Slammer Worm Highlights Need For Up-To-Date Security

The SQL Slammer worm, also called Sapphire, targeted a known flaw in Microsoft SQL Server 2000 and clogged Internet traffic as it scanned for vulnerable systems. The software giant released a patch for the flaw in July.

"It just proves people aren't putting things in place. There's been advisories for some time and they haven't taken notice of them," said Steve Crutchley, chief security officer at 4FrontSecurity, a consulting firm based in Reston, Va.

"It's like playing Russian roulette. They spin the chamber and cross their fingers they won't be hit," he said.

Patrick Mueller, senior security consultant and analyst at Neohapsis, a Chicago-based security consulting firm, said he hopes the SQL worm will encourage companies to take a more proactive approach to security.

"People just aren't motivated to keep their systems patched until something like what just happened," he said.

"It's yet another problem that fits into the category of things we can avoid through good maintenance and configuration practices," said Paul Rohmeyer, COO at Icons, a security consulting firm based in North Brunswick, N.J. "We'll use this as an example to explain to customers why they want to pay attention to good configuration management."

Slammer hit early Saturday morning, infecting thousands of systems and clogging Internet traffic around the world. By Monday morning, the problem appeared to have dissipated and security solution providers said they were handling mop-up situations.

"There were some slowdowns [and] outages but it wasn't catastrophic," Mueller said. Other than the way it aggressively scanned for vulnerable systems, the worm's payload wasn't particularly malicious, he added.

But Mueller noted that the worm affects Microsoft SQL Server 2000 Desktop Engine (MSDE), which is included in other Microsoft applications such as Visio 2000, so it can infect laptops and workstations running those applications.

"There will be continued fallout," he said.

Ed Skoudis, vice president of security strategy at Predictive Systems, a New York-based security services firm, said Slammer is very small--376 bytes--and very fast, which is different from the complex worms of the past year or two.

"This little worm showed that small and fast can really win the race," he said.

Slammer showed the surprising number of SQL servers publicly accessible on the Internet, as well as the inadequacy of current vulnerability management systems, Skoudis said.

Icons' Rohmeyer said there is a market need for a comprehensive tool to assess vulnerabilities and implement patches across multiple platforms.

Meanwhile, security specialists said they expect to see variations of Slammer.

"There's a good chance there may be variants in the future that are more malicious," Mueller said.