Security reminder
The bottom line: More security is needed. While the worm didn't infect as many systems as Code Red or Nimda, the pint-sized program spread across the Internet in less than a minute and saturated some companies' networks so quickly that administrators couldn't respond. The worm comprised just 376 bytes of code, less than is contained in this paragraph.
The worm takes advantage of a flaw in how Microsoft SQL servers handle certain input. By sending a specially crafted data packet over the Internet, the worm can remotely compromise additional systems and spread copies of itself. The worm doesn't create files and doesn't delete data. Rather, it resides in memory and tries to spread as quickly as possible.
It's so successful at rapidly sending data, however, that it overloaded many networks and overwhelmed many types of network hardware, effectively cutting off some companies from the Internet.
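As an added example that is not part of the article, the detector below flags hosts showing the behaviour described above: a memory-resident worm spraying a flood of small UDP datagrams at the SQL Server resolution service as fast as it can. The port number (UDP 1434) comes from the public advisories for this worm rather than from the article; the flow records, record format and rate threshold are constructed assumptions.

```python
from collections import defaultdict

# The worm hit the SQL Server Resolution Service on UDP 1434 with a single
# ~376-byte payload (port taken from public advisories, not from the article).
SQL_RESOLUTION_PORT = 1434
SLAMMER_PAYLOAD_LEN = 376
# Assumed thresholds: a legitimate client never sends this many probes in 1 s.
RATE_THRESHOLD = 50
WINDOW_SECONDS = 1.0


def parse_flow(line):
    """Parse one constructed flow record: 'ts proto src dst dport bytes'."""
    ts, proto, src, dst, dport, nbytes = line.split()
    return float(ts), proto, src, dst, int(dport), int(nbytes)


def suspected_scanners(lines):
    """Return {src: total_packets} for every source that sent at least
    RATE_THRESHOLD small UDP datagrams to port 1434 within any
    WINDOW_SECONDS sliding window. Other traffic is ignored."""
    per_src = defaultdict(list)
    for line in lines:
        ts, proto, src, _dst, dport, nbytes = parse_flow(line)
        # Allow a little slack for header accounting differences between sensors.
        if proto == "udp" and dport == SQL_RESOLUTION_PORT and nbytes <= SLAMMER_PAYLOAD_LEN + 32:
            per_src[src].append(ts)
    flagged = {}
    for src, stamps in per_src.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= RATE_THRESHOLD:
                flagged[src] = len(stamps)
                break
    return flagged


# Constructed sample: one infected host spraying random destinations every
# 10 ms, plus one legitimate client doing two ordinary lookups.
SAMPLE = [f"{1000 + i * 0.01:.2f} udp 10.0.0.7 203.0.113.{i % 250} 1434 376" for i in range(120)]
SAMPLE += ["1000.50 udp 10.0.0.9 10.0.0.20 1434 60", "1002.10 udp 10.0.0.9 10.0.0.20 1434 60"]

if __name__ == "__main__":
    print(suspected_scanners(SAMPLE))
```

Blocking UDP 1434 at the perimeter, as several companies did, stops the spread; a rate check like this one tells you which internal hosts still need the reboot and patch the article mentions.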
"It is memory-resident, so it is very efficient," said Greg Shipley, director of consulting for security firm Neohapsis. "So there may be less number of hosts affected, but it is so chatty it saturates connections."
The worm disrupted more than 13,000 Bank of America automated teller machines, and late Saturday the company was still warning online customers of possible slowdowns in accessing their accounts.
"We are currently experiencing problems that may cause online banking to operate more slowly than normal," the message stated. The company could not be reached for comment on Sunday.
PeopleSoft was among several Fortune 100 companies that had had network issues on Saturday, according to data provided by Internet watcher Netcraft.org.
"The problem was that this was a particularly malicious piece of code," said Steve Lipner, director of security assurance for Microsoft. "If it got a hold of one machine, it hammered away at the network. In a big organisation, it's really hard to say that every point of access is protected."
In addition, developers using Microsoft's Data Engine 1.0 and Microsoft Desktop Engine 2000 may not have known they were vulnerable to the worm. The software is included in Visual Studio .NET, ASP.NET Web Matrix Tool, Office XP Developer Edition, MSDN Universal and Enterprise subscriptions and Microsoft Access. MSDE is also included in Microsoft Application Center 2000.
While some companies scrambled to deal with the problem, most consumers weren't affected.
"Consumers might have seen longer latencies and slower connections, otherwise it was a non-issue," said Oliver Friedrichs, senior manager for security software maker Symantec.
By midday Sunday, traffic caused by the worm had fallen to one-tenth the level it had been in the first few hours of the attack, when the infection peaked, Friedrichs said.
"We are not seeing anywhere near the activity of the first two hours," he said. "The worm could have been worse. It could have deleted files. It just took up a tremendous amount of bandwidth." The main brunt of the attack may now be within companies that have shut down database connections to the Internet, but still may be dealing with the infection internally, he added.
Given that the worm did little damage to the machines it infected (a reboot would rid any computer of the worm), some security experts saw the ultimate effect of the attack as a good thing.
"A lot of people see this as a wake-up call," said Ullrich of Incidents.org. "Machines that got infected by this one have been open for the past six months."
Any database vulnerable to the worm could have been attacked by hackers bent on stealing data. Many SQL databases hold customer data, and the worm highlighted that the data hasn't been safe, said Ullrich.
"If you had a vulnerable server, then it's possible that you could have been compromised in the past half-year," he said.
With Fortune 100 companies and online retailers among those that may be cleaning their systems of such a worm, the question may not be whether data has been leaked, but how much.