Slammer: One year later

Cash machines froze. Airlines and hospitals dusted off paper forms to schedule reservations and track patients. This was the scene on Jan. 25, 2003, shortly after the Slammer worm appeared and quickly began spreading around the world, flooding computer networks with worm-generated traffic and knocking vital database servers offline.

One year after it appeared, the Slammer worm, aka Sapphire, is being remembered this week as a watershed moment in the life of the Internet: the sudden appearance of a new type of malicious code that could spread worldwide in minutes.

Slammer used a known buffer overflow in Microsoft Corp.'s SQL Server database to spread worldwide in approximately 10 minutes, doubling the number of computers it infected every 8.5 seconds, according to a study of the worm's outbreak published by The Cooperative Association for Internet Data Analysis (CAIDA). infected every 37 minutes,

Months later, the impact is still being felt. Enterprises and vendors have changed policies, increased vigilance to Internet threats, and worked to foster better security from Microsoft.

Slammer exposed previously unknown interdependencies that were thought to be separate from the Internet, said Alan Paller, director of research at The SANS Institute.

"People realized that all the things that we didn't think were connected to the Internet actually were," Paller said. "If your routers are connected to the Internet and they're full, nothing can flow, so an outage of Internet connections is an outage of the entire Internet infrastructure."

That was the case at Beth Israel Deaconess Medical Center, where infections on desktop computers in the research wing slowed the entire hospital network, interrupting systems used by doctors and nurses to track patients, according to John Halamka, CIO of Caregroup Health System.

VPN traffic to Beth Israel is now decrypted and inspected for attack code before passing through the hospital's firewall, he said.

At FleetBank, machines running products that use the MSDE (Microsoft Data Engine) that was vulnerable to Slammer, including anti-virus engines, fell to Slammer, said Eric Hacker, security information architect at Fleet.

Those machines took down small parts of Fleet's network on Jan. 25, although customers were not affected, Hacker said.

At both Fleet and Beth Israel, Slammer forced administrators to toughen software-patching programs, with an emphasis on automated patch deployment and enforcement of security policies for all devices connecting to the network, Halamka and Hacker said.

Slammer didn't tell organizations anything that wasn't already known about network security, but it did underscore the need for readiness and the importance of patch-management and intrusion-prevention technology, said Lance Braunstein, senior vice president and director of technical operations at Morgan Stanley Dean Witter Online.

The aftermath of the Slammer outbreak brought sweeping changes at Microsoft to improve the security of its products, said Jonathan Perera, senior director of Microsoft's security business unit.

Microsoft increased vulnerability assessments and penetration testing of its products and deployed new automated tools to inspect product code for security holes, Perera said.

But Microsoft security experts were not the only ones chastened by their role in the worm's spread.

Having seen the damage Slammer caused worldwide, David Litchfield, managing director at NGSSoftware, decided to stop publishing sample code that shows how the vulnerabilities he discovered can be exploited, as he did with the SQL Server vulnerability.

Litchfield doubts that the world will be greeted with a reprise of Slammer on Jan. 25, 2004, citing the lack of a vulnerability that compares with the SQL Server buffer overflow that spawned Slammer.

Litchfield and other experts agree, however, that Slammer has taught companies the importance of vigilance. Major worm outbreaks, although impossible to predict, are inevitable.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

More about Cooperative Association for Internet Data AnalysisMicrosoftMorgan StanleyMorgan Stanley Dean WitterSANS InstituteThe SANS InstituteVigilance

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Paul Roberts

Latest Videos

More videos

Blog Posts