ZDNet UK / News and Analysis / Security / Security Management

Worm exposes laziness and Microsoft bugs

By Staff, CNET News, 27 January, 2003 08:02

Daily Newsletters

Sign up to ZDNet UK's daily newsletter.

Topics

sql worm, sapphire worm, sql ddos, Slammer

ANALYSIS
The Sapphire worm that hit servers running Microsoft SQL this weekend was a wake-up call for anyone who thought the Internet had become a safer place following increased attention by corporate and government leaders. In the largest such incident since the Code Red and Nimda worms swamped servers in 2001, the Sapphire worm -- also known as Slammer and SQLExp -- infected more than 120,000 computers and caused chaos within many corporate networks. Some Internet service providers in Asia were overwhelmed. The small but malicious program rapidly exploited a six-month-old flaw in Microsoft SQL servers, underscoring a dirty secret in the IT industry: software bugs are common and administrators are slow to fix even widely publicised problems, said Johannes Ullrich, director of the security information site Incidents.org. "Companies should have been ready for (the worm)," he said. "That patch should have been applied -- it's six months old now." The worm started spreading about 9:30pm PST last Friday, just one day after Microsoft chairman Bill Gates sent a memo to customers stating that the company had "accomplished a lot" in its first year of its Trustworthy Computing initiative. For much of the first year, the company has focused on increasing the security of its products. It also came just days after the General Accounting Office, the auditing arm of Congress, said the US government has spent at least US$2.9bn (£1.8bn) in 2002 on information technology related to homeland security. The same amount is expected to be spent again this year. Because the worm exploited an old flaw, security experts directed only moderate criticism at Microsoft, choosing instead to focus on administrators who have failed to patch their software. "I don't think people can really hold Microsoft at fault for this worm," said Marc Maiffret, chief hacking officer for security software firm eEye Digital Security, one of the first groups to release an analysis of the worm. While Microsoft did release flawed software, they fixed that flaw many months ago, he said. "Customers have been able to protect themselves," he stressed. For a variety of reasons, however, companies with Microsoft SQL (pronounced "sequel") servers didn't apply the patches. Moreover, the affected companies also had vulnerable servers that were accessible via the Internet, a disaster waiting to happen. "Some administrators might be at fault, but then some corporate managers might be at fault for understaffing, under-budgeting, and under-empowering their IT staff to be able to handle the security of their network," Maiffret added. The bottom line: More security is needed. While the worm didn't infect as many system as Code Red or Nimda, the pint-sized program spread across the Internet in less than a minute and saturated some companies networks so quickly that administrators couldn't respond. The worm comprised just 376 bytes of code, less than is contained in this paragraph. The worm takes advantage of a flaw in how Microsoft SQL servers handle certain input. By sending a specially crafted data packet over the Internet, the worm can remotely compromise additional systems and spread copies of itself. The worm doesn't create files and doesn't delete data. Rather, it resides in memory and tries to spread as quickly as possible. It's so successful at rapidly sending data, however, that it overloaded many networks and overwhelmed many types of network hardware, effectively cutting off some companies from the Internet. "It is memory-resident, so it is very efficient," said Greg Shipley, director of consulting for security firm Neohapsis. "So there may be less number of hosts affected, but it is so chatty it saturates connections." The worm disrupted more than 13,000 Bank of America automated teller machines, and late Saturday the company was still warning online customers of possible slowdowns in accessing their accounts. "We are currently experiencing problems that may cause online banking to operate more slowly than normal," the message stated. The company could not be reached for comment on Sunday. PeopleSoft was among several Fortune 100 companies that had had network issues on Saturday, according to data provided by Internet watcher Netcraft.org. "The problem was that this was a particularly malicious piece of code," said Steve Lipner, director of security assurance for Microsoft. "If it got a hold of one machine, it hammered away at the network. In a big organization, it's really hard to say that every point of access is protected." In addition, developers using Microsoft's Data Engine 1.0 and Microsoft Desktop Engine 2000 may not have known they were vulnerable to the worm. The software is included in Visual Studio .NET, ASP.NET Web Matrix Tool, Office XP Developer Edition, MSDN Universal and Enterprise subscriptions and Microsoft Access. MSDE is also included in Microsoft Application Center 2000. While some companies scrambled to deal with the problem, most consumers weren't affected, however. "Consumers might have seen longer latencies and slower connections, otherwise it was a non-issue," said Oliver Friedrichs, senior manager for security software maker Symantec. By midday Sunday, traffic caused by the worm had fallen to one-tenth the level it had been in the first few hours of the attack, when the infection peaked, Friedrichs said. "We are not seeing anywhere near the activity of the first two hours," he said. "The worm could have been worse. It could have deleted files. It just took up tremendous amount of bandwidth." The main brunt of the attack may now be within companies that have shut down database connections to the Internet, but still may be dealing with the infection internally, he added. Given that the worm did little damage to the machines it infected -- a reboot would rid any computer of the worm -- some security experts saw the ultimate effect of the attack as a good thing. "A lot of people see this as a wake-up call," said Ullrich of Incidents.org. "Machines that got infected by this one have been open for the past six months." Any database vulnerable to the worm could have been attacked by hackers bent on stealing data. Many SQL databases hold customer data, and the worm highlighted that the data hasn't been safe, said Ullrich. "If you had a vulnerable server, then it's possible that you could have been compromised in the past half-year," he said. With Fortune 100 companies and online retailers among those that may be cleaning their systems of such a worm, the question may not be whether data has been leaked, but how much.
For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section. Let the editors know what you think in the Mailroom.

Related stories

SQL Slammer worm wreaks havoc on Internet

Microsoft patches SQL Server 2000 database

Windows XP, Office and SQL Server open to new attacks

Data leaks cost Midlothian a record £140k fine

Google-backed DMARC system aims to block phishers

Post your comment

In order to post a comment you need to be registered and logged in.

You can also log in with Facebook. Log in or create your ZDNet UK account below

  • Login

Will not be displayed with your comment

By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Community FAQ

Get ZDNet UK's daily newsletter

Enter your email address to sign up

ZDNet UK Live

Dennis Nilsson

If we allow corporate interest to dictate the way our government circumvents due process against foreign entities then we should accept the same...

27 minutes ago by Dennis Nilsson via Facebook on ACTA stumbles in Germany
GHar123

I totally dislike pirating of works, I fear that artists will be deterred from creating works if they think that they are going to get ripped off....

2 hours ago by GHar123 on ACTA stumbles in Germany
JCB33

How dare film makers, artists or anybody that invests in creativity stop us pirating their works for free. I want to be able to walk into my local...

8 hours ago by JCB33 on ACTA stumbles in Germany
Moley

@GrueMaster. I prefer horses for courses rather than one size fits all. I, and I suspect most other computer users, do not really wish to have...

10 hours ago by Moley on A tale of two distros: Ubuntu and Linux Mint
greycynic

The product that scares me every time I have to use it is the Office 2007 version of Excel. The first bug that I found was applying the median...

10 hours ago by greycynic on Ten flawed products that derail productivity
GrueMaster

Nice review and very informative. One thing I'd like to add (in reply to whs001's 1st question), the main reason to have the same interface from...

11 hours ago by GrueMaster on A tale of two distros: Ubuntu and Linux Mint
Frederick Wrigley

I'be been using Mint 12 since the RC came out, and I am far more happy with the Cinnamon, the Mate, and, yes (with extensions), theGnome 3...

12 hours ago by Frederick Wrigley via Facebook on A tale of two distros: Ubuntu and Linux Mint
bdantas

Excellent article. One small correction, though--although a fresh installation of Linux Mint 12 will, indeed, provide the user with a version of...

13 hours ago by bdantas on A tale of two distros: Ubuntu and Linux Mint
Alan Ralph

In related news, the ISPs club together to get the members of the Home Affairs Select Committee (ya goofed on that part, ZDNet UK) copies of "The...

13 hours ago by Alan Ralph via Facebook on MPs urge ISPs to take down terrorist material
Alan Ralph

In related news, the ISPs club together to get the members of the Home Affairs Select Committee (ya goofed on that part, ZDNet UK) copies of "The...

13 hours ago by Alan Ralph via Facebook on MPs urge ISPs to take down terrorist material
Moley

For Gnome 2 die-hards, it is possible to add icons to the bottom panel (or top top panel, if you prefer) which provide the exact Gnome 2...

14 hours ago by Moley on A tale of two distros: Ubuntu and Linux Mint
ramwellian

Your comments would seem pretty naive and immature. Your 'solution' appears to be, "gee, let's all just give in to the hackers and give them...

14 hours ago by ramwellian on Cloud computing security: no more oxymoron?
BugStalker

"Interesting thought ... If you installed Win7 as a dual boot on a machine that previously only had Linux, and it wrecked your Linux installation,...

15 hours ago by BugStalker on Windows 7 Declares War on GRUB
whs001

This is an excellent summary of Ubuntu and Mint and the interface differences between them. Most such articles take a very partisan position for...

15 hours ago by whs001 on A tale of two distros: Ubuntu and Linux Mint
Moley

@ewallace. Not so clear. Anyone can obtain the text, for example from here http://www.ustr.gov/webfm_send/2379. I support ACTA so long as it and...

15 hours ago by Moley on ACTA: Facts, misconceptions and questions
45283

I think WinRT is fantastic. I just wish it was an option for people that didn't want to go through Microsoft's App Store with its attendant...

18 hours ago by 45283 on Why Windows 8 needs architectural hygiene for WOA
Burn-IT

Nine people? £30m? Who's back pocket is that lot going in? And IF they say it is for new buildings, what about all the ones the government has...

19 hours ago by Burn-IT on Police set to launch three £30m e-crime hubs
ewallace

Just to be clear, nobody knows what is in the text of ACTA, here is a photograph of the text of ACTA http://twitpic.com/8h9iju as submitted to the...

19 hours ago by ewallace on ACTA: Facts, misconceptions and questions
fgvrg56

Unfortunately main issue is that ASUS is refusing to accept that they make some mistake on this version of asus Transformer prime. 1 - GPS sensor...

21 hours ago by fgvrg56 on Asus Eee Pad Transformer Prime Wi-Fi & GPS problems?
Ben Woods

@Marcus A fair question. Just talked with Archos which said it was working on an announcement for next week....

22 hours ago by Ben Woods on Archos confirms G9 Ice Cream Sandwich update schedule

Latest in Security Management

Data leaks cost Midlothian a record £140k fine

Google-backed DMARC system aims to block phishers

Ten ways to take the sting out of IT disasters

Featured white papers

CIO challenges: Bringing your iPad to work

Aruba Networks

CIO challenges: Bringing your iPad to work

The arrival of personal technology in the office is a challenge for all organisations, but how can it be adapted securely for corporate... Read more

Keeping safe from organised cybercrime

Symantec.cloud

Keeping safe from organised cybercrime

As cyber-criminals become increasingly coordinated in their cross-medium attacks, a solid, communicating and... Read more

Why is encryption important?

Symantec.cloud

Why is encryption important?

Data protection has become a hot topic, but where is the real threat and what can you do to protect your business?... Read more

Inside ZDNet UK

A tale of two distros: Ubuntu and Linux Mint

A tale of two distros: Ubuntu and Linux Mint

2012 Predictions: VCE FastPath, VI SAN Probe & Hadoop

2012 Predictions: VCE FastPath, VI SAN Probe & Hadoop

BlackBerry Bold 9790

BlackBerry Bold 9790

How to handle data replication

How to handle data replication

Ten factors that make Ubuntu 11.10 a hit

Ten factors that make Ubuntu 11.10 a hit

Toshiba Portégé Z830-10P Review

Toshiba Portégé Z830-10P Review

BT's archive: Pictures from the vault

BT's archive: Pictures from the vault