SQL slammer (computer worm)

From Wikipedia, the free encyclopedia

The SQL slammer worm is a computer worm that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic, starting at 05:30 UTC on January 25, 2003. It spread rapidly, infecting most of its 75,000 victims within ten minutes. W3 Media's Senior Web Developer and Technical Manager Ben Koshy has been credited with being the first person to identify the so-called 'Slammer' virus. Although titled "SQL slammer worm", the program did not use the SQL language; it exploited two buffer overflow bugs in Microsoft's flagship SQL Server and Desktop Engine database products, for which patches had been released six months earlier in MS02-039 and MS02-061. Other names include W32.SQLExp.Worm, DDOS.SQLP1434.A, the Sapphire Worm, SQL_HEL, and W32/SQLSlammer.

Contents 1 Impact 2 Technical details 3 See also 4 External links

[edit] Impact

Sites monitoring the traffic of the Internet such as Internet Storm Center reported significant slowdowns globally, resembling the impact of the Code Red worm in the summer of 2001.

Yonhap news agency in South Korea reported that Internet services had been shut down for hours on Saturday, January 25, 2003 nationwide. The impact was mitigated by the fact that it occurred over the weekend.

The same attack was reported throughout most of Asia, Europe, and North America. Anti-virus software maker Symantec estimated that at least 22,000 systems were affected worldwide.

The Microsoft SQL Server Desktop Engine (MSDE) was affected by the worm and that increased the number of the systems affected. This, together with many home users unaware they have MSDE installed, worsened the impact of this worm. Also, if a computer running MSDE was infected with this worm via the Internet and then connected to a Virtual Private Network, the SQL Servers inside the NAT can be infected.

[edit] Technical details

The worm is a small (376 bytes) piece of code that does little other than generate random IP addresses and send itself out to those addresses. If a selected address happens to belong to a host that is running an unpatched copy of Microsoft SQL Server Resolution Service, the host immediately becomes infected and begins spraying the Internet with more copies of the worm program.

Home PCs are generally not vulnerable to this worm unless they have MSDE installed. The worm is so small that it does not contain code to write itself to disk, so it only stays in memory, and it is easy to remove. For example, Symantec provides a free removal utility (see external link below), or it can even be removed by restarting SQL Server (although the machine would likely be immediately reinfected).

The worm was made possible by a software security vulnerability in SQL Server first reported by Microsoft on July 24, 2002. A patch had been available from Microsoft for six months prior to the worm's launch, but many installations had not been patched -- including some at Microsoft.

The slowdown was caused by the collapse of numerous routers under the burden of extremely high bombardment traffic from infected servers. Normally, when traffic is too high for routers to handle, the routers are supposed to delay or temporarily stop network traffic. Instead, some routers crashed (became unusable), and the "neighbor" routers would notice that these routers had stopped and should not be contacted (aka "removed from the routing table"). Routers started sending notices to this effect to other routers they knew about. The flood of routing table update notices caused some additional routers to fail, compounding the problem. Eventually the crashed routers' maintainers restarted them, causing them to announce their status, leading to another wave of routing table updates. Soon a significant portion of Internet bandwidth was consumed by routers communicating with each other to update their routing tables, and ordinary data traffic slowed down or in some cases stopped altogether. Ironically because the SQL slammer worm was so small in size, sometimes it was able to get through and legitimate traffic was not.

SQL Slammer was the first observed example of a "Warhol worm" -- a fast-propagating Internet infection of the sort first hypothesized in 2002 in a paper by Nicholas Weaver. Two key aspects contributed to SQL Slammer's rapid propagation. The worm infected new hosts over UDP, and the entire worm (only 376 bytes) fit inside a single packet. As a result, no connection was necessary for an infected host to attempt to infect another machine. Each infected host could instead simply "fire and forget" packets as rapidly as possible (generally hundreds per second).

[edit] See also

• Notable computer viruses and worms

[edit] External links

News:

• BBC NEWS Technology Virus-like attack hits web traffic
• MS SQL Server Worm Wreaking Havoc
• Wired 11.07: Slammed! A layman's explanation of the Slammer code.

Announcement:

• Microsoft Security Bulletin MS02-039 and Patch
• CERT Advisory CA-2003-04
• Symantec Security Response - W32.SQLExp.Worm

Analysis

• Report of CAIDA-coordinated study of SQL Slammer/Sapphire
• Warhol Worms: The Potential for Very Fast Internet Plagues by Nicholas C. Weaver

Technical details

• Worm code disassembled
• Multiple Vulnerabilities in Microsoft SQL Server - Carnegie-Mellon Software Engineering Institute
• Internet Storm Center