Senior Editor, Network World

Next ‘Slammer’ could be worse

Feb 03, 2003

As cleanup of the MS-SQL Slammer worm continued last week, talk among security experts centered on two facets of the attack that might portend greater trouble: the remarkable speed with which Slammer spread, and the idea that future versions might carry a nefarious payload.

Experts fear future variations could wipe out files or worse.

“It could delete [a] whole database,” says Ed Skoudis, vice president of security strategy at consultancy Predictive Systems. Extending Slammer’s destructiveness would require skill, but chances of that happening are growing since hacker groups and legitimate security firms have posted an analysis of the machine code after reverse-engineering it.

While many are blaming network administrators for failing to take proper precautions, complaints are mounting about how difficult it is to apply patches that Microsoft supplied six months ago to prevent the kind of buffer-overflow attack this worm uses.

Moving in a flash across the Internet, Slammer blasted through an estimated half-million vulnerable servers by week’s end, wreaking havoc inside corporate intranets, disrupting e-commerce, and even causing a global ‘Net slowdown. Within minutes, it had slipped into corporations through firewalls left open at ports 1433 and 1434, or spread through infection by e-commerce partners. Some ISPs, including AT&T, now are filtering out the worm.

A number of corporations hit by Slammer had to shut down internal operations for a day to get rid of the worm, which was flooding their intranets with a denial-of-service (DoS) attack.

“We experienced a systems slowdown due to the worm,” says JP Morgan Chase spokesman Tom Johnson. “And we shut down our online banking as well.”

Randomly scanning at high speed in search of unpatched SQL Servers or any unpatched applications using the licensed Microsoft Data Engine (MSDE) code, Slammer generated huge amounts of UDP packet traffic, causing a 50% degradation of Web site availability around the world as it gained steam early Jan. 25. Internet traffic returned to normal around noon that day, according to monitoring firm Keynote Systems.

Slammer’s DoS attack was so intense in its first hours that latency-sensitive applications such as voice over IP would have been severely affected, says Hossein Eslambolchi, AT&T’s CTO and president of AT&T Labs.

“This really is a national security issue,” says Eslambolchi, who advocates that industry coordinate with government to set minimum standards in network design and threat response.

The intrusion-detection systems that AT&T uses provided an early warning about the worm, which AT&T then hastened to filter out via router access control lists, Eslambolchi says. He says this filtering process remains manual about half the time, and further work on automating attack blocking is needed.
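The two behaviours the article describes, a single host fanning out UDP datagrams to port 1434 at high speed and the fixed 376-byte size of the worm packet, are the signals a network team would turn into an early warning and then into a router ACL entry. The script below is an added example, not code from AT&T or from the article; it runs over a handful of constructed flow records (a compromised-looking host and a normal SQL client) and returns both the sources it would flag and illustrative deny entries for a router ACL (the `deny udp host … any eq …` wording is a generic example, not a particular vendor's tested syntax). The threshold of five destinations per second is an assumption chosen for the sample data.

```python
from collections import defaultdict

SLAMMER_PORT = 1434       # UDP port the worm targeted (from the article)
SLAMMER_BYTES = 376       # size of the worm datagram (from the article)

# Constructed sample flow records: (timestamp_sec, src_ip, dst_ip, proto, dst_port, bytes).
# 10.0.0.5 behaves like an infected host: five distinct destinations on UDP/1434 in half a second.
# 10.0.0.9 is a normal client that occasionally talks to one SQL Server.
SAMPLE_FLOWS = [
    (0.0, "10.0.0.5", "203.0.113.1",   "udp", 1434, 376),
    (0.1, "10.0.0.5", "198.51.100.7",  "udp", 1434, 376),
    (0.2, "10.0.0.5", "192.0.2.44",    "udp", 1434, 376),
    (0.3, "10.0.0.5", "203.0.113.200", "udp", 1434, 376),
    (0.4, "10.0.0.5", "198.51.100.33", "udp", 1434, 376),
    (0.5, "10.0.0.9", "10.0.0.50",     "udp", 1434, 120),
    (0.6, "10.0.0.9", "10.0.0.50",     "tcp", 1433, 1500),
    (5.0, "10.0.0.9", "10.0.0.50",     "udp", 1434, 120),
]


def peak_fanout(flows, window_sec=1.0):
    """For each source, the largest number of distinct destinations it sent
    UDP/1434 datagrams to inside any window_sec-long sliding window."""
    per_src = defaultdict(list)
    for ts, src, dst, proto, dport, _ in flows:
        if proto == "udp" and dport == SLAMMER_PORT:
            per_src[src].append((ts, dst))
    peaks = {}
    for src, events in per_src.items():
        events.sort()  # by timestamp, so each window is a contiguous slice
        best = 0
        for i, (t0, _) in enumerate(events):
            dsts = {d for t, d in events[i:] if t - t0 <= window_sec}
            best = max(best, len(dsts))
        peaks[src] = best
    return peaks


def slammer_payload_sources(flows):
    """Sources that emitted UDP/1434 datagrams matching the worm's 376-byte size."""
    return sorted({src for _, src, _, proto, dport, nbytes in flows
                   if proto == "udp" and dport == SLAMMER_PORT and nbytes == SLAMMER_BYTES})


def detect(flows, fanout_threshold=5, window_sec=1.0):
    """Sources to block: fan-out at or above the threshold, or the size signature.
    The threshold is an assumed value tuned to the constructed sample."""
    peaks = peak_fanout(flows, window_sec)
    by_rate = {src for src, peak in peaks.items() if peak >= fanout_threshold}
    by_size = set(slammer_payload_sources(flows))
    return sorted(by_rate | by_size)


def acl_lines(sources):
    """Illustrative deny entries for a router ACL (generic wording, not a vendor's syntax)."""
    return [f"deny udp host {src} any eq {SLAMMER_PORT}" for src in sources]


if __name__ == "__main__":
    flagged = detect(SAMPLE_FLOWS)
    print("fan-out per source:", peak_fanout(SAMPLE_FLOWS))
    print("flagged sources:", flagged)
    for line in acl_lines(flagged):
        print(line)
```

The size signature alone is brittle: the article itself warns that the next variant will be retooled, and a different payload length would slip past it. The fan-out rate is the more durable signal, since any worm that scans randomly at Slammer's speed produces it regardless of what the packet carries. Turning the flagged list into ACL entries automatically is exactly the step Eslambolchi describes as still being manual about half the time.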

Among the victims of Slammer was Microsoft, where the worm infected the unpatched computers used by about 1,000 Microsoft developers, causing the company to scramble as its network was flooded in a DoS attack. The company shut down servers and cleaned them of the tiny 376-byte worm. Many Microsoft customers found it rough going just trying to apply the SQL Server patch code issued last July. They say the patch is hard to do and can easily take six hours.

“We agree – we have to build better tools for this,” Microsoft spokesman Rick Miller says.

Analysts say the software industry has failed to build vulnerability-assessment tools that help customers keep track of their inventory of applications and equipment to determine what needs patching and whether it was done. “Most companies just don’t know what they have to begin with,” says Chris King, security analyst at consultancy Greenwich Technology Partners.

By no means were customers blaming everything on Microsoft.

“It’s the responsibility of anyone who runs and manages a server,” says Paul Krihak, network engineer at Virtua Health. “It’s their responsibility to apply the patches Microsoft puts out. Microsoft can’t go out to every customer and do it for you.”

The financial industry in particular paid a high price for failure to patch. Bank of America’s automatic teller machines were rendered useless for a day because the worm infected the bank’s internal servers that play a role in managing the machines, which are not on the Internet. In Asia, the South Korean stock exchange reported disruptions and Russian government agencies reportedly were affected.

The U.S. government also was caught off guard. The National Infrastructure Protection Center, which wants to be the first point of information about any cyberattack, took hours to get NIPC staff awake and working to issue an alert about Slammer.

“It’s been tough to do the coordination,” acknowledges Marcus Sachs, director for communication infrastructure protection at the White House Office of Cyberspace Security. He expects things to improve by summer, when the NIPC will be more settled in the newly created Department of Homeland Security.

Some experts agree that Slammer will be retooled to be more dangerous, but that SQL Servers and MSDE – a kind of mini-Microsoft SQL code embedded in at least 100 applications – won’t be the target next time.

“A different service will be the target, perhaps printers,” says Vincent Weafer, senior director of Symantec security response. Symantec this week is set to issue a threat-advisory report about the types of suspicious scans and outright attacks experienced over the past six months by 500 firms that use Symantec’s managed security services. According to this report, SQL Server is the most widespread hacker probe.

Equipment to combat distributed DoS, including that from Arbor Networks, Captus Networks and Mazu Networks, has become available over the last year, but its use is not widespread in corporations or ISPs.

Intrusion-prevention gateways, such as one from IntruVert, also are seen as a way to block attacks of many types, although the notion of blocking traffic automatically remains controversial because of worries about cutting off legitimate traffic.