Slammer Attack Wanes But Debate Heats Up
After tying up email and online business for nearly three days, the attack of the Slammer worm seems to be over.
"It's over now. I really hope so," says Mikko Hypponen, manager of anti-virus research in F-Secure's Helsinki, Finland office. "The worst didn't happen on Monday. I was a little bit worried about it. The peak in the U.S. was much, much smaller than it was on Monday in Europe. It was surprisingly worse in Europe."
Security analysts from around the globe had worried that the opening of the business week yesterday would bring on a new wave of the worm that had slowed or halted Internet traffic throughout Asia, Europe and North America over the weekend.
The Slammer worm, which takes advantage of a known vulnerability in Microsoft Corp.'s SQL 2000 Web servers, disrupted business, Web browsing, ATM banking and even some telephone service.
The worm, which still garnered F-Secure's second-highest security alert, spiked Internet traffic when business started in Europe yesterday and then again when business commenced in the United States.
While Slammer doesn't damage the infected machine or delete or change files, it generates massive amounts of network packets, overloading servers and routers, slowing down network traffic -- sometimes bringing it to a complete stop under the weight of the attack.
Security analysts say they are not expecting any further spikes caused by the Slammer worm. Various governments, which reportedly include the U.S. and South Korea, are now tracking down whoever released the worm into the wild. Initial investigations are pointing to the worm originating in China.
The Blame Game
And now that the Slammer, also known as Sapphire, is under control, analysts and corporate IT managers are laying blame and trying to figure out how the worm could cause such global disruption.
Slammer's rampage was completely dependent on a known vulnerability going unpatched. Microsoft released a patch for the problem last summer, but obviously many network administrators did not install it, leaving an opening for the attack to spread far and fast around the world.
Analysts also point out that many home users are running SQL on their machines and don't even realize it. The software often comes bundled in third-party software packages, including games. If users don't know it's there, they're obviously not going to install needed patches for it.
But the bulk of the problem came from unpatched corporate networks, and today the talk is about who is at fault. Were network administrators negligent, or were they too overworked and understaffed to manage the situation properly? Are administrators not properly trained to distinguish serious flaws from among the thousands of vulnerabilities that are discovered every year? Is Microsoft to blame for releasing a patch too complicated to install efficiently?
Security analysts say the answer lies in a combination of all of the above.
"Administrators are inundated with vulnerabilities and patches," says Dan Woolley, a vice president at Reston, Va.-based SilentRunner, Inc., a network security company. "There are so many patches coming out on any given system...you have to prioritize them. You can't install them all. How do you know what you're supposed to do?"
And Woolley says the recent spate of layoffs and budget cuts is only adding to the problem.
"If you don't have as many people on staff, you have an increased number of threats, and there are more and more patches coming out, you're in a box," adds Woolley. "You put that all together and you have a very, very dangerous environment. It all adds up to catch yah."
A study of 200 business PC users, conducted yesterday by Sophos Anti-Virus, shows that system administrators blame each other for the spread of the Internet worm.
The poll shows that 64% say that system administrators who failed to install the latest security patches are the most at fault. Another 24% blame Microsoft for shipping buggy software.
F-Secure's Hypponen says Microsoft should share the blame with administrators.
"Yes, Microsoft did do the responsible thing back in July when it announced the hole and made the patch available," he says. "The initial reaction is that it's all about lazy administrators. But it's not that simple to install Microsoft's patch. It's one of the most difficult patches to install. Many administrators probably tried installing it and gave up or didn't install it right."
Hypponen notes that this past Sunday, Microsoft shipped a new version of the patch -- a more simple version -- because of complaints from the admin community.
But MJ Shoer, president of Jenaly Technology Group, Inc., a Portsmouth, N.H.-based outsourced IT firm, says the problem lies with the overwhelming number of vulnerabilities and corresponding patches that are continually flooding the industry.
"It's the age-old battle," says Shoer, who notes that deciding which patches to install is like an educated crap shoot. "Patches come out so frequently, it's like the boy who cried wolf... If you installed them all, it would consume the day. You have to evaluate the patches that come out and see what makes sense to apply right away and what makes sense to keep an eye on."