SQL Slammer: Difference between revisions
imported>Robert the Devil: brevity
imported>GreenC bot: Move 1 url. Wayback Medic 2.5 per WP:URLREQ#bbc.co.uk misc
Line 1: | Line 1:
{{Short description|2003 computer worm}}
{{Use dmy dates|date=September 2017}} |
{{Infobox malware
| common_name = SQL Slammer
Line 52: | Line 53:
The program exploited a [[buffer overflow]] bug in Microsoft's [[Microsoft SQL Server|SQL Server]] and [[MSDE|Desktop Engine]] database products. Although the [https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/ms02-039 MS02-039] (CVE-2002-0649)<ref>{{Cite web |title=CVE - CVE-2002-0649 |url=https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0649 |access-date=2023-09-07 |website=cve.mitre.org}}</ref> patch had been released six months earlier, many organizations had not yet applied it.
==Technical details== |
==Technical details== |
The worm was based on proof of concept code demonstrated at the [[Black Hat Briefings]] by [[David Litchfield]], who had initially discovered the buffer overflow vulnerability that the worm exploited.<ref>{{cite news|first=John |last=Leyden|url=https://www.theregister.co.uk/2003/02/06/slammer_why_security_benefits/ |title=Slammer: Why security benefits from proof of concept code |publisher=Register | date=6 February 2003 |access-date=2008-11-29}}</ref> It is a small piece of code that does little other than generate random IP addresses and send itself out to those addresses. If a selected address happens to belong to a host that is running an unpatched copy of [[Microsoft SQL Server]] Resolution Service listening on UDP port 1434, the host immediately becomes infected and begins spraying the Internet with more copies of the worm program.
Home [[Personal Computer|PC]]s are generally not vulnerable to this worm unless they have MSDE installed. The worm is so small that it does not contain code to write itself to disk, so it only stays in memory, and it is easy to remove. For example, Symantec provides a free of charge removal utility, or it can even be removed by restarting SQL Server (although the machine would likely be reinfected immediately).
The worm was made possible by a [[ | The worm was made possible by a software [[vulnerability (computer security)|security vulnerability]] in SQL Server first reported by Microsoft on 24 July 2002. A patch had been available from Microsoft for six months prior to the worm's launch, but many installations had not been patched – including many at Microsoft.<ref>{{cite magazine|url=https://www.wired.com/2003/01/microsoft-attacked-by-worm-too/ |title=Microsoft Attacked By Worm, Too|magazine=Wired}}</ref>
The worm began to be noticed early on 25 January 2003{{efn|Public disclosure began with Michael Bacarella posting a message to the [[Bugtraq]] security mailing list entitled "MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!"<ref>{{cite web|first=Michael |last=Bacarella |url=http://seclists.org/bugtraq/2003/Jan/221 |title=MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434! |publisher=Bugtraq |date=25 January 2003 |access-date=2012-11-29}}</ref> at 07:11:41 UTC on 25 January 2003. Similar reports were posted by Robert Boyle at 08:35 UTC<ref>{{cite web |first=Robert |last=Boyle |url=http://archives.neohapsis.com/archives/ntbugtraq/2003-q1/0011.html |title=Peace of Mind Through Integrity and Insight |publisher=Neohapsis Archives |date=25 January 2003 |access-date=2008-11-29 |archive-url=https://web.archive.org/web/20090219072838/http://archives.neohapsis.com/archives/ntbugtraq/2003-q1/0011.html |archive-date=19 February 2009 |df=dmy-all }}</ref> and Ben Koshy at 10:28 UTC<ref>{{cite web |first=Ben |last=Koshy |url=http://archives.neohapsis.com/archives/ntbugtraq/2003-q1/0010.html |title=Peace of Mind Through Integrity and Insight |publisher=Neohapsis Archives |date=25 January 2003 |access-date=2008-11-29 |archive-url=https://web.archive.org/web/20090219072809/http://archives.neohapsis.com/archives/ntbugtraq/2003-q1/0010.html |archive-date=19 February 2009 |df=dmy-all }}</ref> An early analysis released by Symantec is timestamped 07:45 GMT.<ref>{{cite web|url=http://securityresponse.symantec.com/avcenter/Analysis-SQLExp.pdf |archive-url=https://web.archive.org/web/20030307233701/http://securityresponse.symantec.com/avcenter/Analysis-SQLExp.pdf |url-status=dead |archive-date=7 March 2003 |publisher=DeepSight™ Threat Management System Threat Analysis |title=SQLExp SQL Server Worm Analysis |date=Jan 28, 2003}}</ref>}} as it slowed systems worldwide. 
The slowdown was caused by the collapse of numerous [[router (computing)|router]]s under the burden of extremely high bombardment traffic from infected servers. Normally, when traffic is too high for routers to handle, the routers are supposed to delay or temporarily stop network traffic. Instead, some routers ''crashed'' (became unusable), and the "neighbour" routers would notice that these routers had stopped and should not be contacted (aka "removed from the [[routing table]]"). Routers started sending notices to this effect to other routers they knew about. The flood of routing table update notices caused some additional routers to fail, compounding the problem. Eventually the crashed routers' maintainers restarted them, causing them to announce their status, leading to another wave of routing table updates. Soon a significant portion of Internet bandwidth was consumed by routers communicating with each other to update their routing tables, and ordinary data traffic slowed or in some cases stopped altogether. Because the SQL Slammer worm was so small in size, sometimes it | The worm began to be noticed early on 25 January 2003{{efn|Public disclosure began with Michael Bacarella posting a message to the [[Bugtraq]] security mailing list entitled "MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!"<ref>{{cite web|first=Michael |last=Bacarella |url=http://seclists.org/bugtraq/2003/Jan/221 |title=MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434! |publisher=Bugtraq |date=25 January 2003 |access-date=2012-11-29}}</ref> at 07:11:41 UTC on 25 January 2003. Similar reports were posted by Robert Boyle at 08:35 UTC<ref>{{cite web |first=Robert |last=Boyle |url=http://archives.neohapsis.com/archives/ntbugtraq/2003-q1/0011.html |title=Peace of Mind Through Integrity and Insight |publisher=Neohapsis Archives |date=25 January 2003 |access-date=2008-11-29 |archive-url=https://web.archive.org/web/20090219072838/http://archives.neohapsis.com/archives/ntbugtraq/2003-q1/0011.html |archive-date=19 February 2009 |df=dmy-all }}</ref> and Ben Koshy at 10:28 UTC<ref>{{cite web |first=Ben |last=Koshy |url=http://archives.neohapsis.com/archives/ntbugtraq/2003-q1/0010.html |title=Peace of Mind Through Integrity and Insight |publisher=Neohapsis Archives |date=25 January 2003 |access-date=2008-11-29 |archive-url=https://web.archive.org/web/20090219072809/http://archives.neohapsis.com/archives/ntbugtraq/2003-q1/0010.html |archive-date=19 February 2009 |df=dmy-all }}</ref> An early analysis released by Symantec is timestamped 07:45 GMT.<ref>{{cite web|url=http://securityresponse.symantec.com/avcenter/Analysis-SQLExp.pdf |archive-url=https://web.archive.org/web/20030307233701/http://securityresponse.symantec.com/avcenter/Analysis-SQLExp.pdf |url-status=dead |archive-date=7 March 2003 |publisher=DeepSight™ Threat Management System Threat Analysis |title=SQLExp SQL Server Worm Analysis |date=Jan 28, 2003}}</ref>}} as it slowed systems worldwide. The slowdown was caused by the collapse of numerous [[router (computing)|router]]s under the burden of extremely high bombardment traffic from infected servers. Normally, when traffic is too high for routers to handle, the routers are supposed to delay or temporarily stop network traffic. Instead, some routers ''crashed'' (became unusable), and the "neighbour" routers would notice that these routers had stopped and should not be contacted (aka "removed from the [[routing table]]"). Routers started sending notices to this effect to other routers they knew about. The flood of routing table update notices caused some additional routers to fail, compounding the problem. Eventually the crashed routers' maintainers restarted them, causing them to announce their status, leading to another wave of routing table updates. Soon a significant portion of Internet bandwidth was consumed by routers communicating with each other to update their routing tables, and ordinary data traffic slowed or in some cases stopped altogether. Because the SQL Slammer worm was so small in size, sometimes it got through even when legitimate traffic could not.
Two key aspects contributed to SQL Slammer's rapid propagation. The worm infected new hosts over the [[Session (computer science)|sessionless]] [[User Datagram Protocol|UDP]] protocol, and the entire worm (only 376 bytes) fits inside a single packet.<ref>{{cite web|author=Moore, David|title=The Spread of the Sapphire/Slammer Worm|work=CAIDA (Cooperative Association for Internet Data Analysis)|url=https://www.caida.org/catalog/papers/2003_sapphire/|display-authors=etal}}</ref><ref>{{cite book|author1=Serazzi, Giuseppe |author2=Zanero, Stefano|chapter=Computer Virus Propagation Models|editor1=Calzarossa, Maria Carla |editor2=Gelenbe, Erol|title=Performance Tools and Applications to Networked Systems|series=Lecture Notes in Computer Science|volume=2965|year=2004|pages=26–50|chapter-url=http://home.deib.polimi.it/zanero/papers/zanero-serazzi-virus.pdf}}</ref> | Two key aspects contributed to SQL Slammer's rapid propagation. The worm infected new hosts over the [[Session (computer science)|sessionless]] [[User Datagram Protocol|UDP]] protocol, and the entire worm (only 376 bytes) fits inside a single packet.<ref>{{cite web|author=Moore, David|title=The Spread of the Sapphire/Slammer Worm|work=CAIDA (Cooperative Association for Internet Data Analysis)|url=https://www.caida.org/catalog/papers/2003_sapphire/|display-authors=etal}}</ref><ref>{{cite book|author1=Serazzi, Giuseppe |author2=Zanero, Stefano|chapter=Computer Virus Propagation Models|editor1=Calzarossa, Maria Carla |editor2=Gelenbe, Erol|title=Performance Tools and Applications to Networked Systems|series=Lecture Notes in Computer Science|volume=2965|year=2004|pages=26–50|chapter-url=http://home.deib.polimi.it/zanero/papers/zanero-serazzi-virus.pdf}}</ref> Each infected host would simply "fire and forget" packets as rapidly as possible.
==Notes==
{{notelist}}
==References==
{{Reflist}}
==External links==
;News
*[ | *[https://news.bbc.co.uk/2/hi/technology/2693925.stm BBC NEWS Technology Virus-like attack hits web traffic]
*[http://slashdot.org/article.pl?sid=03/01/25/1245206&mode=flat&tid=109 MS SQL Server Worm Wreaking Havoc]
*[https://www.wired.com/wired/archive/11.07/slammer.html Wired 11.07: Slammed!] A layman's explanation of the Slammer code.
Line 88: | Line 87:
*{{webarchive |url=https://web.archive.org/web/20110722191923/http://www.eeye.com/html/Research/Flash/sapphire.txt |date=22 July 2011 |title=Worm code disassembled }}
*[http://www.cert.org/advisories/CA-2002-22.html Multiple Vulnerabilities in Microsoft SQL Server] - Carnegie-Mellon Software Engineering Institute
{{Hacking in the 2000s}}
[[Category:Denial-of-service attacks]] |
[[Category:Exploit-based worms]]
[[Category:Hacking in the 2000s]]
[[Category:Cybercrime in India]]
Latest revision as of 17:09, 16 September 2025
SQL Slammer is a 2003 computer worm that caused a denial of service on some Internet hosts and dramatically slowed general Internet traffic. It also crashed routers around the world, causing even more slowdowns. It spread rapidly, infecting most of its 75,000 victims within 10 minutes.
The program exploited a buffer overflow bug in Microsoft's SQL Server and Desktop Engine database products. Although the MS02-039 (CVE-2002-0649)[1] patch had been released six months earlier, many organizations had not yet applied it.
Technical details
The worm was based on proof of concept code demonstrated at the Black Hat Briefings by David Litchfield, who had initially discovered the buffer overflow vulnerability that the worm exploited.[2] It is a small piece of code that does little other than generate random IP addresses and send itself out to those addresses. If a selected address happens to belong to a host that is running an unpatched copy of Microsoft SQL Server Resolution Service listening on UDP port 1434, the host immediately becomes infected and begins spraying the Internet with more copies of the worm program.
Home PCs are generally not vulnerable to this worm unless they have MSDE installed. The worm is so small that it does not contain code to write itself to disk, so it only stays in memory, and it is easy to remove. For example, Symantec provides a free of charge removal utility, or it can even be removed by restarting SQL Server (although the machine would likely be reinfected immediately).
The worm was made possible by a software security vulnerability in SQL Server first reported by Microsoft on 24 July 2002. A patch had been available from Microsoft for six months prior to the worm's launch, but many installations had not been patched – including many at Microsoft.[3]
The worm began to be noticed early on 25 January 2003 as it slowed systems worldwide. The slowdown was caused by the collapse of numerous routers under the burden of extremely high bombardment traffic from infected servers. Normally, when traffic is too high for routers to handle, the routers are supposed to delay or temporarily stop network traffic. Instead, some routers crashed (became unusable), and the "neighbour" routers would notice that these routers had stopped and should not be contacted (aka "removed from the routing table"). Routers started sending notices to this effect to other routers they knew about. The flood of routing table update notices caused some additional routers to fail, compounding the problem. Eventually the crashed routers' maintainers restarted them, causing them to announce their status, leading to another wave of routing table updates. Soon a significant portion of Internet bandwidth was consumed by routers communicating with each other to update their routing tables, and ordinary data traffic slowed or in some cases stopped altogether. Because the SQL Slammer worm was so small in size, sometimes it got through even when legitimate traffic could not.
Two key aspects contributed to SQL Slammer's rapid propagation. The worm infected new hosts over the sessionless UDP protocol, and the entire worm (only 376 bytes) fits inside a single packet.[4][5] Each infected host would simply "fire and forget" packets as rapidly as possible.
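The two observable traits described above, a single 376-byte UDP datagram aimed at port 1434 and an infected host spraying copies at random addresses, translate directly into network detection logic. The following Python is an added example, not part of the Wikipedia article or of any source it cites; the alert threshold, the window length and the traffic records it runs over are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
import random

SSRS_PORT = 1434            # SQL Server Resolution Service listens on UDP/1434
SLAMMER_PAYLOAD_LEN = 376   # the whole worm fits in one datagram of this size
FANOUT_THRESHOLD = 50       # assumption: distinct /1434 targets per source per window
WINDOW_SECONDS = 10         # assumption: length of the analysis window


@dataclass(frozen=True)
class Datagram:
    ts: float          # capture time in seconds
    src: str
    dst: str
    dport: int
    payload_len: int   # UDP payload bytes, headers excluded


def is_slammer_sized(d: Datagram) -> bool:
    """Payload check: UDP to 1434 carrying exactly 376 bytes. Weak on its own
    (any 376-byte datagram matches), so analyse() pairs it with behaviour."""
    return d.dport == SSRS_PORT and d.payload_len == SLAMMER_PAYLOAD_LEN


def spraying_sources(datagrams, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Behavioural check: a source hitting many distinct hosts on UDP/1434 inside
    one window is spraying addresses, as an infected server does; a real client
    resolving one SQL instance talks to one host."""
    targets = defaultdict(set)              # (src, window index) -> distinct dsts
    for d in datagrams:
        if d.dport == SSRS_PORT:
            targets[(d.src, int(d.ts // window))].add(d.dst)
    return sorted({src for (src, _), dsts in targets.items() if len(dsts) >= threshold})


def analyse(datagrams):
    """Sources that satisfy both checks, plus the raw hit counts for triage."""
    sized = [d for d in datagrams if is_slammer_sized(d)]
    sprayers = set(spraying_sources(datagrams))
    confirmed = sorted({d.src for d in sized} & sprayers)
    return {"size_hits": len(sized), "spraying": sorted(sprayers), "confirmed": confirmed}


def build_sample():
    """Constructed traffic: one benign instance lookup, one unrelated 376-byte
    datagram, and one host sending worm-sized payloads to 60 random addresses."""
    rng = random.Random(2003)
    flows = [
        Datagram(0.0, "10.0.0.5", "10.0.0.20", SSRS_PORT, 1),   # benign lookup
        Datagram(0.5, "10.0.0.9", "10.0.0.21", 53, 376),        # right size, wrong port
    ]
    for i in range(60):
        dst = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        flows.append(Datagram(1.0 + i * 0.01, "192.0.2.7", dst, SSRS_PORT, 376))
    return flows
```

Because the worm never writes to disk, this kind of egress monitoring, together with blocking UDP/1434 at the perimeter as the Bugtraq report urged, is what identifies a reinfected server after a restart.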
Notes
References
External links
- News
- BBC NEWS Technology Virus-like attack hits web traffic
- MS SQL Server Worm Wreaking Havoc
- Wired 11.07: Slammed! A layman's explanation of the Slammer code.
- Announcement
- Microsoft Security Bulletin MS02-039 and Patch
- Symantec Security Response - W32.SQLExp.Worm
- Analysis
- Inside the Slammer Worm IEEE Security and Privacy Magazine, David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, and Nicholas Weaver
- Technical details
- Worm code disassembled (eeye.com, archived 22 July 2011)
- Multiple Vulnerabilities in Microsoft SQL Server - Carnegie-Mellon Software Engineering Institute