System administrators are probably still cursing the Slammer worm, which remains a threat to unpatched SQL Servers. But its progress is slowing down, according to security experts.
The worm surfaced early Saturday and quickly infected machines running SQL Server. A stack-based buffer overflow in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) allowed the worm to spread. The worm could have been much worse; it didn't destroy or steal information stored in the SQL Server databases. But some networks were clogged by the worm's attempts to spread.
Media attention to the worm probably played a role in its decline, said Chris Wraight, technology consultant at antivirus vendor Sophos. But some administrators dropped everything to patch their systems or block the firewall port that Slammer uses.
Yet companies with unpatched systems are still susceptible. "Traditionally, some people won't patch even if they hear news about [a new worm]," said Russ Cooper, surgeon general at TruSecure Corp., a Herndon, Va., managed security services provider. Some major Internet service providers have stopped filtering for it. "Their customers tell them they need access to the port," he said.
Slammer uses UDP port 1434 to search for other vulnerable SQL Servers. Most companies don't need the port open and should have it blocked as a precaution, experts have said.
Cooper warns that new, potentially nastier variants of Slammer are possible, as was the case with Nimda and Code Red. Worms such as Slammer don't go away; they just drop to smaller levels. "We continue to see Code Red," Cooper said. "Somebody isn't releasing it every month. It's surviving."
Slammer was the first major network-based worm of the year. E-mail-based worms such as Lirva and Yaha.K achieved some traction in the early part of the month. However, worms such as Slammer highlight the need for companies to patch vulnerabilities that can be exploited by malicious code.
"I think administrators will be serious [about vulnerabilities] for a month," Wraight said. "But I'm afraid they will fall back into complacency."
Worms like Slammer show that protecting against malicious code involves more than slapping antivirus software on e-mail servers and desktops. "Companies need to look beyond protecting against Outlook-based viruses to examining all their computing infrastructure," Wraight said.
Drop News Writer Edward Hurley a message.