February 25, 2003

Behind the Scenes of the SQL Slammer Worm Virus

On Friday, January 24, at 9:30 P.M. Pacific time, an Internet attack began causing a dramatic increase in network traffic worldwide. Microsoft identified a worm virus called Sapphire or Slammer, which targets systems running either Microsoft SQL Server 2000 or Microsoft SQL Server Desktop Engine (MSDE). The Slammer virus is similar to a Denial of Service (DoS) attack in that it generates enough network traffic to bring the Internet to a standstill. Slammer doesn't attack SQL Server systems' data. Home users' machines typically aren't affected because their MSDEs aren't exposed to the Internet, but more than a million MSDEs are in production systems that are exposed to the Internet.

The irony of the Slammer crisis is that the vulnerability that Slammer exploited was first corrected almost 7 months earlier by Microsoft Security Bulletin MS02-039 (Buffer Overruns in SQL Server 2000 Resolution Service Could Enable Code Execution) and in the subsequent cumulative Microsoft Security Bulletin MS02-061 (Elevation of Privilege in SQL Server Web Tasks). These fixes were also included in SQL Server 2000 Service Pack 3 (SP3) and MSDE 2000 SP3. What does this tell us? Systems and Web administrators don't apply available security patches. Microsoft Internet Information Services (IIS) 6.0 in Windows Server 2003 will ship completely locked down with automatic patching enabled because administrators don't patch systems for reasons that include ignorance and being "too busy." The heavy traffic on the TechNet SQL Server security sites demonstrates the value of online communities in helping systems administrators respond quickly and effectively to threats.

Slammer was another black eye to the already battered Microsoft security effort. Most industry experts agree that security vulnerabilities on other platforms are high, but Microsoft still receives the brunt of attacks. Microsoft is an irresistible target for the type of person who spends his or her time trying to maliciously exploit security weaknesses and who wants to bring the world's productivity to a screeching halt.

Behind the scenes at Microsoft on January 24, a response team worked to make sure its customers had the information and resources to get secure. When SQL Server and MSDE customers returned to work on Monday, January 27, they were able to receive customer support from Microsoft Product Support Services (PSS) in a short amount of time. Microsoft also swiftly assembled a development team to issue a rerelease of MS02-061 for SQL Server with automatic installation functionality. As of noon on Monday, Microsoft received about 21,000 download requests per hour for SQL Server-related patches, which included 14,000 requests per hour for SQL Server SP3 and 6800 requests per hour for the rerelease of MS02-061. Microsoft provides access to IT professional-focused public newsgroups through the TechNet site (http://www.microsoft.com/technet). The public newsgroups on the TechNet site immediately had helpful information about what was happening with Slammer and how to fix the problem.

I depend on Windows Update to keep my client systems secure. You can get the Windows Update software by selecting Windows Update on the Tools menu in Microsoft Internet Explorer (IE), or you can go directly to the Windows Update site at http://windowsupdate.microsoft.com. Andrew Brust, security expert and founder of Progressive Systems Consulting, said, "Patching is clearly a suboptimal solution for addressing security vulnerabilities, but it's the best way we have of protecting the current installed base of products." So why isn't SQL Server part of Windows Update? And why isn't every Microsoft product part of Windows Update? Here's my bold prediction: The result of Slammer will be that every Microsoft product will become a part of Windows Update within the next 6 months. What are your thoughts about my prediction and the mechanics of how we might help to reduce the security vulnerabilities that continue to bite us? Email me and tell me your thoughts.


Reader Comments
A million MSDE's exposed to the Internet? I wonder how many were "stealth" installs from the thirty or so Microsoft products that install this as part of their setup. Not to mention the hundreds of third-party programs that use MSDE. We use one called POS (seriously!) for authorizing credit card transactions. It installed and enabled MSDE for use as its data store. We have technical people on staff who noticed and remembered that it was there and required patching but I bet the vast majority of apps deployed this way are juicy targets.

Yes, all apps need to at least be analyzed by Windows Update. Even if automatic patching from Update is impractical in the short term, users should at least be warned that there is a problem and referred to the correct site for information.

David Arndt February 26, 2003


I believe if you use HFNETCHK or the MSBA - it will tell you of SQL patches that need applied.

Chad Buser February 26, 2003

