Businesses dig out from Slammer

IT staff look to lessons learned from previous attacks

Two days after the new, fast spreading W32.Slammer worm wreaked havoc on the Internet, organizations in the U.S. that were affected say that good technology and prompt reaction to the emerging attack prevented more widespread disruption.

Stories abound of network slowdowns in the hours following the first appearance of the worm early Saturday morning.

Beth Israel Deaconess Medical Center (BIDMC) in Boston experienced slowdowns for approximately six hours as a result of Slammer, according to John Halamka, MD, Chief Information Officer of the CareGroup Health System.

Blocking ports 1433 and 1434 on affected machines eventually brought Slammer under control, Halamka said.

Physician Craig Gordon arrived at 7:30 Saturday morning to find many of the computer systems that the hospital uses to track clinical data and enter patient orders were not working and that access to the Internet was gone.

Gordon and the rest of the staff at BIDMC fell back on lessons learned from previous virus outbreaks and computer outages, using teamwork and an older paper-based system to manage their patients until the clinical systems came back online a couple hours later.

"People just figured out what was up, what was down and what we could do to make the day go on. It was actually pretty extraordinary.  Everybody did their job and helped each other out. It was really about as normal as it could be," Gordon said.

At Northeastern University in Boston , IT staff was notified of the mounting attack by monitoring systems and were on hand at just after midnight Saturday to address infection on some of the University's 13 Microsoft SQL Server hosts, according to Leo Hill, director of technology research and integration at Northeastern.

The IT staff worked to locate the source of the problem and stem the flow of traffic produced by Slammer. By 7:30 in the morning, Northeastern's staff had Slammer under control, with little or no disruption to students, employees or faculty, according to Hill.

The cleanup at Northeastern was hastened by the fact that most of the institution's SQL servers had Microsoft's SQL Server Service Pack 2 or Service Pack 3 already installed. Those service packs patched the software vulnerability that was exploited by Slammer, according to Hill.

IT staff at the place where former Northeastern student Shawn Fanning wrote the original Napster application were also armed with a variety of firewalls and traffic shapers that helped spot and thwart the Slammer outbreak, according to Hill.

"Our students are very creative these days. We figure if we can't defend against one of these [worms] we definitely can't protect ourselves against our students," Hill said.

Halamka also said that monitoring tools and up-to-date network hardware from Cisco Systems helped to blunt the impact of Slammer at BIDMC.

Although BIDMC had patched its SQL Server machines using Service Pack 3 in July, however, IT staff didn't anticipate the worm spreading through the vulnerable Microsoft Data Engine 2000 (MSDE) component, which was also affected by the SQL vulnerability and was installed on personal computers running Microsoft Office XP in the hospital's research area and in private offices, Halamka said.

Those nonserver machines caused the slowdowns on BIDMC's network, according to Halamka.

Such lapses are common given the large number of software security bulletins and patches released by companies such as Microsoft each year, according to Vincent Gullotto, vice president of the McAfee AVERT (Anti-Virus Emergency Response Team) division.

"The difficulty for organizations is to know which patches to apply and which not to apply," Gullotto said.

Organizations should consider working with security consulting companies or speaking directly with software vendors to determine the possible impact of security vulnerabilities.

"Administrators need to look at each bulletin and determine how bad the vulnerability is and whether it affects them. When the vulnerability is on a popular platform that you are using, some action is required because the more popular the platform, the more valuable a target it is for a hacker," Gullotto said.

In addition to scrutinizing each patch announcement, organizations should consider deploying vulnerability assessment tools for their network and increasing the frequency with which they roll out software updates to user desktops, Gullotto said.


Copyright © 2003 IDG Communications, Inc.

How to choose a low-code development platform