Worm exposes laziness and Microsoft bugs

ANALYSIS
The Sapphire worm that hit servers running Microsoft SQL this weekend was a wake-up call for anyone who thought the Internet had become a safer place following increased attention by corporate and government leaders. In the largest such incident since the Code Red and Nimda worms swamped servers in 2001, the Sapphire worm -- also known as Slammer and SQLExp -- infected more than 120,000 computers and caused chaos within many corporate networks. Some Internet service providers in Asia were overwhelmed.

The small but malicious program rapidly exploited a six-month-old flaw in Microsoft SQL servers, underscoring a dirty secret in the IT industry: software bugs are common and administrators are slow to fix even widely publicised problems, said Johannes Ullrich, director of the security information site Incidents.org. "Companies should have been ready for (the worm)," he said. "That patch should have been applied -- it's six months old now."

The worm started spreading at about 9:30pm PST last Friday, just one day after Microsoft chairman Bill Gates sent a memo to customers stating that the company had "accomplished a lot" in the first year of its Trustworthy Computing initiative. For much of that year, the company has focused on increasing the security of its products. The outbreak also came just days after the General Accounting Office, the auditing arm of Congress, said the US government had spent at least US$2.9bn (£1.8bn) in 2002 on information technology related to homeland security. The same amount is expected to be spent again this year.

Because the worm exploited an old flaw, security experts directed only moderate criticism at Microsoft, choosing instead to focus on administrators who have failed to patch their software. "I don't think people can really hold Microsoft at fault for this worm," said Marc Maiffret, chief hacking officer for security software firm eEye Digital Security, one of the first groups to release an analysis of the worm.
While Microsoft did release flawed software, it fixed that flaw many months ago, he said. "Customers have been able to protect themselves," he stressed. For a variety of reasons, however, companies with Microsoft SQL (pronounced "sequel") servers didn't apply the patches. Moreover, the affected companies also had vulnerable servers that were accessible from the Internet, a disaster waiting to happen. "Some administrators might be at fault, but then some corporate managers might be at fault for understaffing, under-budgeting, and under-empowering their IT staff to be able to handle the security of their network," Maiffret added. The bottom line: more security is needed.

While the worm didn't infect as many systems as Code Red or Nimda, the pint-sized program spread across the Internet in less than a minute and saturated some companies' networks so quickly that administrators couldn't respond. The worm comprised just 376 bytes of code, less than is contained in this paragraph.

The worm takes advantage of a flaw in how Microsoft SQL servers handle certain input. By sending a specially crafted data packet over the Internet, the worm can remotely compromise additional systems and spread copies of itself. The worm doesn't create files and doesn't delete data. Rather, it resides in memory and tries to spread as quickly as possible. It is so successful at rapidly sending data, however, that it overloaded many networks and overwhelmed many types of network hardware, effectively cutting off some companies from the Internet. "It is memory-resident, so it is very efficient," said Greg Shipley, director of consulting for security firm Neohapsis. "So there may be less number of hosts affected, but it is so chatty it saturates connections."

The worm disrupted more than 13,000 Bank of America automated teller machines, and late Saturday the company was still warning online customers of possible slowdowns in accessing their accounts.
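Because the worm is memory-resident and does nothing but fire one small crafted datagram at as many hosts as it can, an infected machine stands out in flow records as a single source sending same-sized packets to an unusually large number of distinct destinations per second. The following detection logic is an added example, not code from the article or from any of the firms quoted; the flow-record layout, the thresholds and the sample records are constructed assumptions, and the use of UDP port 1434 (the SQL Server resolution service the worm targeted) is background knowledge rather than something the article states.

```python
"""Rate-based detection of worm-style scanning in flow records (added example)."""
from collections import defaultdict

# Constructed sample flow records (assumed layout):
#   (epoch_second, src_ip, dst_ip, proto, dst_port, bytes)
SAMPLE_FLOWS = [
    (1043638200, "10.0.0.5", "10.0.0.9", "tcp", 1433, 4200),    # ordinary SQL client session
    (1043638200, "10.0.0.5", "10.0.0.12", "tcp", 1433, 3900),
    (1043638201, "10.0.0.5", "10.0.0.9", "udp", 1434, 90),      # one legitimate resolution query
] + [
    # worm-like behaviour: one host spraying 376-byte UDP datagrams at 300 hosts in one second
    (1043638201, "10.0.0.77", f"172.16.{i // 256}.{i % 256}", "udp", 1434, 376)
    for i in range(300)
]

SQL_RESOLUTION_PORT = 1434   # UDP service the worm targeted (background knowledge, not from the article)


def scanning_sources(flows, dest_threshold=100, max_bytes=512):
    """Return {src_ip: peak distinct destinations in one second} for sources that, within
    a single second, sent small UDP datagrams to more than dest_threshold distinct hosts
    on the SQL resolution port. Thresholds are assumptions to be tuned per network.
    """
    per_src_second = defaultdict(set)   # (src_ip, second) -> set of destination IPs
    for ts, src, dst, proto, dport, nbytes in flows:
        if proto == "udp" and dport == SQL_RESOLUTION_PORT and nbytes <= max_bytes:
            per_src_second[(src, ts)].add(dst)

    hits = {}
    for (src, _second), dsts in per_src_second.items():
        if len(dsts) > dest_threshold:
            hits[src] = max(hits.get(src, 0), len(dsts))
    return hits


if __name__ == "__main__":
    for src, n in scanning_sources(SAMPLE_FLOWS).items():
        print(f"{src}: {n} distinct hosts in one second -> candidate for isolation")
```

Because the worm never touches disk, the flow record is the durable evidence; the same per-source fan-out count also shows why a single infected host can saturate a link that its neighbours depend on.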
"We are currently experiencing problems that may cause online banking to operate more slowly than normal," the message stated. The company could not be reached for comment on Sunday. PeopleSoft was among several Fortune 100 companies that had network issues on Saturday, according to data provided by Internet watcher Netcraft.org.

"The problem was that this was a particularly malicious piece of code," said Steve Lipner, director of security assurance for Microsoft. "If it got a hold of one machine, it hammered away at the network. In a big organization, it's really hard to say that every point of access is protected."

In addition, developers using Microsoft's Data Engine 1.0 and Microsoft Desktop Engine 2000 may not have known they were vulnerable to the worm. The software is included in Visual Studio .NET, ASP.NET Web Matrix Tool, Office XP Developer Edition, MSDN Universal and Enterprise subscriptions and Microsoft Access. MSDE is also included in Microsoft Application Center 2000.

While some companies scrambled to deal with the problem, most consumers weren't affected. "Consumers might have seen longer latencies and slower connections, otherwise it was a non-issue," said Oliver Friedrichs, senior manager for security software maker Symantec. By midday Sunday, traffic caused by the worm had fallen to one-tenth the level it had been in the first few hours of the attack, when the infection peaked, Friedrichs said. "We are not seeing anywhere near the activity of the first two hours," he said. "The worm could have been worse. It could have deleted files. It just took up a tremendous amount of bandwidth." The main brunt of the attack may now be within companies that have shut down database connections to the Internet, but still may be dealing with the infection internally, he added.
Given that the worm did little damage to the machines it infected -- a reboot would rid any computer of the worm -- some security experts saw the ultimate effect of the attack as a good thing. "A lot of people see this as a wake-up call," said Ullrich of Incidents.org. "Machines that got infected by this one have been open for the past six months."

Any database vulnerable to the worm could have been attacked by hackers bent on stealing data. Many SQL databases hold customer data, and the worm highlighted that the data hasn't been safe, said Ullrich. "If you had a vulnerable server, then it's possible that you could have been compromised in the past half-year," he said. With Fortune 100 companies and online retailers among those that may be cleaning their systems of such a worm, the question may not be whether data has been leaked, but how much.