Agencies thwart SQL worm

How several federal agencies staved off a fast-moving Internet worm that wreaked havoc worldwide

Several federal agencies were able to stave off a fast-moving Internet worm that wreaked havoc on networks worldwide over the weekend.

Known as SQL Slammer, the worm drove CPU usage on infected database servers to very high levels, slowing or shutting them down, by exploiting a known vulnerability: a buffer overflow in the SQL Server 2000 Resolution Service, reachable over UDP port 1434. The entire worm fits in a single UDP datagram, so a vulnerable host is infected and begins spreading the instant it receives the packet; no connection setup or user action is involved.

The vulnerability is in Microsoft Corp.'s SQL Server 2000 database software (and in the Microsoft SQL Server Desktop Engine embedded in other products) and was disclosed in July 2002. Microsoft issued a patch that month and re-released the fix in a cumulative SQL Server patch in October; the hosts the worm hit had applied neither.

Although the worm carries no destructive payload (it runs entirely in memory and writes nothing to disk), SQL Slammer is self-propagating: each infected host sends copies of itself to pseudo-random IP addresses as fast as its network link allows, exhausting bandwidth and degrading performance across the Internet.

SQL Slammer spread across Asia, Europe and North America within hours on Jan. 25 as spikes in network traffic affected businesses and government agencies, disrupting airline reservation systems and blocking access to automated teller machines.

Basically "the attack was over and done with in a matter of hours," said Vincent Weafer, senior director of Symantec Corp.'s security response center. It took about five to eight hours for the attack to spread. This illustrates the critical need for agencies and businesses to have a pre-defined plan to deal with fast-spreading worms, Weafer added.

Proper preparation paid off for the Department of Veterans Affairs. "Our new security operations center (SOC), a 24-by-7-by-365 activity under the VA Central Incident Response Capability, was on top of it from the beginning," according to Bruce Brody, chief security officer for the VA.

Brody said that throughout the course of the incident, the VA was in constant contact with the Federal Computer Incident Response Center, the focal point for computer security issues impacting civilian agencies.

FedCIRC first released an advisory on the underlying SQL Server vulnerability on July 29, 2002, roughly six months before the worm appeared. FedCIRC reissued the advisory as an informational notice on its Web site (www.fedcirc.gov) Jan. 25, shortly after 8 a.m., according to a General Services Administration spokesperson.

"The VA SOC orchestrated a number of activities throughout the weekend, including several teleconferences with all of the VA regions and put out the necessary patches and tools," Brody said.

"Our telecommunications provider assisted by closing the ports that the worm used to enter and exit the enterprise. While remediation activities and cleanup continue, we believe we withstood the brunt of the incident with minimal disruption to our enterprise."

A major Defense Department network deployed throughout North America and Asia was also able to thwart disruption of network services by having the right configuration management and control tools in place, said Carl Wright, vice president of federal operations at Securify Inc., a developer of configuration management software.

Although traffic on the network tripled as the worm consumed bandwidth, no machines were infected because DOD had the information it needed to ensure that all firewalls and virtual private networks were properly configured, which let it take a proactive stance, Wright added.

Using tools that automate verification that systems are properly configured, together with keeping up to date with patches, can thwart the majority of such attacks, experts said.

"Only about 1 to 2 percent of attacks are unknown; 98 percent are due to problems that we are already aware of," said Marcus Sachs, director of communication infrastructure protection in the White House Office of Cyberspace Security, during a SANS Institute Webcast.

The worm affected a few computers at the National Oceanic and Atmospheric Administration, said Thomas Pyke Jr., the chief information officer at the Commerce Department. He has asked the department's operating units to certify that their systems have the appropriate software patches installed and to make sure that the firewalls at the edges of the network are configured both to block incoming attacks and to keep the worm from spreading outward from any host that is already infected.
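The two edge-firewall checks described above, blocking the worm inbound and keeping an infected host from spraying it outward, can be verified against the firewall's own logs. What follows is an added example for this article, not code from any agency, vendor or the original report. It relies on the well-documented Slammer signature (a single UDP datagram to port 1434, the SQL Server 2000 Resolution Service, carrying a 376-byte payload); the log line format, the internal address ranges, the sample log lines and the scan threshold are all assumptions constructed for the example. It reports Slammer-like datagrams from outside that the edge allowed in (an ingress-filtering gap) and internal hosts sending them to many distinct outside addresses (infected machines that egress filtering should contain).

```python
"""Flag SQL Slammer-style traffic in edge firewall logs.

Added example, not code from the article or any agency. Slammer travels as
one UDP datagram to port 1434 (the SQL Server 2000 Resolution Service) with
a 376-byte payload (404 bytes on the wire with IP and UDP headers). An
infected host sends that datagram to pseudo-random IPv4 addresses as fast as
its link allows, so the tell-tale sign is a burst of UDP/1434 datagrams from
one source to many distinct destinations.

Assumed log format (constructed for this example, not a real product's):
  <timestamp> <ALLOW|DENY> <UDP|TCP> <src>:<sport> -> <dst>:<dport> len=<udp payload bytes>
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
import re

SLAMMER_PORT = 1434
SLAMMER_PAYLOAD_LEN = 376  # UDP payload size of the worm datagram
SCAN_THRESHOLD = 5         # distinct outside destinations before a host is called infected (assumed)

# Address space of "our" network; an assumption for the example.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) len=(?P<len>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    return {"ts": d["ts"], "action": d["action"], "proto": d["proto"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "len": int(d["len"])}


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_slammer_like(rec):
    """Exact signature match: UDP to 1434 carrying exactly the worm-sized payload."""
    return (rec["proto"] == "UDP" and rec["dport"] == SLAMMER_PORT
            and rec["len"] == SLAMMER_PAYLOAD_LEN)


def analyze(lines):
    """Return (ingress_gaps, infected).

    ingress_gaps: Slammer-like datagrams from outside that the edge ALLOWed in.
    infected:     {internal src: distinct outside destinations} for hosts
                  emitting Slammer-like datagrams outward. DENYs count too:
                  the firewall contained the host, but the host is infected.
    """
    ingress_gaps = []
    outward = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_slammer_like(rec):
            continue
        src_in, dst_in = is_internal(rec["src"]), is_internal(rec["dst"])
        if not src_in and dst_in and rec["action"] == "ALLOW":
            ingress_gaps.append(rec)
        elif src_in and not dst_in:
            outward[rec["src"]].add(rec["dst"])
    infected = {src: len(dsts) for src, dsts in outward.items() if len(dsts) >= SCAN_THRESHOLD}
    return ingress_gaps, infected


# Constructed sample log for the example (outside hosts use RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "2003-01-25T05:30:58 ALLOW TCP 198.51.100.4:51000 -> 10.1.2.9:443 len=1200",  # ordinary traffic
    "2003-01-25T05:30:59 ALLOW UDP 10.1.2.9:3456 -> 10.1.2.3:1434 len=1",         # legitimate 1-byte SSRS query
    "2003-01-25T05:31:02 ALLOW UDP 203.0.113.7:3972 -> 10.1.2.3:1434 len=376",    # worm let in: ingress gap
    "2003-01-25T05:31:02 DENY UDP 203.0.113.8:4011 -> 10.1.2.4:1434 len=376",     # worm correctly dropped
    "2003-01-25T05:31:03 ALLOW UDP 10.1.2.3:1521 -> 192.0.2.10:1434 len=376",     # 10.1.2.3 now spraying
    "2003-01-25T05:31:03 ALLOW UDP 10.1.2.3:1521 -> 192.0.2.11:1434 len=376",
    "2003-01-25T05:31:03 ALLOW UDP 10.1.2.3:1521 -> 192.0.2.10:1434 len=376",     # repeat target, counted once
    "2003-01-25T05:31:03 DENY UDP 10.1.2.3:1521 -> 203.0.113.55:1434 len=376",    # egress rule kicked in
    "2003-01-25T05:31:04 DENY UDP 10.1.2.3:1521 -> 198.51.100.77:1434 len=376",
    "2003-01-25T05:31:04 DENY UDP 10.1.2.3:1521 -> 192.0.2.200:1434 len=376",
    "2003-01-25T05:31:04 DENY UDP 10.1.2.3:1521 -> 203.0.113.9:1434 len=376",
    "not a log line at all",
]

if __name__ == "__main__":
    gaps, hosts = analyze(SAMPLE_LOG)
    for rec in gaps:
        print(f"INGRESS GAP {rec['ts']} {rec['src']} -> {rec['dst']}:{rec['dport']}")
    for src, n in hosts.items():
        print(f"INFECTED {src}: Slammer-like datagrams to {n} distinct outside addresses")
```

Two design points worth noting. Outbound DENY entries are still counted toward the infected-host tally, because a firewall that drops the datagrams has contained the host, not cleaned it; the host still needs to be pulled off the network and patched. And the exact 376-byte match is deliberately narrow; in a real deployment the rate matters more than the size, since an infected host emits thousands of these per second, so a production rule would also alert on any internal source sending UDP/1434 to more than a handful of outside addresses per second regardless of payload length.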

Commerce is eager to use the GSA patch dissemination system, Pyke said, adding that the department also takes advantage of services provided by FedCIRC.

Colleen O'Hara and Judi Hasson contributed to this report.
