After tying up email and online business for nearly three days, the attack
of the Slammer worm seems to be over.
“It’s over now. I really hope so,” says Mikko Hypponen, manager of
anti-virus research in F-Secure’s Helsinki, Finland office. “The worst
didn’t happen on Monday. I was a little bit worried about it. The peak in
the U.S. was much, much smaller than it was on Monday in Europe. It was
surprisingly worse in Europe.”
Security analysts from around the globe had worried that the opening of the
business week yesterday would bring on a new wave of the worm that had
slowed or halted Internet traffic throughout Asia, Europe and North America
over the weekend.
The Slammer worm, which takes advantage of a known
vulnerability in Microsoft Corp.’s SQL 2000 Web servers, disrupted business,
Web browsing, ATM banking and even some telephone service.
The worm, which still garnered F-Secure’s second-highest security alert,
spiked Internet traffic when business started in Europe yesterday and then
again when business commenced in the United States.
While Slammer doesn’t
damage the infected machine or delete or change files, it generates massive
amounts of network packets, overloading servers and routers, slowing down
network traffic — sometimes bringing it to a complete stop under the weight
of the attack.
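One way a defender could spot the behaviour described above on a network, as an added example that is not part of the article: a scanning worm shows up as one host sending many small datagrams to a single port across hundreds of distinct addresses within a second. It assumes flow records in a simplified NetFlow-like form (constructed here) and that Slammer spread over UDP port 1434, which comes from public analyses of the worm rather than from this article.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float    # seconds since capture start
    src: str
    dst: str
    proto: str
    dport: int
    pkts: int
    bytes: int


SLAMMER_PORT = 1434  # UDP/1434 per public Slammer analyses (assumption; not named in the article)


def find_spraying_hosts(flows, window=1.0, min_dsts=100, port=SLAMMER_PORT):
    """Return {src: peak distinct-destination count} for sources that reach at least
    min_dsts distinct hosts on UDP/port inside any `window`-second sliding span."""
    per_src = defaultdict(list)
    for f in flows:
        if f.proto == "udp" and f.dport == port:
            per_src[f.src].append((f.ts, f.dst))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        counts = defaultdict(int)  # dst -> occurrences currently inside the window
        start, peak = 0, 0
        for ts, dst in events:
            counts[dst] += 1
            while ts - events[start][0] > window:  # slide the window forward
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            peak = max(peak, len(counts))
        if peak >= min_dsts:
            hits[src] = peak
    return hits


def build_sample_flows():
    """Constructed sample: a benign client doing a few lookups over a minute, and an
    infected host emitting 300 single-packet datagrams to 300 addresses in under a second."""
    flows = [Flow(i * 12.0, "10.0.0.5", f"10.0.1.{i + 1}", "udp", 1434, 1, 404) for i in range(5)]
    flows += [Flow(100.0 + i * 0.0015, "10.0.0.77", f"10.{i // 256}.{i % 256}.9", "udp", 1434, 1, 404)
              for i in range(300)]
    return flows


if __name__ == "__main__":
    print(find_spraying_hosts(build_sample_flows()))  # {'10.0.0.77': 300}
```

The threshold and window are deliberately coarse; a real deployment would tune them against baseline traffic and watch the matching inbound direction as well.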
Security analysts say they are not expecting any further spikes caused by
the Slammer worm. Various governments, which reportedly include the U.S. and
South Korea, are now tracking down whoever released the worm into the wild.
Initial investigations are pointing to the worm originating in China.
The Blame Game
And now that the Slammer, also known as Sapphire, is under control, analysts
and corporate IT managers are laying blame and trying to figure out how the
worm could cause such global disruption.
Slammer’s rampage was completely dependent on a known vulnerability going
unpatched. Microsoft released a patch for the problem last summer, but
obviously many network administrators did not install it, leaving an opening
for the attack to spread far and fast around the world.
Analysts also point out that many home users are running SQL on their
machines and don’t even realize it. The software often comes bundled in
third-party software packages, including games. If users don’t know it’s
there, they’re obviously not going to install needed patches for it.
But the bulk of the problem came from unpatched corporate networks. And
today talk is about who is at fault. Were network administrators negligent
or were they too overworked and understaffed to be able to manage the
situation properly? Are administrators not properly trained to distinguish
serious flaws from the thousands of vulnerabilities that are discovered
every year? Is Microsoft to blame for releasing a patch too complicated to
Security analysts say the answer lies in a combination of all of the above.
“Administrators are inundated with vulnerabilities and patches,” says Dan
Woolley, a vice president at Reston, Va.-based SilentRunner, Inc., a network
security company. “There are so many patches coming out on any given
system…you have to prioritize them. You can’t install them all. How do
you know what you’re supposed to do?”
And Woolley says the recent spate of layoffs and budget cuts is only adding
to the problem.
“If you don’t have as many people on staff, you have an increased number of
threats, and there are more and more patches coming out, you’re in a box,”
adds Woolley. “You put that all together and you have a very, very dangerous
environment. It all adds up to catch yah.”
A study of 200 business PC users, conducted yesterday by Sophos Anti-Virus,
shows that system administrators blame each other for the spread of the
The poll shows that 64% say that system administrators who failed to install
the latest security patches are the most at fault. Another 24% blame
Microsoft for shipping buggy software.
F-Secure’s Hypponen says Microsoft should share the blame with
“Yes, Microsoft did do the responsible thing back in July when it announced
the hole and made the patch available,” he says. “The initial reaction is
that it’s all about lazy administrators. But it’s not that simple to install
Microsoft’s patch. It’s one of the most difficult patches to install. Many
administrators probably tried installing it and gave up or didn’t install it
Hypponen notes that this past Sunday, Microsoft shipped a new version of the
patch — a more simple version — because of complaints from the admin
But MJ Shoer, president of Jenaly Technology Group, Inc., a Portsmouth,
N.H.-based outsourced IT firm, says the problem lies with the overwhelming
number of vulnerabilities and corresponding patches that are continually
flooding the industry.
“It’s the age-old battle,” says Shoer, who notes that deciding which
patches to install is like an educated crap shoot. “Patches come out so
frequently, it’s like the boy who cried wolf… If you installed them all,
it would consume the day. You have to evaluate the patches that come out and
see what makes sense to apply right away and what makes sense to keep an eye