Slammer: the day a worm turned nasty

Cash machines froze. Airlines and hospitals dusted off paper forms to schedule reservations and track patients. This was the scene on Jan. 25, 2003, shortly after the Slammer worm appeared and quickly began spreading around the world, flooding computer networks with worm-generated traffic and knocking vital database servers offline. One year after it appeared, the Slammer worm, aka Sapphire, is being remembered this week as a watershed moment in the life of the Internet: the sudden appearance of a new type of malicious code that could spread worldwide in minutes. Slammer used a known buffer overflow in Microsoft’s SQL Server database to spread worldwide in approximately 10 minutes, doubling the number of computers it infected every 8.5 seconds, according to a study of the worm's outbreak published by The Cooperative Association for Internet Data Analysis (CAIDA). Months later, the impact is still being felt. Enterprises and vendors have changed policies, increased vigilance to Internet threats, and worked to foster better security from Microsoft. Slammer exposed previously unknown interdependencies that were thought to be separate from the Internet, said Alan Paller, director of research at The SANS Institute. "People realized that all the things that we didn't think were connected to the Internet actually were," Paller said. "If your routers are connected to the Internet and they're full, nothing can flow, so an outage of Internet connections is an outage of the entire Internet infrastructure." That was the case at Beth Israel Deaconess Medical Center, where infections on desktop computers in the research wing slowed the entire hospital network, interrupting systems used by doctors and nurses to track patients, according to John Halamka, CIO of Caregroup Health System. VPN traffic to Beth Israel is now decrypted and inspected for attack code before passing through the hospital's firewall, he said. At FleetBank, machines running products that use the MSDE (Microsoft Data Engine) that was vulnerable to Slammer, including anti-virus engines, fell to Slammer, said Eric Hacker, security information architect at Fleet. Those machines took down small parts of Fleet's network on Jan. 25, although customers were not affected, Hacker said. At both Fleet and Beth Israel, Slammer forced administrators to toughen software-patching programs, with an emphasis on automated patch deployment and enforcement of security policies for all devices connecting to the network, Halamka and Hacker said. Slammer didn't tell organizations anything that wasn't already known about network security, but it did underscore the need for readiness and the importance of patch-management and intrusion-prevention technology, said Lance Braunstein, senior vice president and director of technical operations at Morgan Stanley Dean Witter Online. The aftermath of the Slammer outbreak brought sweeping changes at Microsoft to improve the security of its products, said Jonathan Perera, senior director of Microsoft's security business unit. Microsoft increased vulnerability assessments and penetration testing of its products and deployed new automated tools to inspect product code for security holes, Perera said. But Microsoft security experts were not the only ones chastened by their role in the worm's spread. Having seen the damage Slammer caused worldwide, David Litchfield, managing director at NGSSoftware, decided to stop publishing sample code that shows how the vulnerabilities he discovered can be exploited, as he did with the SQL Server vulnerability. Litchfield doubts that the world will be greeted with a reprise of Slammer on Jan. 25, 2004, citing the lack of a vulnerability that compares with the SQL Server buffer overflow that spawned Slammer. Litchfield and other experts agree, however, that Slammer has taught companies the importance of vigilance. Major worm outbreaks, although impossible to predict, are inevitable.