passwords, they’re all probably ‘password’].”

Australia and New Zealand vice-president of TruSecure Corporation Anthony Turco was more diplomatic. “You would have to have a really good business reason not to have that port – 1434/UDP – externally shut off and firewalled,” he said. “People have to take this stuff seriously. That’s the trade-off with software that is feature rich.”

Ironically, Microsoft itself fell victim. The worm infected hosts on the company’s US network, flooding it with traffic. The vulnerable machines were mostly on the company’s Redmond campus, concentrated in a part of Microsoft’s network used by SQL Server developers.

Meanwhile, security vendors disagreed on the severity of the threat posed by Slammer. Trend Micro labelled the worm “destructive” and “high risk”, while Symantec assessed its damage potential as “low”. Network Associates and eEye Digital Security, among the first companies to spot and dissect the worm, both issued high-risk alerts. While the worm may be easy to defend against, a vast number of systems remain unprotected.

“[Slammer] doesn’t destroy, remove, hack or extract any data,” Matrix NetSystems’ vice-president of marketing and business development, Tom Ohlsson, said. “But it’s a very, very aggressive worm when it comes to self-replication.”

Slammer’s speed in spreading itself recalls another worm that rampaged through the Net: Code Red, which appeared in mid-2001 and infected hundreds of thousands of servers. Despite the availability of a patch, Code Red caused about $US2 billion in damage.
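The propagation behaviour described earlier in this article (a high rate of outbound UDP/1434 probes to random addresses) is what a network team would look for in flow records, and it is exactly the traffic Turco’s 1434/UDP egress filter is meant to stop. The Python below is an added example written for this page; it is not code from the article or from any vendor quoted in it. It assumes a simplified, constructed flow-record format (timestamp, source, destination, protocol, destination port) and alert thresholds that are assumptions to be tuned locally; the sample records are constructed, not a real capture. It separates random scanning (many distinct destinations per second) from a legitimate client repeatedly querying one server on the same port (a fan-out of one).

```python
"""Flag hosts whose outbound UDP/1434 traffic looks like Slammer-style random
scanning: many distinct destinations inside a short time window.

Added example for this article, not the article's or any vendor's code.
Assumed flow-record format (one record per line, whitespace separated):
    <unix_ts> <src_ip> <dst_ip> <proto> <dst_port>
Real collectors differ; adapt parse_flows() to your own export.
"""
import ipaddress
from collections import defaultdict

# The article gives only the port, the protocol and the random, high-rate
# outbound scanning; the thresholds below are assumptions to tune locally.
SLAMMER_PORT = 1434
DEFAULT_WINDOW_S = 1.0       # width of each time bucket in seconds
DEFAULT_MIN_TARGETS = 5      # distinct destinations per bucket that raise an alert

# Constructed sample records (not a real capture): one scanner, one legitimate
# client that repeatedly talks to a single server on 1434/UDP, and TCP noise.
SAMPLE_FLOWS = """\
1043600000.00 10.1.2.3  203.0.113.7    udp 1434
1043600000.01 10.1.2.3  198.51.100.22  udp 1434
1043600000.02 10.1.2.3  192.0.2.91     udp 1434
1043600000.03 10.1.2.3  203.0.113.200  udp 1434
1043600000.04 10.1.2.3  198.51.100.5   udp 1434
1043600000.05 10.1.2.3  192.0.2.14     udp 1434
1043600000.06 10.1.2.3  203.0.113.77   udp 1434
1043600000.07 10.1.2.3  198.51.100.130 udp 1434
1043600000.10 10.1.2.50 10.1.2.10      udp 1434
1043600000.50 10.1.2.50 10.1.2.10      udp 1434
1043600001.10 10.1.2.50 10.1.2.10      udp 1434
1043600001.30 10.1.2.50 10.1.2.10      udp 1434
1043600000.20 10.1.2.77 10.1.2.10      tcp 1433
1043600000.21 10.1.2.77 10.1.2.10      tcp 1433
"""


def parse_flows(text):
    """Parse the assumed flow format into a list of dicts; malformed lines raise."""
    flows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts)}")
        ts, src, dst, proto, dport = parts
        flows.append({
            "ts": float(ts),
            "src": str(ipaddress.ip_address(src)),  # raises on a malformed address
            "dst": str(ipaddress.ip_address(dst)),
            "proto": proto.lower(),
            "dport": int(dport),
        })
    return flows


def find_slammer_like_scanners(flows, window_s=DEFAULT_WINDOW_S,
                               min_targets=DEFAULT_MIN_TARGETS):
    """Return {src: summary} for sources that reach at least min_targets distinct
    destinations on 1434/UDP within one window_s-wide time bucket.

    A legitimate client hammering one server has a fan-out of 1 and is never
    reported; random scanning has a fan-out close to its packet count.
    """
    targets = defaultdict(set)            # (src, bucket) -> set of destinations
    for f in flows:
        if f["proto"] != "udp" or f["dport"] != SLAMMER_PORT:
            continue
        bucket = int(f["ts"] // window_s)
        targets[(f["src"], bucket)].add(f["dst"])

    alerts = {}
    for (src, bucket), dsts in targets.items():
        if len(dsts) < min_targets:
            continue
        # Random scanning also spreads over unrelated networks; the number of
        # distinct /16s is reported as a second signal for the analyst.
        nets = {str(ipaddress.ip_network(d + "/16", strict=False)) for d in dsts}
        summary = {
            "window_start": bucket * window_s,
            "distinct_targets": len(dsts),
            "distinct_slash16": len(nets),
        }
        prev = alerts.get(src)
        if prev is None or summary["distinct_targets"] > prev["distinct_targets"]:
            alerts[src] = summary        # keep the worst window per source
    return alerts


if __name__ == "__main__":
    for src, info in find_slammer_like_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT {src}: {info['distinct_targets']} distinct 1434/UDP targets "
              f"in {info['distinct_slash16']} /16s from t={info['window_start']}")
```

On the constructed sample only 10.1.2.3 is reported (eight distinct targets across three /16s in one second); the client 10.1.2.50 is ignored because its fan-out is one, and the TCP/1433 records never enter the count. In practice the same fan-out logic works on any collector export once `parse_flows()` is adapted, and the window and target thresholds should be set from a baseline of your own 1434/UDP traffic.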