The Sapphire worm that hit servers running Microsoft SQL Server is a wake-up call
for anyone who thought the increased attention by corporate
and government leaders made the Net a safer place.
In the largest such incident since
the Code Red and Nimda worms bored into servers in 2001, the
Sapphire worm--also known as Slammer and SQLExp--infected more
than 120,000 computers and caused chaos within many corporate
networks. Some Internet service providers in Asia were
overwhelmed.
The small but malicious program rapidly exploited a
6-month-old flaw in Microsoft SQL Server, underscoring a dirty
secret in the information technology industry: Software bugs
are common, and administrators are slow to fix even widely
publicized problems, said Johannes Ullrich, director of the
security information site Incidents.org.
"Companies should have been ready for (the worm)," he said.
"That patch should have been applied--it's 6 months old now."
The worm started spreading about 9:30 p.m. PST on Friday,
just one day after Microsoft Chairman Bill Gates sent a memo to
customers stating that the company had "accomplished a lot" in the
first year of its Trustworthy Computing initiative. For
much of the first year, the company has focused on increasing
the security of its products.
It also came just days after the General Accounting Office,
the auditing arm of Congress, said that the U.S. government
has spent at least $2.9 billion in 2002
on information technology related to homeland security. The
same amount is expected to be spent again this year.
Because the worm exploited an old flaw, security experts
directed only moderate criticism at Microsoft, choosing
instead to focus on administrators who have failed to patch
their software.
"I don't think people can really hold Microsoft at fault
for this worm," said Marc Maiffret, chief hacking officer for
security software firm eEye Digital Security, one of the first
groups to release an analysis of the worm. Microsoft did
release flawed software but fixed the flaw many months ago,
Maiffret said. "Customers have been able to protect
themselves," he stressed.
For a variety of reasons, however, companies with Microsoft
SQL (pronounced "sequel") Server didn't apply the
patches. Moreover, the affected companies also had
vulnerable servers that were accessible via the Internet--a
disaster waiting to happen.
"Some administrators might be at fault, but then some
corporate managers might be at fault for understaffing,
underbudgeting, and under-empowering their IT staff to be able
to handle the security of their network," Maiffret added.
The bottom line: More security is needed. Though the worm
didn't infect as many systems as Code Red or Nimda, the
pint-sized program spread across the Internet in less than a
minute and saturated some companies' networks so quickly that
administrators couldn't respond. The worm comprised just 376
bytes of code, fewer bytes than in this paragraph.
The worm takes advantage of a flaw
in how Microsoft SQL Server handles certain input. By sending a
specially crafted data packet over the Internet, the worm can
remotely compromise additional systems and spread copies of
itself. The worm doesn't create files and doesn't delete data.
Rather, it resides in memory and tries to spread as quickly as
possible.
It's so successful at rapidly sending data, however, that
it overloaded many networks and overwhelmed many types of
network hardware, effectively cutting off some companies from
the Internet.
"It is memory-resident, so it is very efficient," said Greg
Shipley, director of consulting for security firm Neohapsis.
"So there may be fewer hosts affected, but it is so
chatty it saturates connections."
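The behaviour described above, a memory-resident worm that spreads by sending one crafted datagram at each new address and saturates links through sheer volume, shows up in network telemetry as a single source contacting many distinct destinations on one port within a very short time. The script below is an added example, not code from the article or from any of the firms quoted in it; it runs a simple rate-based detector over constructed flow records. It assumes a whitespace-separated record layout of its own and uses UDP port 1434 (the SQL Server Resolution Service port the worm targeted, which the article does not name) together with the 376-byte size the article gives.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constants: the article gives the worm's size (376 bytes); the UDP port is the
# SQL Server Resolution Service port the worm targeted, which the article itself
# does not name.
SQL_RESOLUTION_PORT = 1434
WORM_PAYLOAD_LEN = 376


@dataclass(frozen=True)
class Flow:
    """One datagram summary: time, endpoints, protocol, destination port, payload size."""
    ts: float
    src: str
    dst: str
    proto: str
    dport: int
    payload_len: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record: ts src dst proto dport payload_bytes.
    This record layout is an assumption made for the example, not any product's log format."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return Flow(float(ts), src, dst, proto.upper(), int(dport), int(nbytes))


def find_worm_like_hosts(flows, window_s=1.0, min_targets=20):
    """Flag sources that send UDP/1434 datagrams to many distinct destinations
    inside one time window. Returns {src: {"targets": n, "size_matches": k}}
    where n is the peak distinct-destination count in any window and k counts
    datagrams whose payload length equals the worm's 376 bytes."""
    targets = defaultdict(set)    # (src, window index) -> distinct destinations
    size_matches = defaultdict(int)
    for f in flows:
        if f.proto != "UDP" or f.dport != SQL_RESOLUTION_PORT:
            continue
        targets[(f.src, int(f.ts // window_s))].add(f.dst)
        if f.payload_len == WORM_PAYLOAD_LEN:
            size_matches[f.src] += 1
    hits = {}
    for (src, _), dsts in targets.items():
        if len(dsts) >= min_targets:
            peak = max(hits.get(src, {}).get("targets", 0), len(dsts))
            hits[src] = {"targets": peak, "size_matches": size_matches[src]}
    return hits


# Constructed sample records (not captured traffic): one host spraying 25 distinct
# addresses in the TEST-NET-1 range within a quarter of a second, one legitimate
# client making two small resolution queries to a single server, and one TCP
# session to the SQL Server listener on 1433, which the detector ignores.
SAMPLE_LINES = (
    [f"{0.01 * i:.2f} 10.0.0.5 192.0.2.{i} UDP 1434 376" for i in range(1, 26)]
    + ["0.40 10.0.0.9 10.0.0.20 UDP 1434 40",
       "0.55 10.0.0.9 10.0.0.20 UDP 1434 40",
       "0.60 10.0.0.7 10.0.0.20 TCP 1433 200"]
)


def analyse(lines=SAMPLE_LINES):
    """Run the detector over a sequence of record lines and return the flagged sources."""
    return find_worm_like_hosts(parse_flow(line) for line in lines)


if __name__ == "__main__":
    for src, info in analyse().items():
        print(f"{src}: {info['targets']} distinct UDP/1434 targets in one window, "
              f"{info['size_matches']} datagrams of exactly {WORM_PAYLOAD_LEN} bytes")
```

The distinct-destination count is the primary signal, because a legitimate client resolves instances on a handful of servers rather than on dozens of addresses per second; the payload-size match is only a corroborating hint, since any datagram of the same length would count. A host the detector flags is a candidate for the response the article describes, cutting its database traffic off from the network and rebooting it, after which the patch is the only lasting fix.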
The worm disrupted more than 13,000
Bank of America automated
teller machines, and late Saturday, the company was still
warning online customers of possible slowdowns in accessing
their accounts. "We are currently experiencing problems that
may cause online banking to operate more slowly than normal,"
the message stated. The company could not be reached for
comment on Sunday.
PeopleSoft was among several Fortune 100 companies that had had network issues on
Saturday, according to data provided by Internet watcher
Netcraft.org.
"The problem was that this was a particularly malicious
piece of code," said Steve Lipner, director of security
assurance for Microsoft. "If it got a hold of one machine, it
hammered away at the network. In a big organization, it's
really hard to say that every point of access is protected."
In addition, developers using Microsoft's Data Engine 1.0
and Microsoft Desktop Engine 2000 may not have known they were
vulnerable to the worm. The software is included in Visual
Studio .NET, ASP.NET Web Matrix Tool, Office XP Developer
Edition, MSDN Universal and Enterprise subscriptions and
Microsoft Access. MSDE is also included in Microsoft
Application Center 2000.
While some companies scrambled to
deal with the problem, most consumers weren't affected.
"Consumers might have seen longer latencies and slower
connections, otherwise it was a nonissue," said Oliver
Friedrichs, senior manager for security software maker
Symantec.
By midday Sunday, traffic caused by the worm had fallen to
one-tenth of the level it had been in the first few hours of
the attack, when the infection peaked, Friedrichs said.
"We are not seeing anywhere near the activity of the first
two hours," he said. "The worm could have been worse. It could
have deleted files. It just took up a tremendous amount of
bandwidth."
The brunt of the attack may now be within companies that
have shut down database connections to the Internet, but may
still be dealing with the infection internally, he added.
Given that the worm did little damage to the machines it
infected--a reboot would rid any computer of the worm--some
security experts saw the ultimate effect of the attack as a
good thing.
"A lot of people see this as a wake-up call," said Ullrich
of Incidents.org. "Machines that got infected by this one have
been open for the past six months."
Any database vulnerable to the worm could have been
attacked by hackers bent on stealing data. Many databases hold
customer data, and the worm highlighted that the data hasn't
been safe, said Ullrich.
"If you had a vulnerable server, then it's possible that
you could have been compromised in the past half-year," he
said.
With Fortune 100 companies and online retailers among those
that may be cleaning their systems of such a worm, the
question may not be whether data has been leaked, but how
much.