Group Estimates Microsoft Slammer Worm Damage at $1 Billion
Posted on 01/30/2003 11:29:38 PM PST by HAL9000
1/30/2003 -- A U.K.-based security firm is estimating that economic damage from the SQL Slammer worm is already over $1 billion, making it the ninth most damaging malware attack yet in the firm's estimation.
mi2g released the billion-dollar estimate on Thursday, which was an upward revision of a figure the group released earlier in the week. "It has also jumped in ranking from number 13 a few days ago to number 9 in terms of the worst malware attacks recorded by the mi2g Intelligence Unit," an mi2g spokeswoman said in a statement.
The worm exploits a vulnerability in SQL Server 2000 and MSDE 2000 that was patched by Microsoft six months ago. It flooded the Internet with traffic starting early Saturday morning. Tens of thousands of hosts were infected. Although many servers were patched over the weekend, the problem resurfaced as users booted up desktop systems to start the work week.
The MSDE is installed in many desktop applications, including some versions of Office XP, Visual Studio, Visio, Visual FoxPro and many non-Microsoft products.
The memory-resident worm, also known as Sapphire and SQL Hell, caused denial of service conditions on some machines, while slowing the Internet generally, especially in the United States and South Korea. The worm did not carry a destructive payload.
The worm took advantage of vulnerabilities in the SQL Server Resolution Service, fixed on July 24, 2002, in a patch distributed with Microsoft Security Bulletin MS02-039. Microsoft's security team recommended that users update their systems with Microsoft Security Bulletin MS02-061, released in October, because the more recent patch is a cumulative patch that includes the fixes in MS02-039 and other critical fixes. SQL Server 2000 Service Pack 3, released Jan. 17, protects systems from the flaw exploited by the worm.
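The article above describes the worm's observable behaviour from a network operator's side: infected hosts hammer the SQL Server Resolution Service on other machines so fast that they "flooded the Internet with traffic". The following is an added illustration for this thread, not code from any of the quoted articles or from Microsoft, of the kind of flow-based check a defender could run to spot that fan-out pattern. It assumes (a fact not stated in the articles) that the SQL Server Resolution Service listens on UDP port 1434, uses constructed sample flow records, and treats its thresholds as arbitrary starting points rather than tuned values.

```python
"""Flag hosts whose outbound traffic looks like Slammer-style scanning.

Added illustration for this thread; not code from the quoted articles or
from Microsoft. Assumptions (labelled): the SQL Server Resolution Service
listens on UDP port 1434; the flow records below are constructed; the
window and fan-out thresholds are arbitrary starting points.
"""
from collections import defaultdict

# Assumed port of the SQL Server Resolution Service (not stated in the articles).
SQL_RESOLUTION_PORT = 1434

# Constructed sample flow records: (timestamp_s, src_ip, dst_ip, proto, dst_port, bytes).
# 10.0.0.5 sprays UDP datagrams at port 1434 across six different hosts in a
# quarter of a second, which is the scanning signature the articles describe.
# 10.0.0.9 is a legitimate client doing one discovery query to its own server
# and then talking SQL over TCP; 10.0.0.12 is unrelated web traffic.
SAMPLE_FLOWS = [
    (0.00, "10.0.0.5", "192.0.2.1", "udp", 1434, 404),
    (0.05, "10.0.0.5", "192.0.2.2", "udp", 1434, 404),
    (0.10, "10.0.0.5", "198.51.100.7", "udp", 1434, 404),
    (0.15, "10.0.0.5", "198.51.100.8", "udp", 1434, 404),
    (0.20, "10.0.0.5", "203.0.113.3", "udp", 1434, 404),
    (0.25, "10.0.0.5", "203.0.113.4", "udp", 1434, 404),
    (2.50, "10.0.0.5", "192.0.2.1", "udp", 1434, 404),   # outside the first window
    (0.00, "10.0.0.9", "10.0.0.20", "udp", 1434, 60),
    (0.50, "10.0.0.9", "10.0.0.20", "tcp", 1433, 1500),
    (0.00, "10.0.0.12", "203.0.113.9", "tcp", 443, 800),
]

WINDOW_S = 1.0          # sliding window length in seconds (assumed)
MIN_DISTINCT_DSTS = 5   # distinct destinations in one window before we alert (assumed)


def flag_scanners(flows, window_s=WINDOW_S, min_distinct_dsts=MIN_DISTINCT_DSTS,
                  port=SQL_RESOLUTION_PORT):
    """Return {src_ip: peak distinct destinations in any window} for sources
    whose UDP traffic to `port` fans out to at least `min_distinct_dsts`
    different hosts inside a `window_s`-second window.

    Fan-out across destinations, rather than raw packet count, is what
    separates a scanning worm from a busy but legitimate client that keeps
    talking to the same server.
    """
    per_src = defaultdict(list)  # src_ip -> [(timestamp, dst_ip), ...]
    for ts, src, dst, proto, dport, _size in flows:
        if proto == "udp" and dport == port:
            per_src[src].append((ts, dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()  # order by timestamp so the sliding window is valid
        best, lo = 0, 0
        for hi in range(len(events)):
            # advance the window start until it spans at most window_s seconds
            while events[hi][0] - events[lo][0] > window_s:
                lo += 1
            distinct = len({dst for _, dst in events[lo:hi + 1]})
            best = max(best, distinct)
        if best >= min_distinct_dsts:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, fanout in sorted(flag_scanners(SAMPLE_FLOWS).items()):
        print(f"{src}: {fanout} distinct UDP/{SQL_RESOLUTION_PORT} destinations "
              f"within {WINDOW_S}s; consider isolating and patching this host")
```

Run against the constructed sample, only 10.0.0.5 is reported. The check keys on fan-out rather than volume on purpose: a single server answering many discovery queries looks busy but never fans out, while an infected host by design touches as many addresses as it can. Because the traffic is UDP, a source address in a single datagram cannot be trusted on its own (the Bloomberg piece further down notes how easy "spoofing" is here); correlating on sustained fan-out from one address, ideally on the host's own uplink, is what makes the attribution to a local machine usable.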
This can't be!
Microsoft has assured us that their TCO is lower than Linux!
Boeing, other companies make Microsoft 'Slammer' fix
By Dina Bass / Bloomberg News
NEW YORK -- Verizon Communications Inc., Boeing Co. and other companies installed a six-month old patch to repair a flaw in Microsoft Corp.'s database software to block a worm that slowed access to some Web sites this weekend.
Microsoft, the world's biggest software maker, said the "Slammer" worm exploits a weakness in its SQL Server 2000 and MSDE 2000 programs to replicate and flood networks with requests for data. A fix has been available since July, and Microsoft put an easier-to-install version on its Web site Saturday.
The glitch didn't harm computers, and some of the busiest Web sites including EBay Inc., Amazon.Com Inc. and AOL Time Warner Inc. reported no problems because they installed patches after the similar "Code Red" bug struck machines in July 2001, security experts said. Some companies failed to update patches because of cost and complexity, said Chris Rouland, a research executive at software maker Internet Security Systems Inc.
"Chief information officers are faced with a deluge of patches, and it becomes an issue of prioritization, and it's very expensive," Rouland said. A consultant charges about $100 an hour and takes about two hours to fix each server, he said.
There were about 1 billion attacks an hour at the peak this weekend, and about 200,000 to 250,000 machines have been affected by "Slammer," Rouland estimated.
"This is not about a wakeup call," said Simon Perry, vice president of security strategies at Computer Associates International Inc., the world's fifth-largest software maker. "The wakeup call came six months ago" when Microsoft issued the patch. "It's time for people to get out of bed."
Computer worms spread by attacking a system while a virus is spread through the exchange of files. Worms are similar to viruses because they make copies of themselves.
Verizon, the second-largest U.S. provider of fast Web access over telephone lines, had some internal systems slow, spokesman Mark Marchand said. Verizon's phone system was unaffected, and the company made the fix this weekend, he said.
Bank of America Corp. customers were unable to withdraw money from its 13,000 cash machines for a few hours Saturday because of problems related to the worm. Bank One Corp. clients couldn't view credit card account summaries on the Web for "several hours" on Saturday and it was fixed by noon that day, said spokesman Tom Kelly. He said Bank One had no problems with its ATM network.
Boeing shut 2,000 server computers over the weekend to contain the worm, said Bob Jorgensen, a Boeing spokesman. The company had been in the process of testing the patch to make sure it was compatible with Boeing systems and had planned to install it soon. The worm didn't cause production delays or delivery problems, and all computers are running, Jorgensen said.
Ford Motor Co., one of Microsoft's biggest customers, "saw signs of the worm activity," said Ford spokeswoman Christina Camilli. "But nothing major and it didn't disrupt production or critical applications."
There is no evidence that terrorists launched the worm, though it appears a person or a group deliberately targeted companies that failed to install the patch, security experts said.
"It was definitely not by accident," said Vincent Gullotto, a senior research director for security-software maker Network Associates Inc.'s Antivirus Response Team.
The Federal Bureau of Investigation is monitoring the worm and trying to identify the cause, White House spokeswoman Tiffany Olson said this weekend. The type of worm had been detected as early as May 2002 and "the onus has been on the ISPs and company systems administrators to take preventative action to keep this from happening," Olson said.
Microsoft's SQL Server, which competes with Oracle Corp.'s 9i program and International Business Machines Corp.'s DB2 software, is the most popular database for machines that run the Windows operating system, according to research firm Gartner Inc.
Microsoft is calling customers to make sure they have installed the patch, spokesman Rick Miller said. "As people were waking up, there was some concern there would be another hard hit as people came back on line. That doesn't seem to have manifested itself."
Frequent security flaws are crimping Microsoft's ability to sell more programs for running the busiest corporate networks and Web sites, analysts and customers have said. Companies who lack the time and money to apply security updates as they are released should avoid Microsoft products, Gartner has said.
Chairman Bill Gates last year ordered employees to make security their top focus in product development after bugs like Code Red and Nimda cost customers millions of dollars in 2001.
Shares of Redmond, Washington-based Microsoft fell 68 cents to $49.17 as of 4 p.m. New York time in Nasdaq Stock Market trading, the lowest closing price since Oct. 11.
Microsoft also is working to improve patches and tools for helping customers apply the fixes, Miller said. Many customers don't download patches because there are too many and most require restarting computers. Still, customers must be more careful to download important updates, he said.
"In both this case and the cases of Nimda and Code Red, it wasn't like there was a 24-hour period where people had to deploy the patch before something hit," Miller said. "These have been out for months."
Companies in South Korea had widespread slowdowns and the worm was still active Monday because they were slower than companies in the U.S. to install patches, said Steve Chang, chief executive of computer-security software maker Trend Micro Inc.
"U.S. companies are extremely sensitive, so the service providers are providing better security," Chang said. Korean companies may have focused on satisfying demand for service at the expense of protecting their systems, he said.
Security experts said it is unlikely investigators will identify the source of the worm.
"They're probably not going to know who did it unless somebody starts bragging about it, which is possible," said Marc Maiffret, co-founder of eEye Digital Security.
The culprit used a format that makes "spoofing" easy, which means the attack could have been designed to appear as if it came anywhere the creator wanted, he said.
This figure really doesn't seem the least bit credible.
Tuesday, January 28, 2003
Internet worm infects state's big businesses
By PAUL NYHAN
SEATTLE POST-INTELLIGENCER REPORTER
The latest Internet worm struck Washington state's leading businesses, disrupting thousands of Washington Mutual Inc. automated teller machines, infecting The Boeing Co. and even invading Microsoft Corp.'s own operations.
Around Seattle, the worm created some of the greatest problems and consumer headaches yesterday at Washington Mutual, where customers were unable to pay certain bills online, transfer funds over the telephone or even withdraw cash from bank machines.
Even Microsoft, which created the infiltrated software and a subsequent patch to thwart the virus, found itself under attack, as the so-called Slammer worm burrowed into some of its servers.
Consumers likely felt the greatest pinch at financial institutions. Nationwide, up to 2,000 Washington Mutual ATMs were affected at any one time, bank spokeswoman Libby Hutchinson said yesterday.
On Queen Anne Hill, one ATM screen stated: "Sorry, I'm out of commission right now."
The savings and loan said it hoped to have its services fully operational this morning, adding that it concluded the worm didn't violate private customer data. Yesterday, customers were able to visit branches to get cash and perform other banking transactions, Hutchinson said.
"The worm virus was found, isolated and removed," the Seattle-based institution said in a statement yesterday evening, adding the company was "working to have the network to full capacity as quickly as possible."
Washington Mutual was far from alone, as the attack crippled some sensitive corporate and government systems far more seriously than many experts believed possible. Pillars of the financial community, such as American Express Co. and Bank of America Corp., also faced problems.
Not all banks suffered, however. KeyBank and Wells Fargo & Co. were among the financial institutions that reported no problems.
In Bellevue, up-to-date computer software usually makes emergency dispatchers quick on response and on reporting incidents on the Eastside, but, as a result of infection by the virus, the communications center personnel had to log information by hand, according to Marcia Harnden, Bellevue police spokeswoman.
The virus attacked the emergency communications system in Bellevue Friday night and continued to slow computer operations until Saturday afternoon. Dispatchers who take emergency calls for Bellevue police and Eastside fire departments are trained to operate without computers in case of a major catastrophe or power outage.
A few miles away on the Microsoft campus in Redmond, some administrators had not applied the company's own security patch, while other servers designed to test security patches were exposed.
"If you have SQL servers that are non-essential, please shut down the MSSQLSERVER service as well as SQL Agent . . . so that we can eliminate nonessential noise/traffic on the network," an internal Microsoft e-mail said Saturday. "Your urgent assistance is required."
Despite the urgency of the message, most Microsoft employees didn't notice the disruption, according to Rick Miller, a Microsoft spokesman.
"We're pretty much up to full speed at this point," Miller said yesterday evening. Though the company had not finished installing the patches, "the effect is significantly minimized," he said.
Across the nation, consumers ran into more obvious problems Saturday and Sunday.
American Express Co. confirmed that customers couldn't reach its Web site to check credit statements and account balances during parts of the weekend.
The attack prevented many customers of Bank of America, one of the largest U.S. banks, and some large Canadian banks from withdrawing money from ATMs Saturday.
Bank of America was largely back to normal by Saturday evening, according to Rich Brown, a bank spokesman in Portland, Ore.
At Countrywide Financial Corp., customers struggled when they tried to use its online site and certain phone services. The mortgage bank expected to completely restore customer access by last night, according to Countrywide spokesman Rick Simon.
Countrywide Financial Corp., Washington Mutual and others were hit by a virus-like attack, alternately dubbed "Slammer" or "Sapphire," that sought vulnerable computers to infect by using a known flaw in popular database software from Microsoft called SQL Server 2000. Microsoft said it has sold 1 million copies of the software.
The global congestion from the Internet attack eased over the weekend and was largely cleared by Monday.
Before the attack passed, the state's largest private employer, Boeing, ran into problems. Saturday morning, Boeing scrambled its computing virus team after detecting the Slammer virus.
The company had major programs running by Saturday afternoon and "the virus didn't really affect much of the company," Boeing spokesman Bob Jorgensen said yesterday.
Critical airplane delivery schedules were not interrupted, Jorgensen added.
Boeing actually began testing a fix for an attack last fall, when Microsoft upgraded a bulletin on the problem from non-critical to critical, according to Jorgensen.
"We then go through a testing to make sure it is going to work effectively with our application," Jorgensen said.
BugTraq, et al., should be mandatory reading for administrators of *any* networked computer. Period.
Slammer Worm - Worst Virus in Over a Year
On Saturday Jan 25th a new computer worm rocketed around the world disrupting hundreds of thousands of systems and slowing Internet traffic to a crawl. The latest virus called the Slammer or Sapphire worm transmitted thousands of packets (large bundled amounts of information) from infected systems, taking advantage of a known software flaw in Microsoft SQL Server.
On Monday, Jan 27th, Bank of America announced that many customers were unable to withdraw money from its 13,000 ATM machines because of technical problems caused by the Slammer worm. Service was fully restored within 48 hours. The nation's largest residential mortgage firm, Countrywide Financial Corp., stated that customers were unable to make payments or check loan information through Tuesday morning. American Express also reported that customers experienced outages as well.
The worm sought out vulnerable computers using Microsoft's SQL Server 2000 software. Like the earlier Code Red worm, which spread in July 2001, the Slammer is a memory-resident worm and does not write to disk storage. Also, like the Code Red, computers can be protected from the worm by installing a patch provided by Microsoft. Microsoft detected the flaw in July 2002 and soon afterward began offering a free patch to protect systems running SQL Server.
In an ironic twist, the New York Times reported that Microsoft admitted that some of the company's machines had gone unpatched and that its MSN Internet service also had significant slowdowns due to the Slammer worm.
FBI and security experts believe the worm originated in China, as many Asian countries were the earliest to report problems and experienced the most severe outages. The attacking software scanned for victim computers so randomly and aggressively that it quickly congested many of the Internet's largest data pipelines, slowing e-mail and web surfing around the globe.
As of Jan 30th, security experts report that the congestion from the Internet attack had almost completely cleared. Now the job of investigating its source is in full swing. However, the attack spread so quickly and used such small packets that it may be impossible for researchers to isolate the actual point of origin.
Even though the Slammer was not designed to infect data, or damage system software, or applications resident on desktops and servers, it did represent a severe denial of service attack that cost millions of dollars to companies heavily dependent on Internet traffic. It also underscored the fact that most companies are still extremely vulnerable to malicious or terrorist attacks via the Internet.
Computer Economics estimates that the damages caused by the Slammer worm worldwide will exceed $750 million.