Network World
Next 'Slammer' could be worse

By Ellen Messmer, Network World, 02/03/2003

As cleanup of the MS-SQL Slammer worm continued last week, talk among security experts centered on two facets of the attack that might portend greater trouble: the remarkable speed with which Slammer spread, and the idea that future versions might carry a nefarious payload.

Experts fear future variations could wipe out files or worse.

"It could delete [a] whole database," says Ed Skoudis, vice president of security strategy at consultancy Predictive Systems. Extending Slammer's destructiveness would require skill, but chances of that happening are growing since hacker groups and legitimate security firms have posted an analysis of the machine code after reverse-engineering it.

While many are blaming network administrators for failing to take proper precautions, complaints are mounting about how difficult it is to apply patches that Microsoft supplied six months ago to prevent the kind of buffer-overflow attack this worm uses.

Moving in a flash across the Internet, Slammer blasted through an estimated half-million vulnerable servers by week's end, wreaking havoc inside corporate intranets, disrupting e-commerce, and even causing a global 'Net slowdown. Within minutes, it had slipped into corporations through firewalls left open on ports 1433 and 1434, or spread through infection by e-commerce partners. Some ISPs, including AT&T, now are filtering out the worm.

A number of corporations hit by Slammer had to shut down internal operations for a day to get rid of the worm, which was flooding their intranets with a denial-of-service (DoS) attack.

"We experienced a systems slowdown due to the worm," says JP Morgan Chase spokesman Tom Johnson. "And we shut down our online banking as well."

Randomly scanning at high speed in search of unpatched SQL Servers or any unpatched applications using the licensed Microsoft Data Engine (MSDE) code, Slammer generated huge amounts of UDP packet traffic, causing a 50% degradation of Web site availability around the world as it gained steam early Jan. 25. Internet traffic returned to normal around noon that day, according to monitoring firm Keynote Systems.

Slammer's DoS attack was so intense in its first hours that latency-sensitive applications such as voice over IP, among others, would have been severely affected, says Hossein Eslambolchi, AT&T's CTO and president of AT&T Labs.

"This really is a national security issue," says Eslambolchi, who advocates that industry coordinate with government to set minimum standards in network design and threat response.

The intrusion-detection systems that AT&T uses provided an early warning about the worm, which AT&T then hastened to filter out via router access control lists, Eslambolchi says. He says this filtering process remains manual about half the time, and further work on automating attack blocking is needed.
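The early-warning-then-filter loop described above can be sketched in code. The following is an added example, not anything AT&T or Network World published: it applies the single-packet signature the article gives (a UDP datagram to port 1434 carrying the 376-byte worm) to a constructed set of flow records, flags sources that spray such packets at many distinct destinations in a short window (the random-scanning behaviour), and emits Cisco-style ACL lines for them. The record layout, thresholds and ACL number are assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (not captured traffic): one tuple per packet
# (timestamp_s, src_ip, dst_ip, proto, dst_port, payload_bytes).
SAMPLE_FLOWS = [
    (0.00, "10.0.5.20", "10.0.9.1",     "udp", 1434, 376),
    (0.01, "10.0.5.20", "172.16.3.7",   "udp", 1434, 376),
    (0.02, "10.0.5.20", "192.0.2.55",   "udp", 1434, 376),
    (0.03, "10.0.5.20", "198.51.100.9", "udp", 1434, 376),
    (0.04, "10.0.5.20", "203.0.113.4",  "udp", 1434, 376),
    (0.05, "10.0.5.20", "10.0.7.13",    "udp", 1434, 376),
    (1.00, "10.0.5.21", "10.0.9.1",     "tcp", 1433, 120),  # normal SQL client session
    (1.50, "10.0.5.21", "10.0.9.1",     "tcp", 1433, 95),
    (2.00, "10.0.5.22", "10.0.9.1",     "udp", 1434, 1),    # ordinary instance lookup
]

def looks_like_slammer(proto, dst_port, payload_bytes, worm_len=376):
    """Single-packet signature from the article: UDP to port 1434 carrying the
    376-byte worm body. Length-only matching is coarse; a real IDS rule would
    also match payload bytes."""
    return proto == "udp" and dst_port == 1434 and payload_bytes == worm_len

def flag_scanning_sources(flows, window_s=1.0, min_targets=5):
    """Return source IPs that sent Slammer-shaped packets to at least
    `min_targets` distinct destinations within any `window_s`-second window.
    Fan-out to many destinations separates a worm spraying random addresses
    from a client talking to one SQL Server."""
    per_src = defaultdict(list)
    for ts, src, dst, proto, dport, size in flows:
        if looks_like_slammer(proto, dport, size):
            per_src[src].append((ts, dst))
    flagged = set()
    for src, events in per_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            # advance the window start until events[lo:hi+1] spans <= window_s
            while events[hi][0] - events[lo][0] > window_s:
                lo += 1
            if len({dst for _, dst in events[lo:hi + 1]}) >= min_targets:
                flagged.add(src)
                break
    return flagged

def acl_lines_for(sources, acl_number=110):
    """Cisco IOS-style extended ACL entries blocking UDP/1434 from each flagged
    host (assumed ACL number; the syntax is illustrative)."""
    return [f"access-list {acl_number} deny udp host {s} any eq 1434"
            for s in sorted(sources)]
```

Running `flag_scanning_sources(SAMPLE_FLOWS)` flags only 10.0.5.20; the TCP/1433 client and the one-byte UDP/1434 lookup are left alone.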

Among the victims of Slammer was Microsoft, where the worm infected the unpatched computers used by about 1,000 Microsoft developers, causing the company to scramble as its network was flooded in a DoS attack. The company shut down servers and cleaned them of the tiny 376-byte worm. Many Microsoft customers found it rough going just trying to apply the SQL Server patch code issued last July. They say the patch is hard to do and can easily take six hours.
