SQL Slammer

SQL Slammer
Monitor padlock.svg Computer security portal

SQL Slammer is a computer worm that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic, starting at 05:30 UTC on January 25, 2003. It spread rapidly, infecting most of its 75,000 victims within ten minutes. So named by Christopher J. Rouland, the CTO of ISS, Slammer was first brought to the attention of the public by Michael Bacarella (see notes below). Although titled "SQL slammer worm", the program did not use the SQL language; it exploited a buffer overflow bug in Microsoft's flagship SQL Server and Desktop Engine database products, for which a patch had been released six months earlier in MS02-039. Other names include W32.SQLExp.Worm, DDOS.SQLP1434.A, the Sapphire Worm, SQL_HEL, W32/SQLSlammer and Helkern.[1]

Contents

Technical details

The worm was based on proof of concept code demonstrated at the Black Hat Briefings by David Litchfield, who had initially discovered the buffer overflow vulnerability that the worm exploited.[2] It is a small piece of code that does little other than generate random IP addresses and send itself out to those addresses. If a selected address happens to belong to a host that is running an unpatched copy of Microsoft SQL Server Resolution Service, the host immediately becomes infected and begins spraying the Internet with more copies of the worm program.

Home PCs are generally not vulnerable to this worm unless they have MSDE installed. The worm is so small that it does not contain code to write itself to disk, so it only stays in memory, and it is easy to remove. For example, Symantec provides a free removal utility (see external link below), or it can even be removed by restarting SQL Server (although the machine would likely be reinfected immediately).

The worm was made possible by a software security vulnerability in SQL Server first reported by Microsoft on July 24, 2002. A patch had been available from Microsoft for six months prior to the worm's launch, but many installations had not been patched – including many at Microsoft.

The slowdown was caused by the collapse of numerous routers under the burden of extremely high bombardment traffic from infected servers. Normally, when traffic is too high for routers to handle, the routers are supposed to delay or temporarily stop network traffic. Instead, some routers crashed (became unusable), and the "neighbour" routers would notice that these routers had stopped and should not be contacted (aka "removed from the routing table"). Routers started sending notices to this effect to other routers they knew about. The flood of routing table update notices caused some additional routers to fail, compounding the problem. Eventually the crashed routers' maintainers restarted them, causing them to announce their status, leading to another wave of routing table updates. Soon a significant portion of Internet bandwidth was consumed by routers communicating with each other to update their routing tables, and ordinary data traffic slowed down or in some cases stopped altogether. Ironically, because the SQL Slammer worm was so small in size, sometimes it was able to get through when legitimate traffic was not.

Two key aspects contributed to SQL Slammer's rapid propagation. The worm infected new hosts over UDP, and the entire worm (only 376 bytes) fits inside a single packet. As a result, each infected host could instead simply "fire and forget" packets as rapidly as possible (generally hundreds per second).

Notes

There is contention as to who found "Slammer" first. This is almost impossible to determine. However, in terms of who first alerted the general public, this can be attributed to Michael Bacarella who posted a message to the Bugtraq security mailing list entitled "MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!".[3] This was sent at 08:11:41 UTC on 25 January 2003. Ben Koshy is often credited as being the first; indeed the company he worked for put out a press statement to this effect.[4] However, his alert[5] to the public, sent to the NTBugtraq mailing list was not sent until 10:28 UTC. Robert Boyle sent an alert to NTBugtraq at 08:35 UTC[6] beating Koshy but lagging behind Bacarella. ISS, through Chris Rouland, sent out alerts at 11:54 UTC[7] and 11:56 UTC[8] to the ISSForum and Vulnwatch mailing lists respectively.

References

  1. ^ "Symantec W32.SQLExp.Worm". http://www.symantec.com/security_response/writeup.jsp?docid=2003-012502-3306-99. 
  2. ^ Leyden, John (6 February 2003). "Slammer: Why security benefits from proof of concept code". Register. http://www.theregister.co.uk/2003/02/06/slammer_why_security_benefits/. Retrieved 2008-11-29. 
  3. ^ Bacarella, Michael (25 January 2003). "MS SQL Worm is Destroying Internet Block Port 1434!". Bugtraq. http://seclists.org/bugtraq/2003/Jan/0221.html. Retrieved 2008-11-29. 
  4. ^ "W3 Media's Ben Koshy first to identify Internet 'Slammer' Virus". Press Release. W3 Media. January 24, 2003. http://www.w3media.com/images/news/W3_Identify_Slammer_Virus.pdf. Retrieved 2008-11-29. 
  5. ^ Koshy, Ben (January 25, 2003). "Peace of Mind Through Integrity and Insight". Neohapsis Archives. http://archives.neohapsis.com/archives/ntbugtraq/2003-q1/0010.html. Retrieved 2008-11-29. 
  6. ^ Boyle, Robert (January 25, 2003). "Peace of Mind Through Integrity and Insight". Neohapsis Archives. http://archives.neohapsis.com/archives/ntbugtraq/2003-q1/0011.html. Retrieved 2008-11-29. 
  7. ^ "ISS Security Brief: Microsoft SQL Slammer Worm Propagation". ISSForum. 25 January 2003. http://lists.virus.org/issforum-0301/msg00099.html. Retrieved 2008-11-29. 
  8. ^ X-Force (January 25, 2003). "Peace of Mind Through Integrity and Insight". Neohapsis Archives. http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0038.html. Retrieved 2008-11-29. 

External links

News
Announcement
Analysis
  • Inside the Slammer Worm IEEE Security and Privacy Magazine, David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, and Nicholas Weaver
Technical details

Wikimedia Foundation. 2010.

Игры ⚽ Поможем сделать НИР

Look at other dictionaries:

  • SQL Slammer — ist der Name eines Computerwurms, der einen ungepatchten Microsoft SQL Server 2000 befallen kann. Er begann am 25. Januar 2003, sich zu verbreiten, und infizierte innerhalb einer halben Stunde 75.000 Opfer, den Großteil davon in den ersten 10… …   Deutsch Wikipedia

  • SQL Slammer — Slammer (aussi connu sous le nom de Sapphire) est un ver informatique se propageant grâce à une faille sur les serveurs Microsoft SQL Server. Cette faille était employée dans les milieux warez pour stocker des fichiers illégalement. Les 24 et 25… …   Wikipédia en Français

  • SQL slammer (computer worm) — The SQL slammer worm is a computer worm that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic, starting at 05:30 UTC on January 25, 2003. It spread rapidly, infecting most of its 75,000… …   Wikipedia

  • Ver SQL Slammer — SQL Slammer Cet article fait partie de la série Programmes malveillants Virus Cabir MyDoom.A Tchernobyl …   Wikipédia en Français

  • Slammer — can refer to:*SQL slammer (computer worm) *a slang term for prison or jail *an Alabama Slammer cocktail *Sholef / Slammer, an Israeli self propelled 155mm howitzer based on a Merkava tank chassis *the non transforming tank who is a partner to… …   Wikipedia

  • SQL Server Reporting Services — (сокр. SSRS, рус. Службы отчетности SQL Server)  программная серверная система создания отчетов, разработанная корпорацией Microsoft. Она может быть использована для подготовки множества интерактивных и печатных отчетов. Система… …   Википедия

  • SQL Server Management Studio — SQL Server Management Studio  утилита из Microsoft SQL Server 2005 и более поздних версий для конфигурирования, управления и администрирования всех компонентов Microsoft SQL Server. Утилита включает скриптовый редактор и графическую… …   Википедия

  • SQL Server 2005 — Microsoft SQL Server Тип Реляционная СУБД Разработчик ОС Microsoft Windows Версия 2008 6 августа 2008 Лицензия …   Википедия

  • SQL Server 2008 — Microsoft SQL Server Тип Реляционная СУБД Разработчик ОС Microsoft Windows Версия 2008 6 августа 2008 Лицензия …   Википедия

  • SQL Server 2000 — Microsoft SQL Server Тип Реляционная СУБД Разработчик ОС Microsoft Windows Версия 2008 6 августа 2008 Лицензия …   Википедия

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”