Information Security News mailing list archives

Agencies thwart SQL worm


From: InfoSec News <isn () c4i org>
Date: Wed, 29 Jan 2003 02:34:53 -0600 (CST)

http://www.fcw.com/fcw/articles/2003/0127/web-worm-01-27-03.asp

By Rutrell Yasin 
Jan. 27, 2003

Several federal agencies were able to stave off a fast-moving Internet
worm that wreaked havoc on networks worldwide over the weekend.

Known as SQL Slammer, the worm drove central processing unit usage on
infected servers sharply higher, slowing or shutting them down, by
exploiting known vulnerabilities.

The vulnerabilities in this case are in Microsoft Corp.'s SQL Server
2000 database software and were discovered in July 2002. Microsoft
issued a patch to plug the security flaws in October.

Although the worm doesn't carry a malicious payload that wipes out
files, SQL Slammer is a self-propagating worm that exhausts network
bandwidth, causing performance degradation across the Internet.

SQL Slammer took a few hours to spread across Asia, Europe and North
America on Jan. 25 as spikes in network traffic affected businesses
and government agencies, interrupting the performance of airline
travel systems and blocking access to automated teller machines.

Basically "the attack was over and done with in a matter of hours,"  
said Vincent Weafer, senior director of Symantec Corp.'s security
response center. It took about five to eight hours for the attack to
spread. This illustrates the critical need for agencies and businesses
to have a pre-defined plan to deal with fast-spreading worms, Weafer
added.

Proper preparation paid off for the Department of Veterans Affairs.
"Our new security operations center (SOC), a 24-by-7-by-365 activity
under the VA Central Incident Response Capability was on top of it
from the beginning," according to Bruce Brody, chief security officer
for the VA.

Brody said that throughout the course of the incident, the VA was in
constant contact with the Federal Computer Incident Response Center,
the focal point for computer security issues impacting civilian
agencies.

FedCIRC first released an advisory concerning the SQL Slammer worm on
July 29, 2002. FedCIRC reissued the advisory as an informational
notice on its Web site (www.fedcirc.gov) Jan. 25, shortly after 8 a.m.,
according to a General Services Administration spokesperson.

"The VA SOC orchestrated a number of activities throughout the
weekend, including several teleconferences with all of the VA regions
and put out the necessary patches and tools," Brody said.

"Our telecommunications provider assisted by closing the ports that
the worm used to enter and exit the enterprise. While remediation
activities and cleanup continue, we believe we withstood the brunt of
the incident with minimal disruption to our enterprise."

A major Defense Department network deployed throughout North America
and Asia was also able to thwart disruption of network services by
having the right configuration management and control tools in place,
said Carl Wright, vice president of federal operations at Securify
Inc., a developer of configuration management software.

Although traffic on the network tripled as the worm consumed
bandwidth, no machines were infected because DOD was able to take a
proactive stance: it had the information it needed to ensure that all
firewalls and virtual private networks were properly configured,
Wright added.

Using tools that automate verification of system configuration, in
addition to keeping up to date with patches, can help thwart the
majority of such attacks, experts said.

"Only about 1 to 2 percent of attacks are unknown; 98 percent are
due to problems that we are already aware of," said Marcus Sachs,
director of communication infrastructure protection in the White House
Office of Cyberspace Security, during a SANS Institute Webcast.

The worm affected a few computers at the National Oceanic and
Atmospheric Administration, said Thomas Pyke Jr., the chief
information officer at the Commerce Department. He has asked the
department's operating units to certify that their systems have the
appropriate software patches installed and to make sure that the
firewalls at the edges of the network are configured to prevent
incoming attacks and keep the worm from going outside.

Commerce is eager to use the GSA patch dissemination system, Pyke
said, adding that the department also takes advantage of services
provided by FedCIRC.

Colleen O'Hara and Judi Hasson contributed to this report.
 


-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

