Slammer worm

by ballistic, 4 replies

  • ballistic

    This was on the BBC web site before 125,000 users were put out of action at the company I work for this afternoon...

    UK businesses are among those counting the costs of the Slammer worm that hit computers over the weekend.

    The virulent worm crippled online traffic and affected an estimated quarter of a million computers worldwide.

    SQL Slammer targeted a known flaw in Microsoft's database software affecting servers rather than home computers.

    The incident, which experts say has been the most damaging net attack in 18 months, shut down many of the servers which run websites around the globe.

    Pants down

    Cheshire-based Midnightexpress Lingerie Ltd was just one of the UK businesses to be affected by Slammer.

    The Midnightexpress website went down at around 0500 GMT on Saturday and was offline until 1600 GMT in the afternoon.

    "It was a damn nuisance and ironic that it struck on the same Saturday that we had launched an advertisement campaign for Valentine's Day in the national press," Managing Director John Vincent told BBC News Online.

    "People would have gone to look at the website and it wouldn't have been there. It is likely that they won't bother going back," he added.

    Who's to blame?

    Mr Vincent estimates that his firm alone has lost thousands of pounds worth of business but believes that getting compensation is unlikely to be easy.

    "As it is an international virus, ISPs will probably have some form of disclaimer," he said.

    He acknowledges that his own ISP Mistral did all they could to get the site back up and wonders if the blame really lies with the makers of the software, Microsoft.

    "It is difficult to lay the blame at anyone's door. It all comes back to Bill Gates as usual," he said.

    Cheese fondue

    Anti-virus firm Sophos is currently running a poll to ascertain whether users will blame Microsoft or the systems administrators who failed to provide adequate patches for the flawed software.

    "To Microsoft's credit they told people about the bug six months ago and ultimately it may be that systems administrators need to buck up their ideas and take security more seriously," said Sophos' Senior Technology Consultant Graham Cluley.

    The internet meltdown experienced by many over the weekend does appear to be over now, he said.

    "At the moment the internet is recovering from its sticky cheese fondue state and becoming the rapidly moving liquid we all expect it to be," he said.

    Other UK firms hit by Slammer included Hewlett Packard, Borders.co.uk, Letsbuyit.co.uk and Thorntons.co.uk.

  • AlanF

    : "To Microsoft's credit they told people about the bug six months ago and ultimately it may be that systems administrators need to buck up their ideas and take security more seriously," said Sophos' Senior Technology Consultant Graham Cluley.

    That's right. Unfortunately, many of Microsoft's own administrators neglected to update their SQL Server software with the proper patch, and so they got hit really bad over the weekend. Goes to show that Microsoft employs the worst programmers in the computer industry. I'm not sure that these guys go into the company that bad, or that working for Microsoft turns them into horrible programmers. The amazing thing is that so many security breaches are due to exactly the same sorts of gross programming errors -- "buffer overflow" etc. You'd think they could manage to get this right after a few years.

    AlanF

  • Nathan Natas

    Here's what Steve Gibson had to say about it:

    A New Internet Worm

    Worm Propagation Slows Internet to a Crawl

    Very early Saturday morning (25 Jan 2003) global Internet traffic was dramatically impacted by the self-replicating efforts of a new Internet worm. The combined effect of the worm's aggressive, high-speed probing by tens of thousands of infected Windows machines generated traffic sufficient to congest major Internet traffic exchange points and cause worldwide problems.

    Twelve hours later, though tens of thousands of Windows systems remain infected and continue attempting to infect others, the Internet's largest "backbone" carriers and ISPs are now "filtering" (blocking) the worm's replication traffic to limit its global disruption.

    Personal firewall log watchers will probably have noted an increase in "probes" to port 1434. (Microsoft SQL Server's monitor port.) Each probe contains a complete copy of the worm, being sent to random Internet IP addresses by copies of the worm running within infected Windows-based computers.

    Beyond the inconvenience of a slow Internet, and rapidly filling personal firewall logs, most personal computer users have little to fear from this worm because it only targets and infects unpatched versions of Microsoft's SQL server, usually only present on corporate servers.

    However, since some popular Windows applications install a vulnerable copy of SQL Server, end-users may also be at risk. Please see the details page for a list of these applications.

    Please see this page for a quick worm vulnerability self-check and additional news.

  • Simon

    This site was down but my ISP had already patched their servers. Unfortunately, other servers in the same data-centre were vulnerable and these flooded the data pipes.

    Of course we got it at work too (we have got every major worm/virus) and had to do hasty patches / cleanup.

    I think there are a few contributing factors:

    • Lack of security in depth. eg. why not limit the connections to a SQL box from the web server(s) and DBAdmin's PCs which can easily be done. This would prevent all sorts of vulnerabilities. Only give access to what is needed. It applies to services too.
    • SysAdmins are overworked. Sure, it would be great to update every PC but most struggle to do even the basic fundamental stuff.
    • Management apathy. Most don't want to pay for fixes being applied that they haven't seen an issue with.

    Making updates easier to apply would be better - perhaps something like 'Windows Update' for servers?

  • Goshawk

    AlanF,

    Good point, but that is not the worst of it. Not only do they (Microsoft) release a program with major security holes in it, but it was an outside security analyst that showed them the hole. The update (patch) was written and made available to system administrators but to get this patch through support the same administrators were charged for this support.

    Kind of like a company manufacturing a product that has a design flaw, and after the flaw is found will happily fix this problem for a price.

    Goshawk of the Microsoft = BTG & Gates = antiChrist class
