Slammer: One year later

Cash machines froze. Airlines and hospitals dusted off paper forms to schedule reservations and track patients. This was the scene on Jan. 25, 2003, shortly after the Slammer worm appeared and quickly began spreading around the world, flooding computer networks with worm-generated traffic and knocking vital database servers offline.

One year after it appeared, the Slammer worm, aka Sapphire, is being remembered this week as a watershed moment in the life of the Internet: the sudden appearance of a new type of malicious code that could spread worldwide in minutes.

Slammer used a known buffer overflow in Microsoft Corp.’s SQL Server database to spread worldwide in approximately 10 minutes, doubling the number of computers it infected every 8.5 seconds, according to a study of the worm’s outbreak published by The Cooperative Association for Internet Data Analysis (CAIDA).

Months later, the impact is still being felt. Enterprises and vendors have changed policies, increased vigilance to Internet threats and worked to foster better security from Microsoft.

Slammer exposed previously unknown interdependencies that were thought to be separate from the Internet, said Alan Paller, director of research at The SANS Institute.

“People realized that all the things that we didn’t think were connected to the Internet actually were,” Paller said. “If your routers are connected to the Internet and they’re full, nothing can flow, so an outage of Internet connections is an outage of the entire Internet infrastructure.”

That was the case at Beth Israel Deaconess Medical Center, where infections on desktop computers in the research wing slowed the entire hospital network, interrupting systems used by doctors and nurses to track patients, according to John Halamka, CIO of Caregroup Health System.

VPN traffic to Beth Israel is now decrypted and inspected for attack code before passing through the hospital’s firewall, he said.

At FleetBank, machines running products that use the MSDE (Microsoft Data Engine) that was vulnerable to Slammer, including antivirus engines, fell to Slammer, said Eric Hacker, security information architect at Fleet.

Those machines took down small parts of Fleet’s network on Jan. 25, although customers were not affected, Hacker said.

At both Fleet and Beth Israel, Slammer forced administrators to toughen software-patching programs, with an emphasis on automated patch deployment and enforcement of security policies for all devices connecting to the network, Halamka and Hacker said.

Slammer didn’t tell organizations anything that wasn’t already known about network security, but it did underscore the need for readiness and the importance of patch-management and intrusion-prevention technology, said Lance Braunstein, senior vice-president and director of technical operations at Morgan Stanley Dean Witter Online.

The aftermath of the Slammer outbreak brought sweeping changes at Microsoft to improve the security of its products, said Jonathan Perera, senior director of Microsoft’s security business unit.

Microsoft increased vulnerability assessments and penetration testing of its products and deployed new automated tools to inspect product code for security holes, Perera said. But Microsoft security experts were not the only ones chastened by their role in the worm’s spread.

Having seen the damage Slammer caused worldwide, David Litchfield, managing director at NGSSoftware, decided to stop publishing sample code that shows how the vulnerabilities he discovered can be exploited, as he did with the SQL Server vulnerability.

Litchfield doubts that the world will be greeted with a reprise of Slammer on Jan. 25, 2004, citing the lack of a vulnerability that compares with the SQL Server buffer overflow that spawned Slammer.

Litchfield and other experts agree, however, that Slammer has taught companies the importance of vigilance. Major worm outbreaks, although impossible to predict, are inevitable.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now