As loopholes are found in products on a weekly basis, experts stressed that IT managers should keep abreast with the latest warnings and patches. One way is to subscribe to vulnerability mailing lists such as Microsoft's security bulletin.
"Companies need to take applying patches against new security threats seriously," said Graham Cluley, senior technology consultant at Sophos. "If you don't, then stopping new worms and viruses is as easy as catching smoke in a butterfly net."
"It takes companies anywhere from four to 12 months to apply patches--the exposure window is far too big," said Viren Mantri, regional engineering manager, Network Associates.
Slammer causes increased traffic on UDP port 1434 and spreads via an exploit in Microsoft SQL 2000 Web servers, which in turn scans the Internet for other SQL servers to infect, according to Avert, the anti-virus research division of security software maker Network Associates.
"The exploit uses a buffer overflow to gain control of a target server," Avert said.
To prevent external attacks from exploiting this vulnerability, administrators should block UDP port 1434 by downloading and applying Service Pack 3 from Microsoft.
After the server is restarted, the virus will be cleared from memory and reinfection can be deterred, said Network Associates' Mantri.
Cleaning up
Several anti-virus firms have released advisories on next steps.
For Avert (Network Associates) users:
• Stinger will be able to locate the worm (in memory) on infected SQL servers and shut down the SQL processes.
Stinger is a standalone utility used to detect and remove specific viruses. It is not a substitute for full anti-virus protection, but a tool to assist administrators and users when dealing with an infected system. Stinger utilizes next generation scan engine technology, including process scanning, digitally signed DAT files, and scan performance optimizations.
Stinger must be run with administrator privileges to shut down SQL Server. Existing Sniffer users can use Sniffer filter to detect W32/SQLSlammer.worm traffic.
• A McAfee ThreatScan signature update is available to locate unpatched Microsoft SQL 2000 servers.
To effect the update, run the console auto update utility on the ePO server (not ePO console). Next, push out update tasks to all ThreatScan agents. After updating the ThreatScan installation, create a new ThreatScan task of type "Threat Scan".
Select the "Remote Vulnerability Detection" category and the "SQL Slammer Worm Vulnerability Check" on the scan options tab.
When this task is executed, all computers running Microsoft SQL Server 2000 that do not have service pack 3 will be reported.
• For users who have McAfee Desktop Firewall running on their SQL servers, simply create a rule that blocks incoming UDP port 1434.
Meanwhile, Trend Micro users can download its System Cleaner patch from its Web site.
