Memories of the Slammer worm – ten years later

Ten years ago to the day, we published an FAQ about a computer worm called Slammer.

If you were involved in IT back in 2003, whether you had anything to do with computer security or not, I’m sure you remember it.

W32/SQLSlam-A is a network worm which spreads entirely in memory. The worm infects the process space of Microsoft SQL Server 2000 by exploiting what is known as a buffer overflow. This allows W32/SQLSlam-A to begin running as part of your SQL server. Once running, the worm tries to send itself from your server to as many other internet sites as it can, until you stop it by shutting down your SQL server process. (The worm actually goes into what is known as an "infinite loop", so it will never stop spreading of its own accord.)

There are surprisingly many questions that we posed and answered back then in the FAQ which are still well worth bearing in mind today.

Why could outsiders connect directly to my SQL servers from outside? (Ask yourself. Why indeed?)

Why wasn’t I told about this catastrophic vulnerability? (You were. It had been patched six months earlier by Microsoft.)

Why did my change control committee insist on waiting so long before doing nothing anyway? (There’s no answer to that.)

Why do I have to reboot my servers to clean up properly? (For the same reason you usually stop eating once you spot rat droppings in your hamburger.)

Slammer led to a lively outpouring of scholarly analyses and apocalyptic headlines, such as this one from the venerable PC World (itself now just short of 30 years old):

The first notable thing about this headline is that it wasn’t hyperbole. The second is that it’s still true, ten years on.

We haven’t seen a computer virus infection as rampantly virulent and ubiquitous since.

There was Blaster, of course, which appeared later in 2003, and Sasser in 2004.

Both of these were also true network-crawling worms that could leap from PC to PC without any user intervention: no need to click on a link, for example, or to glance at an email, or even to be working at your PC in the first place.

Those viruses caused massive trouble for longer than Slammer. But Slammer, like Roy Batty in the film Blade Runner, was the light that burned twice as bright for half as long.

Slammer was twice as bright for various reasons, notably:

The entire virus was under 400 bytes long. It fitted into a single UDP packet that fitted into a single transmission unit of just about any network technology.

There wasn’t much to go wrong in delivery. No packet fragmentation, no TCP handshake, no connection setup overhead, no download of a second-stage component, no file to write to disk, no sandbox to escape, no need to inject into a second process.

Many victim computers were corporate SQL servers, so the worm quickly acquired a lot of CPU power and network connectivity to help it acquire a lot more CPU and network energy.

(In network worms, as in social media, nothing breeds success quite like success.)

The virus thrived on SQL servers but also worked on MSDE (now SQL Express), Microsoft’s SQL Desktop Engine, that was part of many end-user products.

Back in 2003, lots of users wouldn’t have patched their PCs against this SQL vulnerability even if they’d seen the alert from Microsoft. MS02-039 was headlined:

Buffer Overruns in SQL Server 2000 Resolution Service Could Enable Code Execution

It simply doesn’t sound like something that would affect a home PC, or needed careful attention from home users, but millions of privately-owned computers (which were still commonly unfirewalled or unNATted back then) contributed to the epidemic.

Fortunately, Slammer burned half as long almost as a side-effect of its double-brightness:

The rapid spread produced so much network traffic, and bogged so many SQL servers down, that it was self-limiting. Badly-affected systems simply couldn’t be ignored.

Applying the patch required a reboot, which instantly purged the virus from your system at the same time as preventing it returning. The community built up collective immunity pretty quickly.

The burning question, ten years on, is, “Could it happen again?”

What do you think?

Are we more resilient on the whole? Are we better at emergency response?

Or are we shielded from a recurrence of Slammer simply because today’s attackers are more savvy, and don’t like drawing attention to themselves quite so dramatically?