SQL slammer worm
The SQL slammer worm is a computer worm that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic, starting at 05:30 UTC on January 25, 2003. It spread rapidly, infecting most of its 75,000 victims within 10 minutes. Although titled "SQL slammer worm", the program did not use the SQL language; it exploited two buffer overflow bugs in Microsoft's flagship SQL Server database product. Other names include W32.SQLExp.Worm, DDOS.SQLP1434.A, the Sapphire Worm, SQL_HEL, and W32/SQLSlammer.
Impact
Sites monitoring the traffic of the Internet such as Internet Storm Center reported significant slowdowns globally, resembling the impact of the Code Red worm in the summer of 2001.
Yonhap news agency in South Korea reported that Internet services had been shut down nationwide for hours on Saturday, January 25, 2003. The impact was mitigated by the fact that it occurred over the weekend.
The same attack was reported throughout most of Asia, Europe, and North America. Anti-virus software maker Symantec estimated that at least 22,000 systems were affected worldwide. Though some reports indicated that the root nameservers had been brought down, this was not true.
Technical details
The worm continuously sends traffic to randomly generated IP addresses, attempting to send itself to hosts that are running the Microsoft SQL Server Resolution Service, causing them to spray the Internet with more copies of the worm program.
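The propagation pattern just described (one host spraying datagrams at the SQL Server Resolution Service on many randomly chosen addresses) is what network defenders looked for when triaging infected machines. The following is an added detection example, not code from the article: it runs a sliding-window fan-out heuristic over constructed flow records and flags any source that reaches many distinct hosts on UDP/1434 (the port the Resolution Service listens on) within a short window. The record format, thresholds and sample traffic are assumptions for illustration.

```python
import random
from collections import defaultdict

SSRS_PORT = 1434  # Microsoft SQL Server Resolution Service listens on UDP/1434


def _rand_ip(rng):
    return ".".join(str(rng.randint(1, 254)) for _ in range(4))


def build_sample_flows():
    """Constructed flow records (ts_seconds, src, dst, proto, dst_port); not real captures."""
    rng = random.Random(1)
    flows = []
    # Infected host: a burst of UDP/1434 datagrams to random destinations
    for i in range(40):
        flows.append((100.0 + i * 0.05, "10.0.0.5", _rand_ip(rng), "UDP", SSRS_PORT))
    # Benign client: repeated Resolution Service lookups against one known SQL Server
    for i in range(40):
        flows.append((100.0 + i * 0.5, "10.0.0.9", "10.0.1.20", "UDP", SSRS_PORT))
    # Host fanning out on TCP/1433 instead (not the worm's vector; must not match)
    for i in range(40):
        flows.append((100.0 + i * 0.05, "10.0.0.7", _rand_ip(rng), "TCP", 1433))
    return flows


def slammer_like_sources(flows, window_s=10.0, min_unique_dsts=20):
    """Flag sources that hit >= min_unique_dsts distinct hosts on UDP/1434 within window_s.

    Returns {src: peak number of distinct destinations seen inside one window}.
    """
    per_src = defaultdict(list)
    for ts, src, dst, proto, dport in flows:
        if proto == "UDP" and dport == SSRS_PORT:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        counts = defaultdict(int)  # dst -> hits inside the current window
        left = 0
        for ts, dst in events:
            counts[dst] += 1
            while events[left][0] < ts - window_s:  # expire events older than the window
                old = events[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            if len(counts) >= min_unique_dsts:
                flagged[src] = max(flagged.get(src, 0), len(counts))
    return flagged


if __name__ == "__main__":
    for src, peak in slammer_like_sources(build_sample_flows()).items():
        print(f"{src}: {peak} distinct UDP/1434 targets within one window")
```

The benign client talks to a single server and is never flagged, and the TCP/1433 fan-out is ignored because it is not the Resolution Service vector.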
Home PCs are generally not vulnerable to this worm, as they are usually not running SQL Server. The worm stays only in memory and not in disk space, so it is easy to remove. For example, Symantec provides a free removal utility (see external link below).
The worm was made possible by a software security vulnerability in SQL Server first reported by Microsoft on July 24, 2002. A patch had been available from Microsoft for six months prior to the worm's launch, but many installations had not been patched -- including some at Microsoft.
The slowdown was caused by the fact that several routers collapsed under the burden of extremely high bombardment traffic from infected servers. Normally, when this happens, the routers are supposed to slow down traffic. Instead, some routers crashed, and the notice that these routers had stopped and should be removed from the routing tables of all other routers started to propagate throughout the Internet (flooding). When the routers eventually came back to the network after being restarted, the routing tables had to be updated again in the same fashion. Soon a significant portion of Internet bandwidth was consumed by routers communicating with each other to update their routing tables, and ordinary data traffic slowed down or in some cases stopped altogether.
SQL Slammer was the first observed example of a "Warhol worm" -- a fast-propagating Internet infection of the sort first hypothesized in 2002 in a paper by Nicholas Weaver.
External links
News:
- BBC NEWS Technology Virus-like attack hits web traffic (http://news.bbc.co.uk/2/hi/technology/2693925.stm)
- MS SQL Server Worm Wreaking Havoc (http://slashdot.org/article.pl?sid=03/01/25/1245206&mode=flat&tid=109)
- Wired 11.07: Slammed! (http://www.wired.com/wired/archive/11.07/slammer.html) A layman's explanation of the Slammer code.
Announcement:
- Microsoft Security Bulletin MS02-039 and Patch (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp)
- Symantec Security Response - W32.SQLExp.Worm (http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html)
Analysis:
- report of CAIDA-coordinated study of SQL Slammer/Sapphire (http://www.caida.org/analysis/security/sapphire/)
- Warhol Worms: The Potential for Very Fast Internet Plagues (http://www.cs.berkeley.edu/~nweaver/warhol.html) by Nicholas C. Weaver
Technical details:
- Worm code disassembled (http://www.eeye.com/html/Research/Flash/sapphire.txt)
- Multiple Vulnerabilities in Microsoft SQL Server (http://www.cert.org/advisories/CA-2002-22.html) - Carnegie-Mellon Software Engineering Institute
- Internet Storm Center (http://isc.incidents.org/)