Slammer/Sapphire Worm and Shades of Code Red - 29 Jan 2003

Apply patches in a timely manner!

As you probably know by now, a tiny worm began traveling the Internet over the past weekend. Known as either Slammer or Sapphire, the worm infects unpatched Microsoft SQL Server 2000 machines by exploiting a buffer overflow in the SQL Server Resolution Service, which listens on UDP port 1434. The patch that closes the hole (Microsoft Security Bulletin MS02-039) has been available since July 2002.

The worm doesn't damage an infected machine, nor does it compromise any data on an infected machine; it runs entirely in memory inside the SQL Server process and writes nothing to disk, so a reboot clears it (although an unpatched, unfiltered machine is simply reinfected). However, it does prove a simple concept: a tiny worm (376 bytes of payload in a single UDP packet) with only the essential amount of code can spread rapidly and consume large amounts of bandwidth in the process.

Some people compare this worm with the Code Red worm that affected Microsoft IIS systems in 2001. However, far more IIS systems than SQL Server machines are online, and the Slammer/Sapphire worm's impact is proving to be relatively short-lived. As Chris Rouland, director of Internet Security Systems' (ISS's) X-Force, said in an "InfoWorld" interview, the worm's impact has already lessened significantly. As of Sunday, its impact was more comparable to that of the Nimda worm, which spreads through e-mail, open file shares, IIS servers, and Web browsers. According to ISS monitoring, Nimda and Slammer/Sapphire were each propagating at about 10,000 attacks per hour on Sunday.

By now, I'm sure Slammer/Sapphire's activity has lessened even further (although it's possible for it to flare up again), whereas the most serious effects of Code Red were probably felt for a longer period. Overall, Nimda is probably more expensive to clean up than Slammer/Sapphire. Even so, the thing Slammer/Sapphire did that Nimda didn't do was severely affect network communications. In some cases, networks went down entirely for brief periods of time.

The reason that some networks went offline was probably twofold. First, each infected machine sends worm packets as fast as its network interface allows, so the worm consumed a lot of bandwidth, sometimes saturating a given network's total capacity. Second, the worm affected Cisco Systems routers, which countless networks across the Internet use. The worm affected some Cisco routers because of the way those routers were configured to log packets. In some cases, routers had access lists that blocked all traffic to UDP port 1434 (the port that the SQL Server Resolution Service listens on; ordinary SQL Server client connections use TCP port 1433) and logged every denied packet. Logging each denied packet is far more expensive for the router than silently dropping it, so the flood of worm traffic in conjunction with the logging overwhelmed some routers. To read Cisco's recommendations regarding configuration adjustments, view the related Web page. You might also want to see a graph of how the worm affected traffic at a few of the larger networks.
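The two facts above (a single 376-byte UDP datagram to port 1434, sent in a flood from each infected host) are enough to recognize the worm on the wire. The following script is an added example, not a tool from the article or from Microsoft, ISS, or Cisco: it classifies captured UDP datagrams by destination port, payload size, and the leading SQL Server Resolution Service opcode, and counts worm-shaped packets per source host. The capture format, the host addresses, the 100-byte "oversized open request" threshold, and the worm-shaped stand-in payload (correct size and leading bytes only, the rest zero-filled) are all constructed for this example.

```python
"""Classify captured UDP datagrams for Slammer/Sapphire-shaped traffic.

Added example: the capture format below is constructed for illustration and
is not any tool's real output.
"""
from collections import Counter
from dataclasses import dataclass

# Published characteristics of the worm packet: one UDP datagram to the SQL
# Server Resolution Service (SSRS) port, 376 bytes of payload, starting with
# the SSRS "open" opcode 0x04 followed by a run of 0x01 bytes.
SSRS_PORT = 1434
WORM_PAYLOAD_LEN = 376
SSRS_OPEN = 0x04
SSRS_PING = 0x02
# A legitimate SSRS open request carries only a short instance name; anything
# much larger abuses the same request the worm overflows. The threshold is an
# assumption chosen for this example, not a published value.
OVERSIZED_OPEN = 100


@dataclass(frozen=True)
class Datagram:
    src: str
    dport: int
    payload: bytes


def classify(d: Datagram) -> str:
    """Return 'slammer', 'oversized-ssrs-open', 'ssrs', or 'other'."""
    if d.dport != SSRS_PORT or not d.payload:
        return "other"
    opcode = d.payload[0]
    if opcode == SSRS_OPEN and len(d.payload) == WORM_PAYLOAD_LEN:
        return "slammer"
    if opcode == SSRS_OPEN and len(d.payload) > OVERSIZED_OPEN:
        return "oversized-ssrs-open"
    return "ssrs"  # pings and ordinary open requests


def parse_capture(lines):
    """Parse constructed 'src dport hexpayload' lines into Datagrams."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dport, hexpayload = line.split()
        out.append(Datagram(src, int(dport), bytes.fromhex(hexpayload)))
    return out


def summarize(datagrams):
    """Count verdicts overall and worm-shaped packets per source host."""
    verdicts = Counter(classify(d) for d in datagrams)
    per_source = Counter(d.src for d in datagrams if classify(d) == "slammer")
    return verdicts, per_source


def worm_shaped_payload() -> bytes:
    """Constructed stand-in with the worm's size and leading bytes only;
    the body is zero-filled, it is not the worm's code."""
    head = bytes([SSRS_OPEN]) + b"\x01" * 97
    return head + bytes(WORM_PAYLOAD_LEN - len(head))


# Constructed sample capture: two worm-shaped packets from one host, a normal
# SSRS ping, an ordinary open request, an oversized open request that is not
# the worm, and an unrelated DNS datagram.
SAMPLE_CAPTURE = [
    "# src dport payload(hex)  -- constructed sample, not a real capture",
    "10.0.0.5 1434 " + worm_shaped_payload().hex(),
    "10.0.0.5 1434 " + worm_shaped_payload().hex(),
    "10.0.0.9 1434 " + bytes([SSRS_PING]).hex(),
    "10.0.0.9 1434 " + (bytes([SSRS_OPEN]) + b"MYINSTANCE").hex(),
    "10.0.0.7 1434 " + (bytes([SSRS_OPEN]) + b"A" * 200).hex(),
    "10.0.0.7 53 " + bytes(32).hex(),
]

if __name__ == "__main__":
    verdicts, per_source = summarize(parse_capture(SAMPLE_CAPTURE))
    print("verdicts:", dict(verdicts))
    print("worm-shaped packets per source:", dict(per_source))
```

The per-source count is the useful output on a real capture: a handful of hosts each sending thousands of identical 376-byte datagrams per second is the signature of the bandwidth problem the article describes, and those are the machines to pull off the network first. Note that a size match alone is a weak signal; the classification also requires the 0x04 opcode on port 1434.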

Another problem with this worm is that it also affects Microsoft SQL Server Desktop Engine (MSDE) 2000, which ships inside a lot of products, some from Microsoft and many others from third parties. These products include Visual Studio .NET (Architect, Developer, and Professional Editions), ASP.NET Web Matrix Tool, Microsoft Office XP Developer Edition, Microsoft Developer Network (MSDN) Universal and Enterprise subscriptions, and Microsoft Access. But those products represent just the tip of the iceberg. To see the huge list of products that use MSDE, many of which are probably installed on your systems without your knowing it, visit the SQL Security Web site. The list is updated as those who maintain the list become aware of more products that use MSDE.

A Microsoft Web page offers information about the Slammer/Sapphire worm, including patch information. As always, be sure to read the fine print associated with patches and related articles before you load any patches. Also, consider loading the recently released SQL Server 2000 Service Pack 3 (SP3), which includes the fix. And if you want a tool that will scan your SQL Server systems to determine whether they're vulnerable, you can download such a tool courtesy of eEye Digital Security.

To help prevent such attacks from being successful, administrators must patch systems as quickly as possible. They need to maintain firewalls in a default-deny configuration, in which all traffic is blocked until it's explicitly authorized; in this case, that means UDP port 1434 should never have been reachable from the Internet, and it's worth blocking between internal network segments as well. Also, they must conduct any remote administration that requires opening nonessential ports through a VPN and some kind of remote terminal software. When all the hype around this new worm has finally fizzled out, I hope that businesses will have learned how important it is to take defensive actions sooner rather than later.
