Worm exposes apathy, Microsoft flaws

The Sapphire worm that hit servers running Microsoft SQL Server is a wake-up call for anyone who thought increased attention by corporate and government leaders made the Net safer.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
5 min read
The Sapphire worm that hit servers running Microsoft SQL Server is a wake-up call for anyone who thought the increased attention by corporate and government leaders made the Net a safer place.

Special Report
Code Red for security
Virulent worm calls into doubt
our ability to protect the Net.

In the largest such incident since the Code Red and Nimda worms bored into servers in 2001, the Sapphire worm--also known as Slammer and SQLExp--infected more than 120,000 computers and caused chaos within many corporate networks. Some Internet service providers in Asia were overwhelmed.

The small but malicious program rapidly exploited a flaw in Microsoft SQL Server for which a patch had been available for half a year, underscoring a dirty secret in the information technology industry: Software bugs are common, and administrators are slow to fix even widely publicized problems, said Johannes Ullrich, director of the security information site Incidents.org.

"Companies should have been ready for (the worm)," he said. "That patch should have been applied--it's 6 months old now."

The worm started spreading about 9:30 p.m. PST on Friday, just one day after Microsoft Chairman Bill Gates sent a memo to customers stating that the company had "accomplished a lot" in its first year of its Trustworthy Computing initiative. For much of the first year, the company has focused on increasing the security of its products.

It also came just days after the General Accounting Office, the auditing arm of Congress, said that the U.S. government has spent at least $2.9 billion in 2002 on information technology related to homeland security. The same amount is expected to be spent again this year.

Because the worm exploited an old flaw, security experts directed only moderate criticism at Microsoft, choosing instead to focus on administrators who have failed to patch their software.

"I don't think people can really hold Microsoft at fault for this worm," said Marc Maiffret, chief hacking officer for security software firm eEye Digital Security, one of the first groups to release an analysis of the worm. Microsoft did release flawed software but fixed the flaw many months ago, Maiffret said. "Customers have been able to protect themselves," he stressed.

A disaster waiting to happen
For a variety of reasons, however, companies with Microsoft SQL (pronounced "sequel") Server didn't apply the patches. Moreover, the affected companies also had vulnerable servers that were accessible via the Internet--a disaster waiting to happen.

"Some administrators might be at fault, but then some corporate managers might be at fault for understaffing, underbudgeting, and under-empowering their IT staff to be able to handle the security of their network," Maiffret added.

Help and How-to
SQL Slammer worm
How to recognize and
prevent the virus.

The bottom line: More security is needed. Though the worm did not infect as many systems as Code Red or Nimda, the pint-sized program spread across the Internet in less than a minute and saturated some companies' networks so quickly that administrators couldn't respond fast enough to stop the resulting deluge of data. The worm comprised just 376 bytes of code, fewer bytes than in this paragraph.

The worm takes advantage of a flaw in how Microsoft SQL Server handle certain input. By sending a specially crafted data packet over the Internet, the worm can remotely compromise additional systems and spread copies of itself. The worm doesn't create files and doesn't delete data. Rather, it resides in memory and tries to spread as quickly as possible.

It's so successful at rapidly sending data, however, that it overloaded many networks and overwhelmed many types of network hardware, effectively cutting off some companies from the Internet.

"It is memory-resident, so it is very efficient," said Greg Shipley, director of consulting for security firm Neohapsis. "So there may be less number of hosts affected, but it is so chatty it saturates connections."

The worm disrupted more than 13,000 Bank of America automated teller machines, and late Saturday, the company was still warning online customers of possible slowdowns in accessing their accounts. "We are currently experiencing problems that may cause online banking to operate more slowly than normal," the message stated. The company could not be reached for comment on Sunday.

PeopleSoft was among several Fortune 100 companies that had had network issues on Saturday, according to data provided by Internet watcher Netcraft.org.

"The problem was that this was a particularly malicious piece of code," said Steve Lipner, director of security assurance for Microsoft. "If it got a hold of one machine, it hammered away at the network. In a big organization, it's really hard to say that every point of access is protected."

In addition, developers using Microsoft's Data Engine 1.0 and Microsoft Desktop Engine 2000 may not have known they were vulnerable to the worm. The software is included in Visual Studio .NET, ASP.NET Web Matrix Tool, Office XP Developer Edition, MSDN Universal and Enterprise subscriptions and Microsoft Access. MSDE is also included in Microsoft Application Center 2000.

The brunt gone by?
While some companies scrambled to deal with the problem, most consumers weren't affected, however.

"Consumers might have seen longer latencies and slower connections, otherwise it was a nonissue," said Oliver Friedrichs, senior manager for security software maker Symantec.

By midday Sunday, traffic caused by the worm had fallen to one-tenth of the level it had been in the first few hours of the attack, when the infection peaked, Friedrichs said.

"We are not seeing anywhere near the activity of the first two hours," he said. "The worm could have been worse. It could have deleted files. It just took up tremendous amount of bandwidth."

The brunt of the attack may now be within companies that have shut down database connections to the Internet, but may still be dealing with the infection internally, he added.

Given that the worm did little damage to the machines it infected--a reboot would rid any computer of the worm--some security experts saw the ultimate effect of the attack as a good thing.

"A lot of people see this as a wake-up call," said Ullrich of Incidents.org. "Machines that got infected by this one have been open for the past six months."

Any database vulnerable to the worm could have been attacked by hackers bent on stealing data. Many databases hold customer data, and the worm highlighted that the data hasn't been safe, said Ullrich.

"If you had a vulnerable server, then it's possible that you could have been compromised in the past half-year," he said.

With Fortune 100 companies and online retailers among those that may be cleaning their systems of such a worm, the question may not be whether data has been leaked, but how much.