Recent worm shows worth of security

January 30, 2003 | By Mike Himowitz

WHEN I turned on my computer to write this column last night, a little cartoon box appeared at the bottom of my screen. It told me a Windows update was available and asked if I wanted to download it.

I've seen these boxes so often that I stopped counting them long ago. This time, when I clicked on the update icon, my computer informed me that two patches awaited. Windows Security Update 810833 would repair a flaw that could allow an attacker to gain control over my PC if I were using it as a server. Security Update 329170 would protect against a flaw that could help internal hackers take control of my corporate network.

Now in my experience, installing any Windows update is a bit like sweating through a landing in an airplane. There's always a small but not entirely remote chance of a crash, enough to make me wonder, "Is this flight really necessary?"

I don't run a server, and my "corporate" network consists of two computers in my office and one in the next room. So I considered ignoring this update. But then I thought better of it, considering the subject of this column: the Slammer worm that tied corporate networks in knots over the weekend and slowed the Internet to a crawl.

Also known as Sapphire, Helkern and w32.SQLexp (different security companies use their own names), this tiny, 376-byte gremlin slipped into computers running Microsoft SQL Server 2000, which manages large corporate databases.

SQL Server is a popular program that runs on about a million computers worldwide. It works by "listening" for requests that come over the network and responding to them.

For example, a corporate manager might use a program that asks SQL Server for a list of all Widget deliveries in May. If you browse through a catalog on the Web and order merchandise, there's a chance that SQL Server handles the flow of information in the background.

Unfortunately, a flaw in SQL Server's network "ear" allows a hacker to turn a request for information into a nasty executable program. That's what Slammer's creators exploited.

Unlike many other worms and viruses that have bedeviled the Internet, Slammer didn't delete files, wreck databases or steal information. It had only one mission: find other computers running SQL Server and infect them as quickly as possible.

Early in the morning of Saturday, Jan. 25, Slammer began flooding corporate networks and Internet pipelines with data packets, slowing servers and Web traffic to a crawl. Customers at Bank of America were shut out of automated teller machines. American Express customers couldn't check their accounts online, while Countrywide Financial Services, the country's biggest residential mortgage provider, found its Web operations paralyzed for two days. A handful of 911 emergency services were forced to revert to manual dispatching.

Even the gloomiest doomsayers of the computer security business were surprised at how quickly Slammer spread and how many businesses were affected. Before Slammer was brought under control two days later, 120,000 systems had been infected. Luckily, it was easy enough to remove once detected. It did not try to store or hide itself, so it could be deleted by shutting down and restarting SQL Server - assuming that an infected computer could be shut off from other servers that were trying to infect it.

Ordinarily, it would be easy to blame Microsoft for the problem, because its software allowed the hack. In fact, the assault may have been timed for the first anniversary of chairman Bill Gates' "Trustworthy Computing" initiative. That was a promise that Microsoft would make fixing and preventing security flaws its first priority.

But Microsoft was on top of this one. The company maintains an excellent technical Web site that includes security bulletins and software fixes. In fact, it discovered and posted a programming "patch" to eliminate the SQL Server flaw six months ago. All customers had to do was download and install it.

But unlike my version of Windows XP, SQL Server doesn't automatically log on to Microsoft's Web site for updates. It's designed for experienced administrators who are paid to look out for their systems.

The problem is that too many of them don't check for updates on a regular basis. And even if they do check, they've learned to be gun-shy of patches that often have their own bugs and create more problems than they solve. So they wait a while to see if others have problems or to see if Microsoft delivers a "patched" patch. It's a gamble that usually works. This time it didn't.

This doesn't mean that Microsoft is completely off the hook. Slammer infected many of Microsoft's servers because its own administrators never bothered to install the patch.

And it turned out that SQL Server's underlying database engine is included in many Microsoft software development kits, as well as the latest version of Microsoft Office XP. So there were more than a few desktop users who had no idea they were running vulnerable computers.

The forensic pathologists of the Internet will be dissecting the Slammer debacle for a long time. The FBI and other investigators are trying to track down the culprit - now believed to be somewhere in Asia - but it's unlikely they'll ever arrest the perp. And unfortunately, there's nothing much you and I can do to prevent these attacks.

But you can protect your own machine, which was what I finally decided to do last night when the Windows update icon lit up with Security Updates 329170 and 810833.

I clicked the download button, watched my cable modem flash for a few seconds, then listened to my hard disk whir for three or four minutes until Windows told me it was ready to crank up again. I restarted the computer and held my breath. Windows started up without a hitch.

"Cheated death again," I mumbled.

Baltimore Sun Articles