Slamming the Slammer worm

The havoc wreaked by the Sapphire worm, also known as Slammer and SQLExp, could have been avoided if a patch issued by Microsoft last July had been applied.

As loopholes are found in products on a weekly basis, experts stressed that IT managers should keep abreast of the latest warnings and patches. One way is to subscribe to vulnerability mailing lists such as Microsoft's security bulletin.

"Companies need to take applying patches against new security threats seriously," said Graham Cluley, senior technology consultant at Sophos. "If you don't, then stopping new worms and viruses is as easy as catching smoke in a butterfly net."

"It takes companies anywhere from four to 12 months to apply patches--the exposure window is far too big," said Viren Mantri, regional engineering manager, Network Associates.

Slammer causes increased traffic on UDP port 1434 and spreads via an exploit in Microsoft SQL 2000 Web servers, which in turn scans the Internet for other SQL servers to infect, according to Avert, the anti-virus research division of security software maker Network Associates.

"The exploit uses a buffer overflow to gain control of a target server," Avert said.

To prevent external attacks from exploiting this vulnerability, administrators should block UDP port 1434 and download and apply Service Pack 3 from Microsoft.

After the server is restarted, the virus will be cleared from memory and reinfection can be deterred, said Network Associates' Mantri.
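The traffic pattern described above (a burst of UDP datagrams to port 1434 aimed at many different hosts) is what a network-side detector looks for. The following is an added example, not code from the article, from Avert or from Network Associates: it parses a small set of constructed flow records (the `<time> <src> <dst> <proto> <dport>` format is an assumption) and flags any source that reached an unusually large number of distinct destinations on UDP/1434 inside a short window, while leaving an ordinary SQL client that keeps talking to the same server alone.

```python
"""Flag hosts whose UDP/1434 traffic looks like Slammer-style scanning.

Added example for the article above; the flow-log format and all sample
records are constructed, not taken from the article or from any product.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

UDP_SQL_RESOLUTION_PORT = 1434  # the port named in the article


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<ISO time> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, proto.upper(), int(dport))


def find_udp1434_scanners(lines, window_seconds=10, min_distinct_dst=20):
    """Return {src: max distinct destinations} for sources that sent UDP/1434
    datagrams to at least min_distinct_dst distinct hosts within any span of
    window_seconds. A client resolving one instance repeatedly is not flagged."""
    by_src = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        if f.proto == "UDP" and f.dport == UDP_SQL_RESOLUTION_PORT:
            by_src[f.src].append(f)

    hits = {}
    for src, flows in by_src.items():
        flows.sort(key=lambda f: f.ts)
        left = 0
        in_window = defaultdict(int)  # destination -> datagrams inside the window
        best = 0
        for f in flows:
            in_window[f.dst] += 1
            # Slide the left edge forward until the window fits.
            while (f.ts - flows[left].ts).total_seconds() > window_seconds:
                d = flows[left].dst
                in_window[d] -= 1
                if in_window[d] == 0:
                    del in_window[d]
                left += 1
            best = max(best, len(in_window))
        if best >= min_distinct_dst:
            hits[src] = best
    return hits


# Constructed sample: a normal client resolving one instance name, then the
# same server, once infected, spraying UDP/1434 at 30 addresses in 9 seconds.
SAMPLE_FLOWS = [
    "2003-01-25T05:30:00 10.0.0.5 10.0.1.20 udp 1434",
    "2003-01-25T05:30:04 10.0.0.5 10.0.1.20 udp 1434",
    "2003-01-25T05:30:09 10.0.0.5 10.0.1.20 tcp 1433",
] + [
    f"2003-01-25T05:31:0{i % 10} 10.0.1.20 198.51.100.{i} udp 1434"
    for i in range(1, 31)
]


if __name__ == "__main__":
    for src, n in find_udp1434_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {n} distinct UDP/1434 destinations in one window")
```

The threshold of 20 distinct destinations in 10 seconds is a deliberately loose assumption; tune it against a baseline of the site's own instance-resolution traffic, and treat a hit as a reason to isolate the host and restart it after patching, since the worm lives only in memory.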

Cleaning up

Several anti-virus firms have released advisories on next steps.

For Avert (Network Associates) users:

  • Stinger will be able to locate the worm (in memory) on infected SQL servers and shut down the SQL processes.

    Stinger is a standalone utility used to detect and remove specific viruses. It is not a substitute for full anti-virus protection, but a tool to assist administrators and users when dealing with an infected system. Stinger utilises next generation scan engine technology, including process scanning, digitally signed DAT files, and scan performance optimisations.

    Stinger must be run with administrator privileges to shut down SQL Server. Existing Sniffer users can use a Sniffer filter to detect W32/SQLSlammer.worm traffic.

  • A McAfee ThreatScan signature update is available to locate unpatched Microsoft SQL 2000 servers.

    To effect the update, run the console auto update utility on the ePO server (not the ePO console). Next, push out update tasks to all ThreatScan agents. After updating the ThreatScan installation, create a new ThreatScan task of type "Threat Scan".

    Select the "Remote Vulnerability Detection" category and the "SQL Slammer Worm Vulnerability Check" on the scan options tab.

    When this task is executed, all computers running Microsoft SQL Server 2000 that do not have service pack 3 will be reported.

  • For users who have McAfee Desktop Firewall running on their SQL servers, simply create a rule that blocks incoming UDP port 1434.
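The two checks the steps above leave to products (ThreatScan reporting SQL Server 2000 hosts without Service Pack 3, and the Desktop Firewall rule blocking inbound UDP 1434) can be expressed as a small inventory sweep. This is an added example, not McAfee's or the article's code: the inventory records and firewall rules are constructed, and the rule that SP3 corresponds to build 8.00.760 is an assumption taken from Microsoft's published version list, to be verified before relying on it.

```python
"""Sweep a host inventory for SQL Server 2000 instances still exposing the
Slammer vector: build below SP3, or no firewall rule blocking inbound UDP/1434.

Added example; inventory and rules below are constructed sample data.
"""
import re
from dataclasses import dataclass

SQL2000_MAJOR_MINOR = (8, 0)
SQL2000_SP3_BUILD = 760  # assumption: SQL Server 2000 SP3 reports 8.00.760
SLAMMER_PORT = 1434

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(s: str):
    """Turn '8.00.534' into (8, 0, 534); reject anything else loudly."""
    m = _VER.match(s.strip())
    if not m:
        raise ValueError(f"unparseable SQL Server version: {s!r}")
    return tuple(int(x) for x in m.groups())


def needs_sp3(version: str) -> bool:
    """True for SQL Server 2000 builds older than the SP3 build."""
    major, minor, build = parse_version(version)
    return (major, minor) == SQL2000_MAJOR_MINOR and build < SQL2000_SP3_BUILD


@dataclass(frozen=True)
class FwRule:
    direction: str  # "in" or "out"
    proto: str      # "udp" or "tcp"
    port: int
    action: str     # "block" or "allow"


def blocks_inbound_udp1434(rules) -> bool:
    """First matching rule wins; no matching rule is treated as open."""
    for r in rules:
        if r.direction == "in" and r.proto.upper() == "UDP" and r.port == SLAMMER_PORT:
            return r.action == "block"
    return False


def sweep(inventory, firewall_rules):
    """inventory: [(host, product, version)]; firewall_rules: {host: [FwRule]}.
    Returns one finding per SQL Server 2000 host that is unpatched, unblocked, or both."""
    findings = []
    for host, product, version in inventory:
        if "SQL Server 2000" not in product:
            continue
        unpatched = needs_sp3(version)
        unblocked = not blocks_inbound_udp1434(firewall_rules.get(host, []))
        if unpatched or unblocked:
            findings.append({"host": host, "version": version,
                             "needs_sp3": unpatched, "udp1434_open": unblocked})
    return findings


# Constructed sample data.
INVENTORY = [
    ("sql-01", "Microsoft SQL Server 2000", "8.00.534"),  # SP2, firewall blocks
    ("sql-02", "Microsoft SQL Server 2000", "8.00.760"),  # SP3, no firewall rule
    ("sql-03", "Microsoft SQL Server 2000", "8.00.194"),  # RTM, rule allows
    ("web-01", "Microsoft SQL Server 7.0", "7.00.1063"),  # not in scope
]
RULES = {
    "sql-01": [FwRule("in", "udp", 1434, "block")],
    "sql-02": [],
    "sql-03": [FwRule("in", "udp", 1434, "allow")],
}


if __name__ == "__main__":
    for f in sweep(INVENTORY, RULES):
        print(f)
```

Both conditions are reported separately because they are separate mitigations: the firewall rule stops the network vector while a patch is scheduled, and the patch removes the overflow so the host survives even if the rule is ever removed.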

Meanwhile, Trend Micro users can download its System Cleaner patch from its Web site.

News coverage

Microsoft releases anti-Slammer tools
Microsoft has released early versions of database security applications in reaction to the Slammer worm that wreaked havoc on the Internet last week.

Slammer could have been worse: CA
The Slammer worm, which tore through the Internet 10 days ago, caused disruption to Internet services the world over and Australia was not immune to its danger. However, Computer Associates claims the effects could have been worse.

Counting the cost of Slammer
Analyst firms have begun to weigh in with initial estimates of the damage done by the SQL Slammer worm, the virulent program that spread quickly throughout the Internet a week ago.

Microsoft warns of Slammer morphs
Future versions of Slammer may get you if you don't update, says Microsoft, chastened by its own failure to keep all SQL Server patches up to date.

IT pros protect against Slammer
System administrators' role in protecting Australian enterprises against vulnerabilities has come to the fore with the outbreak of the recent SQL Slammer worm.

Setbacks in search for worm author
Security experts are hunting for clues that might finger the person who wrote the SQL Slammer worm that hammered the Internet this past weekend. Yet chances are, the attacker will escape, investigators said.

Microsoft fails Slammer's security test
Microsoft's policy of relying on software patches to fix major security flaws has been questioned after a series of internal e-mails revealed that the software giant's own network wasn't immune from a worm that struck the Internet last weekend.

New worm burrows into Aust systems
The Slammer worm wreaked havoc on Australian networks over the long weekend as it raged through the Internet.

Slammer 'could have originated from Asia'
Some security experts are pointing to Asia as the birthplace of the worm that wreaked havoc over the weekend on Internet servers worldwide.

Computer worm slows global Net traffic
Cash machines, Internet connections and the servers that sit at the heart of the Internet have been affected by what experts are calling the worst worm since Code Red in 2001.


Talkback 3 comments

    Anonymous -- 29/01/03

    Keep in mind many admins are *afraid* to apply patches for fear they will break things. I received at least one e-mail from an admin who had applied SP3, but had to remove it when it had negative impacts on the system.

    Anonymous -- 30/01/03

    Applying Microsoft patches is too much like playing Russian roulette; sometimes it proves much safer to leave yourself exposed to a security risk than to apply a patch that has not been around for a few months, as their patches can often cause more damage than the attacks. And when they include conditions like the lack of "MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, LACK OF VIRUSES, ACCURACY OR COMPLETENESS OF RESPONSES, RESULTS, WORKMANLIKE EFFORT AND LACK OF NEGLIGENCE" in their extended EULA with patches, it does seem rather pointless.

    Anonymous -- 02/02/03

    People don't trust Microsoft and they don't trust their patches either. I have had times where a Microsoft patch has done more harm than good; take Microsoft Exchange for an example. If Microsoft wants people to install their patches, they need to make sure they're reliable.
