Comment & Analysis

Worm exposes laziness in the IT department

Microsoft warned about this flaw six months ago... the patches should have been in place...

By Robert Lemos

Published: 27 January 2003 17:22 GMT

More than 120,000 computers were infected over the weekend by a worm that brought the internet to a standstill for many and caused chaos on corporate networks.

The small but malicious Sapphire worm rapidly exploited a six-month-old flaw in Microsoft SQL Server database software.

Johannes Ullrich, director of the security information site Incidents.org, said the infection underscores a dirty secret in the IT industry: software bugs are still commonplace and administrators are slow to fix even widely publicised problems.

Ullrich said: "Companies should have been ready for [the worm]. That patch should have been applied - it's six months old now."

In the past, Microsoft has come in for fierce criticism over breaches of its security, but in this incident security experts have placed the bulk of the blame on administrators who failed to patch their software.

Marc Maiffret, chief hacking officer for security software firm eEye Digital Security, said: "I don't think people can really hold Microsoft at fault for this worm."

While Microsoft did release flawed software, they fixed that flaw many months ago, he said. "Customers have been able to protect themselves," he added.

For a variety of reasons, however, companies with Microsoft SQL Server software didn't apply the patches. Moreover, the affected companies also had vulnerable servers that were accessible via the internet, a disaster waiting to happen.

Maiffret added: "Some administrators might be at fault but then some corporate managers might be at fault for understaffing, under-budgeting, and under-empowering their IT staff to be able to handle the security of their network."

The worm takes advantage of a flaw in how Microsoft SQL Server handles certain input. By sending a specially crafted data packet over the internet, the worm can remotely compromise additional systems and spread copies of itself. The worm doesn't create files and doesn't delete data. Rather, it resides in memory and tries to spread as quickly as possible.

It's so successful at rapidly sending data, however, that it overloaded many networks and overwhelmed many types of network hardware, effectively cutting off some companies from the internet.

In the US the worm disrupted more than 13,000 Bank of America cash machines, and late Saturday the company was still warning online customers of possible slowdowns in accessing their accounts. "We are currently experiencing problems that may cause online banking to operate more slowly than normal," the message stated. The company could not be reached for comment on Sunday.

PeopleSoft was among several Fortune 100 companies that had network issues on Saturday, according to data provided by internet watcher Netcraft.org.

Steve Lipner, director of security assurance for Microsoft, said: "The problem was that this was a particularly malicious piece of code. If it got a hold of one machine, it hammered away at the network. In a big organisation, it's really hard to say that every point of access is protected."

Any database vulnerable to the worm could have been attacked by hackers bent on stealing data any time in the last six months. Many SQL databases hold customer data, and the worm highlighted that the data hasn't been safe, said Ullrich.

"If you had a vulnerable server, then it's possible that you could have been compromised in the past half-year," he said.

With Fortune 100 companies and online retailers among those that may be cleaning their systems of such a worm, the question may not be whether data has been leaked, but how much.
