Memories of the Slammer worm - ten years later

Filed Under: Featured, Malware, Vulnerability

Ten years ago to the day, we published an FAQ about a computer worm called Slammer.

If you were involved in IT back in 2003, whether you had anything to do with computer security or not, I'm sure you remember it.

W32/SQLSlam-A is a network worm which spreads entirely in memory. The worm infects the process space of Microsoft SQL Server 2000 by exploiting what is known as a buffer overflow. This allows W32/SQLSlam-A to begin running as part of your SQL server. Once running, the worm tries to send itself from your server to as many other internet sites as it can, until you stop it by shutting down your SQL server process. (The worm actually goes into what is known as an "infinite loop", so it will never stop spreading of its own accord.)

There are surprisingly many questions that we posed and answered back then in the FAQ which are still well worth bearing in mind today.

Why could outsiders connect directly to my SQL servers from outside? (Ask yourself. Why indeed?)

Why wasn't I told about this catastrophic vulnerability? (You were. It had been patched six months earlier by Microsoft.)

Why did my change control committee insist on waiting so long before doing nothing anyway? (There's no answer to that.)

Why do I have to reboot my servers to clean up properly? (For the same reason you usually stop eating once you spot rat droppings in your hamburger.)

Slammer led to a lively outpouring of scholarly analyses and apocalyptic headlines, such as this one from the venerable PC World (itself now just short of 30 years old):

The first notable thing about this headline is that it wasn't hyperbole. The second is that it's still true, ten years on.

We haven't seen a computer virus infection as rampantly virulent and ubiquitous since.

There was Blaster, of course, which appeared later in 2003, and Sasser in 2004.

Both of these were also true network-crawling worms that could leap from PC to PC without any user intervention: no need to click on a link, for example, or to glance at an email, or even to be working at your PC in the first place.

Those viruses caused massive trouble for longer than Slammer. But Slammer, like Roy Batty in the film Blade Runner, was the light that burned twice as bright for half as long.

Slammer was twice as bright for various reasons, notably:

The entire virus was under 400 bytes long. It fitted into a single UDP packet that fitted into a single transmission unit of just about any network technology.

There wasn't much to go wrong in delivery. No packet fragmentation, no TCP handshake, no connection setup overhead, no download of a second-stage component, no file to write to disk, no sandbox to escape, no need to inject into a second process.

Many victim computers were corporate SQL servers, so the worm quickly acquired a lot of CPU power and network connectivity to help it acquire a lot more CPU and network energy.

(In network worms, as in social media, nothing breeds success quite like success.)

The virus thrived on SQL servers but also worked on MSDE (now SQL Express), Microsoft's SQL Desktop Engine, that was part of many end-user products.

Back in 2003, lots of users wouldn't have patched their PCs against this SQL vulnerability even if they'd seen the alert from Microsoft. MS02-039 was headlined:

Buffer Overruns in SQL Server 2000 Resolution Service Could Enable Code Execution

It simply doesn't sound like something that would affect a home PC, or needed careful attention from home users, but millions of privately-owned computers (which were still commonly unfirewalled or unNATted back then) contributed to the epidemic.

Fortunately, Slammer burned half as long almost as a side-effect of its double-brightness:

The rapid spread produced so much network traffic, and bogged so many SQL servers down, that it was self-limiting. Badly-affected systems simply couldn't be ignored.

Applying the patch required a reboot, which instantly purged the virus from your system at the same time as preventing it returning. The community built up collective immunity pretty quickly.

The burning question, ten years on, is, "Could it happen again?"

What do you think?

Are we more resilient on the whole? Are we better at emergency response?

Or are we shielded from a recurrence of Slammer simply because today's attackers are more savvy, and don't like drawing attention to themselves quite so dramatically?

, , , , ,

You might like

5 Responses to Memories of the Slammer worm - ten years later

  1. Freida Gray · 444 days ago

    It appears that Slammer didn't seem to call any attention to itself by showing you links in an e-mail,or requiring you to download an attachment.It just quietly sniffed out and exploited a vulnerability in your system.In that case,I believe we are still vulnerable to infections similar to Slammer.

  2. Larry M · 444 days ago

    Quote: "The rapid spread produced so much network traffic, and bogged so many SQL servers down, that it was self-limiting. Badly-affected systems simply couldn't be ignored."

    Today's antivirus software (not just Sophos; I'm most familiar with a competitor) bogs a system down so much and is so chatty that users wouldn't be able to detect a rogue process like Slammer was even running.

    • Paul Ducklin · 443 days ago

      Perhaps a bit of an OTT claim, don't you think?

      I'm pretty sure you'll find that the amount of traffic generated by Slammer from an infected server was orders of magnitude higher than the "chattiness" you claim for today's anti-virus.

      In a document written at the time of Slammer, for example, researchers at Indiana Uni described how they were able to saturate a 100Mbit/sec connection with a single infected SQL server:

      http://paintsquirrel.ucs.indiana.edu/pdf/SLAMMER....

      CAIDA's paper from the same period noted a similar result, measuring a outgoing rate of 26,000 connection attempts per second from a single infected server (Slammer's UDP infection loop) with 100Mbit/sec. The limiting factor was the network, not the CPU:

      http://www.caida.org/publications/papers/2003/sap...

      I'd be interested to see your data showing a computer protected by Sophos Anti-Virus (or one of our competitors, though I'm obviously most familiar with our product) generating 26,000 UDP requests per second, even on a modern gigabit network, which it would need to do to make Slammer's side-effects unnoticeable...

  3. Nigel · 443 days ago

    The jerks who seek the perks of notoriety usually do not care about any other consequences. They do it Because They Can™. If one of them can figure out a way to do it again, s/he will do it. Betting against that would be tantamount to betting against an aspect of human nature that is not likely to change anytime soon. I take no great joy in making that observation, but I believe it's a realistic one.

  4. Marc · 443 days ago

    As long as we have Java and Oracles focus on doing it 'tiny piece by tiny piece after being publically ashamed', its granted that it could happen at any time again at least technically.

    Practically I don't think that many people would want to try it nowadays as the cyber crime hunting is much more sophisticated and with such an uncontrolled spread it generates uncontrollable risk too.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog