As the worm squirms: Slammer still runs amok

Summary: More than four years after Slammer started exploiting holes in Microsoft's SQL Server and Desktop Engine database products, the worm continues to squirm in machines that serve as permanent carriers and may never be disinfected.

TOPICS: Tech Industry

More than four years after Slammer started exploiting holes in Microsoft's SQL Server and Desktop Engine database products, the worm continues to squirm in machines that some believe will never be disinfected.

Over the past two days, SQL Slammer was listed as the number one threat on Arbor Networks' new ATLAS (Active Threat Level Analysis System), accounting for a whopping 25 percent of all malicious Internet activity detected by Arbor's sensors. The bulk of the Slammer attacks are coming from infected hosts in China.

Although the worm isn't dramatically impacting network availability the way it did on that January morning in 2003 when it spread like wildfire around the world, the fact that Slammer is still slithering confirms that some boxes will never be dewormed.

Microsoft released a patch for the flaw in July 2002 and provided disinfection tools immediately after the attack, but, for a myriad of reasons, there are still infected boxes out there scanning aggressively for vulnerable hosts.
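As an added example (not code from the article, from Microsoft or from Arbor), here is how a defender can inventory SQL Server 2000 and MSDE instances and flag builds that predate the fix. It uses the SQL Server Resolution Protocol on UDP/1434, the same port Slammer targets: a one-byte 0x02 request makes every instance on a host answer with a 0x05 byte, a two-byte little-endian length and a ';'-separated property list. The response below is constructed so the script runs offline; the probe function needs network access. The build threshold 8.00.760 (SQL Server 2000 SP3) is an assumption used as the patched baseline; earlier builds with the MS02-039 hotfix applied have to be checked against your own patch records.

```python
"""Find SQL Server 2000 / MSDE instances and flag pre-SP3 builds.

Added example, not from the ZDNet article. It speaks the SQL Server
Resolution Protocol (SSRP, UDP/1434): a one-byte 0x02 request makes
every instance on the host answer with 0x05, a 2-byte little-endian
length, and a ';'-separated list of instance properties. The probe
function is real but is not exercised here; the parser runs against a
constructed response so the script works offline.

Assumption: build 8.00.760 (SQL Server 2000 SP3) is taken as the first
build considered patched; earlier builds carrying the MS02-039 hotfix
must be verified against your own patch records.
"""
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple

SSRP_PORT = 1434
CLNT_UCAST_EX = b"\x02"      # "tell me about every instance on this host"
SVR_RESP = 0x05
SP3_BUILD = (8, 0, 760)      # assumption: baseline build treated as patched


@dataclass
class Instance:
    host: str
    name: str
    version: str
    tcp_port: Optional[str]

    def build(self) -> Tuple[int, ...]:
        return tuple(int(p) for p in self.version.split("."))

    def is_pre_sp3(self) -> bool:
        b = self.build()
        return b[0] == 8 and b < SP3_BUILD


def parse_ssrp_response(host: str, data: bytes) -> List[Instance]:
    """Parse an SVR_RESP datagram into Instance records."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP server response")
    length = int.from_bytes(data[1:3], "little")
    body = data[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for chunk in body.split(";;"):          # each instance ends with ";;"
        if not chunk:
            continue
        fields = chunk.split(";")
        props = dict(zip(fields[0::2], fields[1::2]))
        instances.append(Instance(host,
                                  props.get("InstanceName", "?"),
                                  props.get("Version", "0.0.0"),
                                  props.get("tcp")))
    return instances


def probe(host: str, timeout: float = 2.0) -> List[Instance]:
    """Send CLNT_UCAST_EX and parse whatever answers (network required)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
        data, _ = s.recvfrom(65535)
    return parse_ssrp_response(host, data)


def unpatched(instances: List[Instance]) -> List[Instance]:
    return [i for i in instances if i.is_pre_sp3()]


# Constructed response: two instances on one host, the second one an
# RTM-level MSDE (8.00.194) bundled with some application.
SAMPLE_BODY = (b"ServerName;APP01;InstanceName;MSSQLSERVER;IsClustered;No;"
               b"Version;8.00.760;tcp;1433;;"
               b"ServerName;APP01;InstanceName;INVENTORYAPP;IsClustered;No;"
               b"Version;8.00.194;tcp;1089;;")
SAMPLE_RESPONSE = (bytes([SVR_RESP])
                   + len(SAMPLE_BODY).to_bytes(2, "little")
                   + SAMPLE_BODY)

if __name__ == "__main__":
    for inst in unpatched(parse_ssrp_response("192.0.2.10", SAMPLE_RESPONSE)):
        print(f"{inst.host} {inst.name} build {inst.version}: "
              f"pre-SP3, verify MS02-039")
```

Run probe(host) against every host in your ranges rather than trusting the application vendor's word: MSDE often arrives silently inside a third-party product, and its owner may not know a database engine is listening at all.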

In fact, according to sources in the anti-malware community, a high-profile Web company brought up a SQL Slammer host by accident a few weeks ago, setting off all kinds of alarm bells. "They took it down pretty quickly, but you get the idea: everyone is vulnerable," said a source.

According to statistics from Arbor Networks, more than 1,300 unique SQL Slammer hosts are contacting its sensors. This is just a small fraction of the infected hosts, and it signals just how nearly impossible it is to completely kill a virulent network worm.
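How a "unique hosts" number like that is produced, as an added example that is neither Arbor's code nor part of the article: a minimal Slammer signature run over constructed passive-sensor log lines, reporting probes seen and distinct sources separately. The signature is the one the public analyses of the worm describe, a single UDP datagram to port 1434 carrying a 376-byte payload whose first byte is 0x04 followed by a run of 0x01 bytes. The log line format and all addresses are invented for the example.

```python
"""Count Slammer probes the way a passive sensor sees them.

Added example, not part of the ZDNet article and not Arbor's ATLAS
code. It runs a minimal Slammer signature over constructed sensor log
lines and reports per-probe and per-source counts separately, which is
the distinction behind a "unique infected hosts" figure.

Signature (from the public analyses of the worm): one UDP datagram to
port 1434 with a 376-byte payload whose first byte is 0x04 followed by
a run of 0x01 bytes. The log format below is invented for the example.
"""
import re
from collections import Counter

SLAMMER_PAYLOAD_LEN = 376
SLAMMER_PREFIX = bytes.fromhex("0401010101")   # 0x04 then the 0x01 padding run

# Invented sensor format: "<ts> <src>:<sport> -> <dst>:<dport> <proto> len=<n> [head=<hex>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>udp|tcp) len=(?P<len>\d+)(?: head=(?P<head>[0-9a-f]+))?$")


def parse_line(line):
    """Return a dict for one sensor record, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["len"] = int(rec["len"])
    rec["dport"] = int(rec["dport"])
    rec["head"] = bytes.fromhex(rec["head"]) if rec["head"] else b""
    return rec


def is_slammer(rec):
    """Slammer: UDP to 1434, 376-byte payload, 0x04 then 0x01 padding."""
    return (rec["proto"] == "udp" and rec["dport"] == 1434
            and rec["len"] == SLAMMER_PAYLOAD_LEN
            and rec["head"].startswith(SLAMMER_PREFIX))


def summarize(lines):
    """Return (probe_count, unique_sources, probes_per_source) for Slammer hits."""
    per_source = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_slammer(rec):
            per_source[rec["src"]] += 1
    return sum(per_source.values()), len(per_source), per_source


# Constructed log: one infected host re-probing the sensor's /24 (including
# the same address twice), one single probe from a second host, a legitimate
# 1-byte SQL Browser query, and a TCP/135 SYN that is not Slammer at all.
SAMPLE_LOG = """\
2007-01-25T03:14:07Z 203.0.113.7:1090 -> 198.51.100.1:1434 udp len=376 head=0401010101
2007-01-25T03:14:07Z 203.0.113.7:1090 -> 198.51.100.2:1434 udp len=376 head=0401010101
2007-01-25T03:14:08Z 203.0.113.7:1090 -> 198.51.100.3:1434 udp len=376 head=0401010101
2007-01-25T03:14:08Z 203.0.113.7:1090 -> 198.51.100.1:1434 udp len=376 head=0401010101
2007-01-25T03:14:09Z 192.0.2.44:1434 -> 198.51.100.1:1434 udp len=376 head=0401010101
2007-01-25T03:14:09Z 192.0.2.80:3377 -> 198.51.100.1:1434 udp len=1 head=02
2007-01-25T03:14:10Z 192.0.2.91:2048 -> 198.51.100.1:135 tcp len=0
""".splitlines()

if __name__ == "__main__":
    probes, sources, per_source = summarize(SAMPLE_LOG)
    print(f"{probes} Slammer probes from {sources} unique sources")
    for src, n in per_source.most_common():
        print(f"  {src}: {n} probes")
```

The split matters when reading threat rankings: a UDP worm fires one probe per packet with no handshake, so per-probe counts inflate its share relative to TCP worms, and a single infected host stuck re-probing a sensor's subnet looks like a surge. The count of distinct sources is the number worth tracking over time.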

It's much of the same with the Blaster worm of the summer of 2003. According to statistics culled from Microsoft's monthly updated MSRT (malicious software removal tool), between 500 and 800 copies of Blaster are removed from Windows machines every day. (Most of the Blaster removals came from pre-SP2 Windows machines).

Arbor's ATLAS also shows a high rate of attacks against the ASN.1 vulnerability that Microsoft patched in February 2004.

  • This is good news

    [i]Over the past two days, [b]SQL Slammer was listed as the number one threat[/b] on Arbor Networks' new ATLAS (Active Threat Level Analysis System), [b]accounting for a whopping 25 percent of all malicious Internet activity[/b] detected by Arbor's censors. The bulk of the Slammer attacks are coming from infected hosts in China.[/i]

    Unless anyone wants to make the case that SQL Slammer has been actively spreading onto new machines, these statistics pretty much confirm what I've believed for a while now: malware is getting hyped, mostly by the media and the ABMers, far beyond what it is actually harming. Go to any anti-virus company's threat center and the top 10 is nothing more than a list of very low-profile, socially engineered mass-mailing worms. While there are obviously still vulnerabilities out there, the bad guys have figured out that socially engineered worms can't be patched and simply changing the title of the email makes it a whole new attack (a fact that you must keep in mind when the likes of Apple maliciously spread FUD about 140,000 Windows viruses).
    • Actually...

      you can thank MSDE for the bulk of continuing Slammer issues. Most companies using SQL Server have patched it. Unfortunately, there are thousands of small applications that use MSDE as a local database and the users aren't even aware of it. Many of these are end-users who wouldn't even make the connection between "SQL Server" and "MSDE" even if they did know.

      Slammer will continue to find unsuspecting homes for some time to come. The blame can be pretty evenly spread between Microsoft for writing SQL Server/MSDE and the developer community for not going back to address the issue. Many developers feel that since MSDE is a third party app in their eyes, they're not responsible for it once it's deployed. I look at it this way...if I'm responsible for any software being installed on a client machine, I'm responsible for the upkeep of that software whether I wrote it or not.
      • MS itself not immune.

        Keep in mind that Microsoft itself fell victim weeks/months after it released patches for Slammer.

        I recall an interesting article by Mary Jo Foley relaying a report from an MS insider that 47 of the company's own internal servers had fallen victim to Blaster...well after the patches were out:
    • Not Quite...

      I'm willing to bet that Arbor's "censors" (lol) are passive. That is, they count probes from infected boxes scanning them. There are several factors then, which would cause Slammer to appear more prevalent than it really is.

      [b]1) Counting per-probe artificially inflates Slammer's numbers.[/b]

      Because Slammer used UDP, it's able to probe several hundred hosts in the same amount of time that Blaster et al. could target one. While Blaster and co. use TCP and needed to conduct several packet exchanges with their victims, Slammer could fire away a single packet and be done -- successful or not.

      [b]2. Weaknesses in Slammer's IP generation make it probe certain hosts repeatedly.[/b]

      In my analysis, I spotlighted this tendency of Slammer to repeatedly probe certain hosts. Sometimes the worm will get "stuck" in a loop where it perpetually probes IPs on the same network. If one of these IPs happened to be one of Arbor's sensors, you'd see a spike in Slammer activity for that sensor which doesn't correlate to the internet at large.

      [b]3. Passive sensor systems don't catch interactive client-side exploits.[/b]

      The most common types of exploits these days (as in, attacks targeting vulnerabilities in software rather than social-engineering users) target browser bugs. For that, you can thank XP SP2 and Windows Server 2003 SP1 -- both of which offer restrictive, default-on firewalls. The endpoints like MSRPC (Blaster) and MSDE (Slammer) don't listen needlessly anymore like they used to. Arbor's sensors, however, don't go browsing the web -- they sit and wait for attacks to come to them, most likely -- and so, attacks based on browser vulnerabilities will be missed completely.

      [b]4. Users, not software, are the most common target.[/b]

      Arbor's sensors also ignore, no doubt, the torrent of mass-spammed e-mail malware that's out there -- the stuff that doesn't exploit any vulnerability in the OS, and just relies on user error to spread.

      Now that we've established why Arbor's numbers [i]probably[/i] inflate an old worm's significance, let's go line-by-line through your post.

      [b]1. Slammer HAS been spreading to new machines.[/b]

      Keep in mind, software that deploys OLD versions of Microsoft Desktop Engine (MSDE) that are vulnerable to Slammer is still out there and sometimes, still supported. Third-party vendors who install MSDE don't take it upon themselves to patch it. If they don't, any machine that installs MSDE-enabled software will get hit with Slammer. It's just that simple.

      [b]2. Malware isn't getting hyped.[/b]

      The reason that the "Top 10" lists on most AV sites are malware that spreads by social engineering is often because that malware reaches the most boxes. Note that "reaching" a box (i.e., an e-mail gateway processing an infected message) is not the same as "infecting" it (i.e., malware ran, but was detected and cleaned up) and many AV companies focus on the number of detections, rather than the number of unique systems with the detection.

      [b]3. Vulnerabilities and malware are weakly correlated.[/b]

      The number of vulnerabilities in an OS has, at best, a weak link to the number of systems running that OS which will be infected with malware. A vulnerability in the OS or an application can create an opportunity for malware to spread, but an OS [i][u]without any vulnerabilities[/u][/i] will not necessarily be an OS [i][u]without any malware victims among its users[/u][/i]. In fact, when an OS is as popular as Windows, it's very [b]unlikely[/b] that this will be the case. Social engineering will, to some extent, always work.

      [b]4. The 140,000 viruses argument isn't FUD -- even if the number is useless.[/b]

      I used Windows for 14 years, before I switched to Mac. I ran Windows XP as a limited user, and even with that painful step, I still had virus/spyware problems just from everyday browsing. Windows, without anti-virus/anti-spyware software will gradually become unusable. On my Mac, on the other hand, anti-spyware/anti-virus software is a bigger problem than all of the diseases it might cure combined. Why? The malware target profile of OS X is near-zero. That's not necessarily a security trait of OS X, but it does illustrate a hidden cost of Windows -- anti-malware solutions.

      Accusing Apple of "maliciously spread[ing]" a number that most of the anti-malware community holds to be accurate would seem to undermine the claim implicit in your screen name. Calling yourself "NonZealot" would lead me to believe that you didn't hold intractable, unreasonable biases in favor of a particular platform, but your posts suggest otherwise. You are as much a PC fanboy, or more, than I am a Mac Zealot, and I would never use Windows again. Not for security, either -- even though I've spent six years in the field.
      • Limited user browsing

        You must have tried very hard to get infected surfing as a limited user. Over the past eight years working with thousands of Windows machines, I've only ever seen one piece of adware that actually worked when the user was logged on as a limited user. This clever piece of crapware installed itself in the user's profile and set itself to start up when the user logged on. Of course, because it stayed in the user's profile, it was easy to clean up.

        Running as a limited user affords an extra amount of protection in Windows since virtually all the malware out there assumes admin privs and dies when it doesn't have it. That will change with Vista though. :(
        • Didn't try hard, but managing a box with an LUA is a challenge...

          I used my limited user account for day-to-day purposes. I did everything with the machine while logged on interactively with this account and there was no central management. I also elevated manually on a few occasions where that was necessary to do something like a software installation. As such, my configuration was something like Vista's Admin Approval mode, but a much larger management challenge.

          As such, it's possible that the prevalence of malware I saw was partly due to other factors. For example, third-party apps like Firefox, Flash, etc. were often a few days out of date, because they invariably refuse to update for an LUA.

          I saw some stuff, though (a handful of cases, not a ton) of malware that would install itself into a limited account. One piece of malware was actually registered as a Firefox extension.

      ...and I thought you didn't exist.

      BTW, it's 114,000 known viruses, not 140,000. If you're going to attempt to knock on Apple, keep your numbers straight.
      • Ditto! At least keep him honest (since you won't make him reasonable...)
  • This line says it all:

    [b]"The bulk of the Slammer attacks are coming from infected hosts in China."[/b]

  • Ahhh! the classics!

    they never get old
    Reverend MacFellow
  • "Zero Day"?

    Shouldn't you change the name of your blog to something like "Plus One Thousand Four Hundred Sixty One Day"?
  • Slammer war story

    Ahhh, yes. SQL Slammer. "The terminator" I like to call it, as in, it "terminated" pretty much any LAN it touched.

    We had a server on-site that was being maintained by a third party as part of a contract. The third party was also assisting us in bringing up a new Cisco network infrastructure. In their infinite wisdom, one of their people opened up the firewall so that he could get to the server from the outside. Instead of just opening up the port he needed, he opened up the whole IP.

    I got a call that our web sites were down on the weekend, which was strange, since we didn't get an alert from our monitoring systems.

    When I got there sure enough, I could not bring up any of our websites, or even connect to the web servers from my office workstation. I went into the server room and sat down at the local consoles. The web servers seemed fine. No errors in the logs. Nothing to indicate anything was wrong. So I traced the network cable back to the switch. I noticed that instead of blinking, the activity light on our Cisco switch was just 'on'.

    After realizing there was some sort of DoS going on, I finally tracked it down to one server. I unplugged the network cable, and watched as the activity lights on everything went almost dead. The worm, on one mid range x86 server, single handedly took down the entire network full of brand new Cisco routers and switches.

    $50,000 Cisco 4000 series switches - *terminated*
    $50,000 Cisco 6509 Router - *terminated*
    All of our websites - *terminated*
    In house monitoring system - *terminated*
    Traffic from every other server on our LAN - *terminated*

    All by a "few" mal-formed UDP packets. ;)

    We think that Norton Symantec is the top floor in a high rise. I see dead of night meetings here.
  • Slammer W.

    I was wondering if this is a very difficult worm to crack? It seems like there would be a way to block the IP addresses coming in from the offending country, sort of a hardware firewall that could be programmed to block any range of known IP addresses from a malicious hacker and other troublemakers. Just an idea to pass along.