CastleCops, Internet Crime Fighters

Remembering Slammer on Its Anniversary

Paul Roberts, IDG News Service
Friday, January 23, 2004


Security is tighter, but experts say fast-moving worms will crawl again.

Cash machines froze. Airlines and hospitals dusted off paper forms to schedule reservations and track patients. This was the scene on January 25, 2003, shortly after the Slammer worm appeared and quickly began spreading around the world, flooding computer networks with worm-generated traffic and knocking vital database servers offline.

One year after it appeared, the Slammer worm, also known as Sapphire, is being remembered this week as a watershed moment in the life of the Internet: the sudden appearance of a new type of malicious code that could spread worldwide in minutes.

Slammer used a known buffer overflow in Microsoft's SQL Server database to spread worldwide in approximately ten minutes, doubling the number of computers it infected every 8.5 seconds. According to a study of the worm's outbreak published by the Cooperative Association for Internet Data Analysis (CAIDA), another system was infected every 37 minutes.

Months later, the impact is still being felt. Corporations and vendors have changed policies, increased vigilance to Internet threats, and worked to foster better security from Microsoft.


Lessons Learned
Slammer exposed previously unknown interdependencies that were thought to be separate from the Internet, says Alan Paller, director of research at the SANS Institute.

"People realized that all the things that we didn't think were connected to the Internet actually were," Paller says. "If your routers are connected to the Internet and they're full, nothing can flow, so an outage of Internet connections is an outage of the entire Internet infrastructure."

That was the case at Beth Israel Deaconess Medical Center, where infections on desktop computers in the research wing slowed the entire hospital network, interrupting systems used by doctors and nurses to track patients, according to John Halamka, chief information officer of Caregroup Health System.

VPN traffic to Beth Israel is now decrypted and inspected for attack code before passing through the hospital's firewall, he says.

At FleetBank, machines running products that use the vulnerable Microsoft Data Engine, including antivirus engines, fell to Slammer, says Eric Hacker, security information architect at Fleet.

Those machines took down small parts of Fleet's network on January 25, 2003, although customers were not affected, Hacker says.

At both Fleet and Beth Israel, Slammer forced administrators to toughen software-patching programs, with an emphasis on automated patch deployment and enforcement of security policies for all devices connecting to the network, both Halamka and Hacker say.

Slammer didn't tell organizations anything that wasn't already known about network security, but it did underscore the need for readiness and the importance of patch-management and intrusion-prevention technology, says Lance Braunstein, senior vice president and director of technical operations at Morgan Stanley Dean Witter Online.


Microsoft Regroups
The aftermath of the Slammer outbreak brought sweeping changes at Microsoft to improve the security of its products, says Jonathan Perera, senior director of Microsoft's security business unit.

Microsoft increased vulnerability assessments and penetration testing of its products and deployed new automated tools to inspect product code for security holes, Perera says.

But Microsoft security experts were not the only ones chastened by their role in the worm's spread.

Having seen the damage Slammer caused worldwide, David Litchfield, managing director at NGSSoftware, decided to stop publishing sample code that shows how the vulnerabilities he discovered can be exploited, as he did with the SQL Server vulnerability.

Litchfield doubts that the world will be greeted with a reprise of Slammer on January 25, 2004. He cites the lack of a vulnerability that compares with the SQL Server buffer overflow that spawned Slammer.

Litchfield and other experts agree, however, that Slammer has taught companies the importance of vigilance. Major worm outbreaks, although impossible to predict, are inevitable.

More at PCWorld
Posted on Friday, 23 January 2004 @ 19:21:53 UTC by phoenix22 (1008 reads)