Microsoft posts 'find Slammer' tools
Paul Roberts, IDG News Service
February 6, 2003
(Computerworld)
Responding to the rapid spread of the Slammer worm through a software vulnerability in its SQL Server 2000 database product, Microsoft Corp. has posted prerelease versions of a number of utilities that can ferret out systems that are susceptible to Slammer.
The tools, which were posted to Microsoft's Web site last week, include:
- SQL Scan, which can scan a computer, network domain or range of IP addresses and identify instances of SQL Server 2000 or the Microsoft SQL Server Desktop Engine (MSDE) 2000 that are vulnerable to Slammer.
- SQL Check, which can scan an individual computer running most flavors of the Windows operating system for instances of SQL Server 2000 and MSDE 2000 that are vulnerable. For later versions of Windows, such as NT 4.0, Windows 2000 and Windows XP, SQL Check can also disable the vulnerable services.
- SQL Critical Update, which can scan a computer running Windows NT 4.0, Windows 2000 or Windows XP, identify vulnerable instances of SQL Server 2000 and MSDE 2000, and automatically patch the vulnerable files.
The tools are provided "as is" by Microsoft, and all are "under continuing development," according to information posted online. In addition, some of the tools, such as SQL Scan and SQL Critical Update, aren't supported by all of Microsoft's current operating systems.
While Microsoft's tools will be welcome news for network administrators -- even in a prerelease state -- they aren't the first such tools on the market.
U.K.-based computer security company Next Generation Security Software Ltd. (NGS) updated its scanning tool, Typhon II, in July to test for the Slammer vulnerability, according to David Litchfield, co-founder of NGS and the person who first identified the SQL Slammer vulnerability.
Unfortunately, many SQL Server administrators are slow to patch known vulnerabilities, waiting until a new worm or virus that exploits them is already circulating, according to Litchfield.
"People buy Microsoft products and throw them on their network. These people are not informed about security or don't think about it. So it's only really when things are reported in the popular press that people take notice," Litchfield said.
While the new Microsoft tools may help administrators patch for Slammer, there are other known vulnerabilities in SQL Server and other Microsoft products that, like Slammer, enable attackers to take control of critical systems without needing to supply log-in or password information, according to Litchfield.
Administrators should be searching their network for those vulnerabilities as well if they don't want to fall victim to the next Slammer-like threat, Litchfield said.
As the world's largest software maker, Microsoft has come under scrutiny for security vulnerabilities in its widely used products.
The recent Slammer worm took advantage of one such security hole and the ubiquity of Microsoft's SQL Server database software to become the fastest-spreading computer virus ever, according to a study conducted by the Cooperative Association for Internet Data Analysis along with other organizations.
According to that study, the number of machines infected with Slammer doubled roughly every 8.5 seconds in the first minutes of the outbreak. That's more than 250 times faster than Code Red, which hit in mid-2001 and had a doubling time of 37 minutes, according to the report.