Huge worm a Net threat

According to a report authored by U.S. security experts, the Sapphire Worm “doubled in size every 8.5 seconds. It infected more than 90 per cent of vulnerable hosts in 10 minutes.”

And to think, the situation could get worse.

Sapphire, also known as Slammer, took out many Microsoft Corp. SQL Servers the weekend of Jan. 24. It was “the fastest computer worm in history,” reads the report, published last month and penned by security mavens like Stuart Staniford, founder of Silicon Defense, a high-tech protection firm in Eureka, Calif.

The paper explains just how damaging this single-minded program was, bent on exploiting a well-known buffer overflow problem in SQL Server. Sapphire “caused network outages…cancelled airline flights, interference with elections, and ATM failures.”

As the most prolific worm to date, Sapphire elicits certain questions. What could be next? For instance, could a worm target not just particular servers, but infect every Web-connected box on the planet?

The answer: it’s conceivable.

Staniford co-authored a report last summer entitled “How to Own the Internet in Your Spare Time.” The paper outlines potential worms, among them “Warhol” and “flash.”

Armed with a sort of “hit list” and employing a divide-and-conquer strategy, the Warhol worm would know just which servers are vulnerable. It would divvy up the work among numerous copies in order to get through the hit list quicker. As well, Warhol would use “permutation scanning”: copies of the worm would know which hosts had been scanned already. This makes for efficient infection.

Warhol would be “capable of attacking most vulnerable targets in…less than 15 minutes,” Staniford and his colleagues wrote.

During an interview with Network World Canada, the author said Sapphire was not a Warhol worm. Sapphire used random scanning, not a hit list, to find vulnerable hosts. Still, it “pretty much achieved” Warholian speed, Staniford said.

The flash worm would also carry a list of attack sites, but it would use an even more sophisticated divide-and-conquer tactic to infect targets in “tens of seconds.” However, the long attack list might make the worm too big to sneak past intrusion detection systems (IDS) without triggering an alarm.

Sapphire, on the other hand, was tiny, Staniford pointed out.

“In my mind, Code Red was a small worm at 4KB. I had a little failure of the imagination that a worm could be 376 bytes.”

Does Staniford think a worm could take out the Internet? “I think that’s a possibility,” he said, adding that a graduate-level computer science student could create flash and Warhol worms.

Other security experts agree with Staniford’s assessment of the situation.

“Slammer was very focused on that one vulnerability on SQL Server,” said Jan Sundgren, an industry analyst with Giga Information Group Inc., headquartered in Cambridge, Mass. “You can imagine a worm that finds an equally fruitful vulnerability for exploitation and then combines it with other avenues of infection. You could have something that, because it spreads in multiple ways, manages to bring down even more of the Internet than Slammer did.”

Still, “it would be pretty short term,” he said. “People would react quickly. With Slammer, it was pretty easy to get it out of the system. Reboot the SQL server, patch it or close the port.”

Staniford and his co-authors said future worms might be more difficult to catch. “A flash worm…appears capable of infecting the vulnerable population in tens of seconds – so fast that no human-mediated counter-response is possible.”

Human responses are notoriously slow. Sapphire exploited a problem in SQL Server that Microsoft fixed last summer. Nonetheless, the worm “infected at least 75,000 hosts,” according to a review of its spread.

Why didn’t IT administrators at affected companies simply patch SQL Server earlier? Perhaps because patching isn’t a simple undertaking to begin with.

“There are over 6,000 known vulnerabilities,” said Michael Murphy, Toronto-based general manager Canada with Symantec Corp., illustrating how difficult it can be to keep up with patches across the enterprise.

Murphy advocates using a layered security system to guard against attacks like Warhol and flash. Companies should marry host-based IDS with network-based IDS, firewall technology and patch management policies.

Symantec sells host-based IDS software, network-based IDS software and firewalls. The firm also offers a security management service based on event correlation technology.

Victor Keong, a Toronto-based partner in Deloitte & Touche LLP’s security services group, said an Internet-destroying worm is “not inconceivable,” especially given the mutable definition of “the Internet.”

“Way back two or three years ago we had distributed denial of service (DDoS) attacks that brought down CNN, Yahoo, E-Trade. For a lot people, Yahoo, E-Trade, CNN, that is the Internet.…So it’s not inconceivable that a targeted attack would bring those sites down again. Add to that the malicious code that we’ve seen lately that works in the back office – Slammer – (and) the combination could be deadly.”

Staniford calls for a cyber centre of disease control (CDC), where law agencies work alongside security experts to analyze threats.

Murphy, however, said a cyber CDC is redundant. “It exists. If you think of Symantec, we have our SecurityFocus group with its…threat management and alert services, which are there to search for vulnerabilities and attack motives, to provide that early warning for customers.”

Murphy said vulnerabilities might be on the rise because more and more companies are divulging information about problems in their software. He called it “responsible disclosure.”

Staniford said it’s a fine line between responsible disclosure and giving worm writers the information they need to succeed.

“We obviously debated that intensely when we were writing the paper,” he said, referring to descriptions of Warhol and flash. “Before we published it, we did a paragraph-by-paragraph level review of what we would put in and would not put in, on the basis of, ‘is this more help to the defence than the attackers?’

“The problem is, you can’t just make completely vague prognostications of doom. People won’t take you seriously without enough detail.”

See “How to Own the Internet in Your Spare Time” at See “The Spread of the Sapphire-Slammer Worm” at