Internet Recovering From Slammer

SQL worm traffic slows after a day of system slowdowns and spotty outages.

Internet performance was returning to normal late Saturday in the wake of one of the fiercest cyber-assaults in recent memory, but security experts said the vast number of vulnerable machines means it will likely be some time before things are truly back to normal. And as IT administrators patched up their remaining unprotected servers, investigators worldwide began the hunt for the source of the damaging attack.

Dubbed the Sapphire Worm, or SQL Slammer (so called because security engineers were called out of bars just after midnight Friday to begin the detection and clean-up work), the malware took advantage of known vulnerabilities to exploit a flaw in Microsoft Corp.s SQL Server 2000.

Slammer hit the Internet hard Friday night and early Saturday morning, slowing Web traffic to a crawl globally as it generated billions of attacks, according to security response experts.

Internet monitoring firm Matrix NetSystems Inc. late Saturday reported that the Slammer attack appeared to be subsiding. During the attack, Web users -- especially in Asia and the northeastern U.S. --experienced delays, "but the underlying Internet was largely unaffected. However, because of high levels of packet loss, applications such as voice-over-IP were affected. E-mail servers also felt the effects of the worm traffic," according to the Austin, Texas companys advisory. The Slammers signature on performance charts was similar to the Goner worm launched in Dec. 2001, Matrix officials said.

Scanning activity attributed to the worm peaked just before 6 a.m. on the East Coast Saturday, when Slammer was sending nearly 8,000 packets per minute at almost 4,000 target IP addresses, according to data gathered by The SANS Institute. The worms travels slowed somewhat over the next several hours, and remained fairly steady at about 4,000 packets per minute later in the day.

Though the attack had slowed, questions remained over how an exploit of a well known vulnerability -- for which patches have long been available -- managed to do so much damage. The answer may lie in the nature of the Microsoft SQL server patch itself.

"SQL patches are indeed more laborious to install than standard Operating System patches and therefore why many SQL machines may have gone unpatched," said Eric Schultze, Director of Research and Development at security firm Shavlik Technologies. "Where operating system patches can be installed either via Windows Update or by downloading and executing one hotfix file, SQL server patches must be installed by hand, one file at a time.

"SQL hotfixes do not include an automated installer routine," said Schultze, himself a former member of Microsofts Trustworthy Computing team and an author of several of the vendors security bulletins. "Instead, customers must download and unzip the hotfix package that contains the individual replacement files. The readme file that comes with the patch instructs the user to locate each SQL server instance on their computer, stop each instance of SQL, find copies of all the files in their SQL instances that match the files that ship in the patch, rename or move the existing files to another name or location, and manually copy the files from the patch into the appropriate directory for each SQL instance. It only takes one forgotten SQL instance or misnamed file to leave a machine vunerable."

Shavlik has posted a free version of their HFNetChkPro scanner to allow administrators to determine if theyve applied the most recent SQL Server 2000 SP2 patch.

Meanwhile, investigators at the epicenter of the attack in South Korea said they had traced the origin of the worm beyond that countrys borders. The Chosun Ilbo newspaper reported Saturday evening that officials of the Korean federal cyber-terror emergency center were certain that despite the concentration of infection in South Korea, the attack had come from outside their country. Korean officials were asking investigators in other countries to cooperate in their probe.

Korea was especially hard hit by Slammer, which brought down key ISPs including KT-Hanaro and Durunet, Chosun Ilbo reported. At the height of the attack, most of the Asian nations Internet communications had ground to a halt, as had public service communications systems, electronic banking, and even cell phone service from SK Telecom, according to the reports.

At home, the FBIs NIPC Watch and Warning Unit is investigating and is seeking information on the worm through its website.

That flaw exploited by Slammer, first discovered in July 2002, exists because of the way SQL handles data sent to its monitor port, according to Marc Maiffret, chief hacking officer for eEye Digital Security in Aliso Viejo, Calif.

Once a vulnerable computer is compromised, the worm will infect that target, randomly select a new target, and resend the exploit and propagation code to that host, said Chris Rouland director of the X-Force response team at Internet Security Systems Inc., in Atlanta.

"Although the Slammer worm is not destructive to the infected host, it does generate a damaging level of network traffic when it scans for additional targets," an X-Force alert reads. "A large amount of network traffic is created by the worm. Billions of attacks have been detected in the last 12 hours from various industry sources."

ISS received reports that several major national ISPs were either experiencing severe latency or were completely unreachable during the height of the attack, ISS Rouland said. Overnight, five of the Internets 13 root DNS servers were down and two others had latencies of more than 10 seconds, he added.

The Slammer worm doesnt scan local subnet addresses like the Nimda worm, ISS officials said. It simply seeks to replicate itself and does not try to further compromise servers or retain access to compromised hosts. The Slammer worm also does not infect or modify files, as it only exists in memory.

"It should be noted that this worm is not the same as an earlier SQL worm that used the SA/nopassword SQL vulnerability as its spread vector," eEyes Maiffret wrote in a posting on the NTBugtraq mailing list. "This new worm is more devastating as it is taking advantage of a software-specific flaw rather than a configuration error. We have already had many reports of smaller networks brought down due to the flood of data from the Sapphire Worm trying to re-infect new systems."

Experts are recommending administrators immediately firewall SQL service ports at all of their gateways. The worm uses only UDP port 1434 (SQL Monitor Port) to spread itself to a new systems. Since Slammer takes advantage of a known vulnerability, administrators are also urged to apply current patches available at or contained within SQL 2000 services packs at