Dawn of the Superworm
Experts warn that the Slammer worm is a harbinger of worse strains to come.
The attack came swiftly and without warning. At 12:30 a.m. eastern standard time, January 25, a single packet of data containing the Slammer worm began spreading across the Internet. Within 10 minutes the worm reached 90 percent of the Net and infected more than 75,000 machines. At its peak 30 minutes later, it disrupted one out of five data packets. The result: service blackouts, canceled flights, and disabled ATMs.
Next time around, we might not be so lucky.
Slammer (also called Sapphire or SQL Hell) was a piece of code about the length of the first paragraph of this story. It created havoc but destroyed no data, and network managers could easily stop it by blocking a port or turning off an infected server, say security experts.
Like Nimda and Code Red before it, Slammer was probably just an experiment rather than a deliberate attempt to hobble the Internet, says Ryan McGee, product marketing director at McAfee Security in Santa Clara, California.
Nevertheless, all three experiments were "successes." And that success is likely to encourage cyberterrorists to build new "superworms" that blend the most potent features of proven worms, and to then use them against specific targets or even as weapons of cyberwar, analysts say.
"If this new era of worms plays out the same way other eras have, the next phase of development will be to see what they can do to damage computers, delete files, and steal personal information," McGee says. In fact, the U.S. Department of Homeland Security warns that terrorists may launch cyberattacks as well as physical ones.
A Zombie Army
Building such a superworm is not difficult, says Dan Ingevaldson, team leader for X-Force, the research-and-development arm of Internet Security Services in Atlanta.
"All you really need is to take an existing worm and mate it with a new head to create a new method of attack," he says.
Worse, hybrid worms could be stealthier than Slammer and its ilk. One could nest in millions of systems and lie dormant until activated for a distributed denial-of-service attack, bombarding a specified server with requests from those many infected systems, says Stuart Staniford, chief executive of Silicon Defense in Eureka, California.
"A worm can create millions of zombies, because it spreads so fast," Staniford says. "Sapphire made an enormous amount of noise." A worm that spread quickly and then deactivated would be tougher to combat, he notes.
Holey Software, Batman
Like most worms, Slammer attacked a vulnerability known to hackers and security wonks alike: a flaw in Microsoft SQL Server 2000, the database program used by hundreds of thousands of servers.
Symantec estimates that more than 2500 new vulnerabilities were found in common applications last year, an 81.5 percent jump over 2001. About 80 percent are severe flaws, meaning they could allow remote control of a program or a computer.
Awareness accounts for part of the jump: Software security is under greater scrutiny, explains Symantec. Back in March, for example, ISS announced a 15-year-old critical flaw in Sendmail, which handles about 50 to 75 percent of e-mail traffic transmitted over the Net. A day after the flaw was exposed, a group called the Last Stage of Delirium released code that hackers could use to exploit it and control certain types of servers.
Despite rising concern about security, most software vendors focus on adding features rather than fixing existing products--partly because the market demands it.
"Everyone wants to be on the cutting edge," remarks Richard Forno, who is a noted security consultant and author based in Washington, D.C. "The problem is that when we buy the latest and greatest products, we also acquire the latest and greatest vulnerabilities."
Sometimes software users ignore fixes, considering them too complex or costly to implement. Microsoft issued a patch for SQL Server more than six months before Slammer's attack. Yet thousands of computers--including some at Microsoft--were unpatched, allowing Slammer to spread.
So far, we've gotten off cheap. Worldwide, Code Red caused $2 billion in damage, and 2000's Love Bug virus hit $9 billion. They were merely cybervandalism on a grand scale. But deliberate assaults on our electronic infrastructure could do damage that dwarfs both of those figures.
In February, the White House issued the National Strategy to Secure Cyberspace, which calls for private and public sector cooperation in the fight against cyberterror.
Forno says that the government guidelines are a good start, with one big problem. "Nobody is held accountable," he says. "Until you can force accountability for security failures, there's no incentive for anybody to make any real improvements."
In the meantime, businesses must fend for themselves, juggling intrusion-detection systems, firewalls, and software patches. Individuals have to rely on personal firewalls and antivirus software, and hope the Net's built-in redundancies and overall resilience will shield them from permanent damage in an attack.
"Worms might upset us, make us lose some data or the use of our PC for a day," says Fred Felman, vice president for marketing at Zone Labs, a San Francisco firewall developer. "But if people lose their trust in the Net, then we really have a problem."
Cybercrime News Archive