When Will The Next Slammer Strike?

scubacuda writes "Business Week has an article on how the Slammer worm demonstrates just 'how vulnerable the Internet remains': MS's own DBs were affected, telephone/ATM/etc were knocked out, and if the worm had occurred only 48 hours later (preventing investor's trading, 911 calls, banking services), there could have been a 'virtual Net shutdown.' Vincent Weafer, director of the computer-security outfit Symantec's Anti-Virus Response Center (SARC), says that the likelihood that a Slammer-style worm will hit at a more vulnerable moment is high."

Could someone explain...

[zerosignal]

...why ATMs were affected? I've seen this mentioned in a few articles but I didn't think banks would use the Internet to connect ATMs on their systems.

Re:Could someone explain...

ATMs are not connected to the internet, but to the bank's private network, which, yes, runs over TCP/IP. So a computer that got infected and had access to the internal network would be enough to crash those reachable ATMs.

Brett Glass : http://www.brettglass.com

Re:Could someone explain...

[MoTec]

Many ATMs use a phone line to connect to the network to run the transaction so if the phone lines are down so is the ATM. Some use leased lines or other communication technologies but a POTS line does the job and is often cheapest.

Re:Could someone explain...

[DJayC]

It is unclear in the article if they mean ATM as in bank ATM's, or ATM as in asynchronous transfer mode networks. I'm sure the author doesn't even know in which context ATM is used.

Just a thought *shrugs*

Re:Could someone explain...

My assumption was that they were talking about ATM (Asynchronous Transfer Mode). Many ATM networks were significantly hurt by this because routers and switches that utilize SVCs kept building and rebuilding circuits.

The whole point of this problem can be simplified to bad code and bad base installs. I keep hearing people say it's not MS's problem. I work with a wide variety of products in the networking (L2 & L3+ WAN) and systems world. Any one of the vendors that I deal with would lose serious market share if their products were found to be vunerable to something like this and they simply patched it but didn't change the base install to be "secure".

Let's start by taking an example of a comparable product -- postgreSQL. We all know that a recent patch to this product fixed a possible remote exploit. Certainly the bug shouldn't have been there and it was something that should be patched. However, the point is that the postgreSQL base install doesn't even allow remote connections. In fact, the config file tells you that without remote connections allowed, it's still probably an liberal configuration that should be locked down more.

I'll buy that MS has a large market share and that occasionally something will get through the normal protections; however, the base installs should be locked down. Why aren't they? It's a question that is very simple to answer.

MS sold the Internet community a grand story. In this story, running a server is a simple task that anyone can do. For this story to be believed, they have to have the base install do everything out of the box without any special configuration which might require a real administrator, dba, network design specialist, etc. If the products were actually locked down like they should be (like most of the competing products are), MS would have a bigger job in support calls because 80% of the non-administrators that work with MS platforms would be ill-equiped to handle the proper configuration of the server to get it to work.

I have a product that I use on linux that was written with this kind of security in mind. The config file is riddled with lines like: die "you didn't go through your config file!". If you don't completely configure the product, it keeps dying on startup. This is how products should be released--locked down and set to die if the configuration is not explicitly setup by the admin with them being aware of the dangers to each option they set back on.

I also hear a lot of people complaining that people didn't install the patches, I again go to the point of the base install. If the product's base install were locked down, far less databases would have been open even if they were unpatched. Seriously, let's be reasonable, why should an SQL server open ports by default to anything except maybe 127.0.0.1. Many databases now only need one or two subnets open anyway since their database interaction goes on with an application server (often a web server) which serves as the db client for the users anyway and quite a few databases on the lower end systems (where most of the sysadmins who don't know how to lock things down are) reside on the same box as the app services.

Re:Could someone explain...

[JediTrainer]

Yes. ATMs as in bank ATMs. Cash machines.

I don't know about most people, but the outage affected customers of CIBC Bank in Canada, who couldn't withdraw their cash from many machines throughout Ontario (the news said Toronto only, but it affected some of my family and friends in other areas too).

Being a customer of a different bank (TD Canada Trust), I was not affected.

This is nothing yet

[Scarblac]

The scariest thing is actually that this kind of damage is being done by a worm that doesn't actually do anything except spread itself (as far as I know, anyway).

Damage would be much worse if these things started cleaning hard drives after the action (yeah yeah, backups - just like all your databases always have the latest patches, right?)

When Will The Next Slammer Strike?

[ksheka]

When is the next Microsoft product being released?

Two ways of "solving" this problem . . .

[aaronhurd]

In my opinion, there are two ways that people will react to the problem of exploits in computer software:

In the short term, I expect that the most recent attack will provide a huge sales boost to pre-packaged "security solutions" like firewalls, virus protection, etc. and will probably be used as an extra card that the government can play when arguing for implementing a comprehensive Internet monitoring system. Of course, both of these things are unfortunate, as neither one promotes security and the latter gives the government way too much power . . .

Long term, the best protection against exploits in computer software is a shift in attitude about where software companies should place their priorities. At present, it is more lucrative for companies to push a piece of software out the door and sell upgrades than to spend extra time developing secure software. Only a strong fiscal mandate from corporate customers will change the way software companies do business . . . and I hope that mandate comes soon.

Re:Government Funding of Security/Virus Prevention

[damiam]

I think we ought to make virus-protection code public

It is.

who can't afford 50 bucks on a virus scanner or decent firewall software

Then don't pay 50 bucks.

I saw Nimda infections up until the end of last year

Norton and McAfee both provided free available Nimda removal tools. Besides, if you can afford IIS, you can afford a virus scanner.

Analysis of the Slammer/Sapphire worm

[Istealmymusic]

This was posted on BugTraq:

From: "Nicholas Weaver"
Date: Fri, 31 Jan 2003 6:09 PM
To: bugtraq@securityfocus.com
Subject: The Spread of the Sapphire/Slammer SQL Worm
We have completed our preliminary analysis of the spread of the Sapphire/Slammer SQL worm. This worm required roughly 10 minutes to spread worldwide making it by far the fastest worm to date. In the early stages the worm was doubling in size every 8.5 seconds. At its peak, achieved approximately 3 minutes after it was released, Sapphire scanned the net at over 55 million IP addresses per second. It infected at least 75,000 victims and probably considerably more.

This remarkable speed, nearly two orders of magnitude faster than Code Red, was the result of a bandwidth-limited scanner. Since Sapphire didn't need to wait for responses, each copy could scan at the maximum rate that the processor and network bandwidth could support.

There were also two noteworthy bugs in the pseudo-random number generator which complicated our analysis and limited our ability to estimate the total infection but did not slow the spread of the worm.

The full analysis is available at

• http://www.caida.org/analysis/security/sapphire/
• http://www.silicondefense.com/sapphire/
• http://www.cs.berkeley.edu/~nweaver/sapphire/

David Moore, CAIDA & UCSD CSE
Vern Paxson, ICIR & LBNL
Stefan Savage, UCSD CSE
Colleen Shannon, CAIDA
Stuart Staniford, Silicon Defense
Nicholas Weaver, Silicon Defense and UC
Berkeley EECS

A must read for anyone who wants to know about this worm. Its impact was huge--90% infection of all vulnerable hosts in 10 minutes . Even some E911 systems were knocked out. The internet routers at large were saturated with 120ms latency. Twice the speed of Code Red. All this with a simple PRNG scanning algorithm.

Microsoft products aren't for internet use

[bkontr]

MS products are too buggy for the internet. Even when MS comes out with patches sysadmins are extremely reluctant to apply them (even at Microsoft) in fear that the patch will cause more problems (ie BSOD) than it fixes. Remember Microsoft got hit by Slammer hard because it didn't install its own patches. Was Microsoft waiting for customers to beta test thier software before they even tried it themselves??? Plus the MS SQL server is not the only MS product that Slammer can infect......when are people going to hold Microsoft accountable for its lack of security and general poor coding??

Time to hold M$ Accountable.

[BigBlockMopar]

The same MS that didn't apply their *own* patches ?!?

The problem that I have is, even though I don't run any Microsoft software, their incompetence keeps on screwing me around and costing me productivity.

I get hundreds of e-mail virii per day, owning partially to incompetent users, but also partially to incompetent Outlook programmers.

At the height of Code Red, I was getting hundreds of hits per day to my webserver.

That last worm effectively shut down portions of the Internet.

Now, here's the problem. If I'm driving down the road, and a Hyundai's brakes fail and cause it to run a red light and plow into the side of me, it'll piss me off, but it's a quirk, and shit happens.

If, every couple of months, a Hyundai's brakes fail and I get hit, pretty soon, I'll start to get very pissed off, not just with the idiots who drive Hyundais, but also with Hyundai itself.

This has gotten to be utterly ridiculous. We have to find some way of holding Microsoft accountable for their fucking ineptitude.

Worm indicates massive back-end udp exposures?

[pophop]

1. The worm was strictly based on UDP 1434 transfer
I find it very difficult to believe major corporation firewalls would allow UDP 1434 inside from Internet. Some, maybe - but few.
So: I rule our direct penetration from the Internet for most corporate environments.

2. Worm was memory resident only. Reboot cleared it.
Most user PC's would be rendered useless by the worm. CPU and local Network saturation would do that. So I doubt that people got infected and THEN VPN'ed into work. They would reboot, clear the worm, possibly get re-infected - but I doubt
if they would be able to bring an already infected machine into work via VPN.

Note: If split tunneling was allowed then it is quite possible for an already conencted home PC to act as a vector into a company - my guess
is that this is NOT common.
So: I rule out employee remote access as a primary vector.

3. This leaves me with back-end connectivity across private "trusted" comm channels. ( i.e. Frame ) .
I know this was a vector in at least one case - and the circumstances ( misconfigured ACL's that were overly generous in what UDP traffic they
allowed from "trusted" business partners ) is something that I suspect is very common in large organizations.

The speed which this thing moved ( see: http://isc.sans.org/port1434start.gif ) and the actual vectors I saw make me very suspicious that
the large organizations of the world are massively linked by misconfigured routers/firewall that allow way too much UDP traffic flow between
trusted partners - affectively a "fuse" linking the worlds computing infrastructures.

That's it. Wacky and overly-speculative perhaps but I would be interested in getting some anonymous feedback about the successful attack vecors
other people saw in the propagation of the worm - particularly people in large organizations that have large "private" comm networks.

Re:Stealth worm

[chromatic]

Cancelling a meeting decreases your productivity? Whoa.

Re:MS's own DBs were affected

[Bedouin+X]

They (MS) know better than anyone that applying an SQL Server hotfix is a royal pain in the ass. They just modified the initial Slammer vulnerability patch so that it has an installer. Before that you had to stop the server, backup the files, copy the new files manually into their respective directories, and then run a couple of queries in the query analyzer.

This and MS's reputation for having to patch patches (sometime 2 or 3 times) is why people don't jump at the chance to apply one of those damn things. It took this incident for them to make installing a simple SQL Server hotfix less than a 25 minute job.

I also downloaded SP3 4 times and every time I tried to run setup, I got a "setupsql.exe can not be found" error. I STILL don't have SP3 on my SQL server, but it's firewalled anyway so I'm not totally naked.