Ten years ago to the day, we published an FAQ about a computer worm called Slammer.
If you were involved in IT back in 2003, whether you had anything to do with computer security or not, I’m sure you remember it.
W32/SQLSlam-A is a network worm which spreads entirely in memory. The worm infects the process space of Microsoft SQL Server 2000 by exploiting what is known as a buffer overflow. This allows W32/SQLSlam-A to begin running as part of your SQL server. Once running, the worm tries to send itself from your server to as many other internet sites as it can, until you stop it by shutting down your SQL server process. (The worm actually goes into what is known as an "infinite loop", so it will never stop spreading of its own accord.)
There are surprisingly many questions that we posed and answered back then in the FAQ which are still well worth bearing in mind today.
Why could outsiders connect directly to my SQL servers from outside? (Ask yourself. Why indeed?)
Why wasn’t I told about this catastrophic vulnerability? (You were. It had been patched six months earlier by Microsoft.)
Why did my change control committee insist on waiting so long before doing nothing anyway? (There’s no answer to that.)
Why do I have to reboot my servers to clean up properly? (For the same reason you usually stop eating once you spot rat droppings in your hamburger.)
Slammer led to a lively outpouring of scholarly analyses and apocalyptic headlines, such as this one from the venerable PC World (itself now just short of 30 years old):
The first notable thing about this headline is that it wasn’t hyperbole. The second is that it’s still true, ten years on.
We haven’t seen a computer virus infection as rampantly virulent and ubiquitous since.
There was Blaster, of course, which appeared later in 2003, and Sasser in 2004.
Both of these were also true network-crawling worms that could leap from PC to PC without any user intervention: no need to click on a link, for example, or to glance at an email, or even to be working at your PC in the first place.
Those viruses caused massive trouble for longer than Slammer. But Slammer, like Roy Batty in the film Blade Runner, was the light that burned twice as bright for half as long.
Slammer was twice as bright for various reasons, notably:
The entire virus was under 400 bytes long. It fitted into a single UDP packet that fitted into a single transmission unit of just about any network technology.
There wasn’t much to go wrong in delivery. No packet fragmentation, no TCP handshake, no connection setup overhead, no download of a second-stage component, no file to write to disk, no sandbox to escape, no need to inject into a second process.
Many victim computers were corporate SQL servers, so the worm quickly acquired a lot of CPU power and network connectivity to help it acquire a lot more CPU and network energy.
(In network worms, as in social media, nothing breeds success quite like success.)
The virus thrived on SQL servers but also worked on MSDE (now SQL Express), Microsoft’s SQL Desktop Engine, which was part of many end-user products.
Back in 2003, lots of users wouldn’t have patched their PCs against this SQL vulnerability even if they’d seen the alert from Microsoft. MS02-039 was headlined:
Buffer Overruns in SQL Server 2000 Resolution Service Could Enable Code Execution
It simply doesn’t sound like something that would affect a home PC, or that needed careful attention from home users, but millions of privately-owned computers (which were still commonly unfirewalled or unNATted back then) contributed to the epidemic.
Fortunately, Slammer burned half as long almost as a side-effect of its double-brightness:
The rapid spread produced so much network traffic, and bogged so many SQL servers down, that it was self-limiting. Badly-affected systems simply couldn’t be ignored.
Applying the patch required a reboot, which instantly purged the virus from your system at the same time as preventing it returning. The community built up collective immunity pretty quickly.
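The traffic pattern behind these points (one small UDP datagram per target, sent to as many addresses as the link allows) is easy to flag in flow data. The sketch below is an added example, not part of the original article: a fan-out detector run over constructed flow records. The function names, thresholds and addresses are assumptions; 1434/udp is the SQL Server Resolution Service port, which the article does not state.

```python
from collections import defaultdict

def find_udp_fanout(flows, window_s=1.0, min_destinations=100, max_payload=512):
    """Flag sources that send small UDP datagrams to many distinct hosts
    on one port within a single time window.

    flows: iterable of (ts_seconds, src, dst, proto, dst_port, payload_bytes).
    Returns {(src, dst_port): peak distinct destinations in any window}.
    Thresholds are illustrative assumptions, not measured values.
    """
    buckets = defaultdict(set)
    for ts, src, dst, proto, dport, size in flows:
        if proto != "udp" or size > max_payload:
            continue  # a single-datagram worm stays small; skip larger payloads
        buckets[(src, dport, int(ts // window_s))].add(dst)

    peaks = defaultdict(int)
    for (src, dport, _window), dsts in buckets.items():
        peaks[(src, dport)] = max(peaks[(src, dport)], len(dsts))
    return {key: n for key, n in peaks.items() if n >= min_destinations}


def sample_flows():
    """Constructed flow records (not captured traffic)."""
    flows = []
    # Host behaving like the worm's send loop: 300 same-sized datagrams to
    # 300 different addresses inside one second, all to 1434/udp.
    # 376 bytes is a constructed size under the 400-byte figure in the article.
    for i in range(300):
        dst = f"10.1.{i // 200}.{i % 200 + 1}"
        flows.append((100.0 + i / 300, "192.0.2.10", dst, "udp", 1434, 376))
    # High volume but a single peer (e.g. a media stream): fan-out of 1.
    for i in range(500):
        flows.append((100.0 + i / 500, "192.0.2.20", "10.2.0.1", "udp", 5004, 400))
    # Ordinary client: a handful of DNS lookups to one resolver.
    for i in range(5):
        flows.append((100.0 + i, "192.0.2.30", "10.3.0.53", "udp", 53, 60))
    # Modest fan-out (20 peers in one second), below the default threshold.
    for i in range(20):
        flows.append((100.5, "192.0.2.40", f"10.4.0.{i + 1}", "udp", 6881, 120))
    return flows


if __name__ == "__main__":
    for (src, port), n in find_udp_fanout(sample_flows()).items():
        print(f"{src} -> {port}/udp: {n} distinct destinations in one window")
```

Counting distinct destinations rather than packets or bytes is what separates the scanning host from the equally busy single-peer stream in the sample data.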
The burning question, ten years on, is, “Could it happen again?”
What do you think?
Are we more resilient on the whole? Are we better at emergency response?
Or are we shielded from a recurrence of Slammer simply because today’s attackers are more savvy, and don’t like drawing attention to themselves quite so dramatically?
7 comments on “Memories of the Slammer worm – ten years later”
It appears that Slammer didn't seem to call any attention to itself by showing you links in an e-mail, or requiring you to download an attachment. It just quietly sniffed out and exploited a vulnerability in your system. In that case, I believe we are still vulnerable to infections similar to Slammer.
Quote: "The rapid spread produced so much network traffic, and bogged so many SQL servers down, that it was self-limiting. Badly-affected systems simply couldn't be ignored."
Today's antivirus software (not just Sophos; I'm most familiar with a competitor) bogs a system down so much and is so chatty that users wouldn't be able to detect a rogue process like Slammer was even running.
Perhaps a bit of an OTT claim, don't you think?
I'm pretty sure you'll find that the amount of traffic generated by Slammer from an infected server was orders of magnitude higher than the "chattiness" you claim for today's anti-virus.
In a document written at the time of Slammer, for example, researchers at Indiana Uni described how they were able to saturate a 100Mbit/sec connection with a single infected SQL server:
CAIDA's paper from the same period noted a similar result, measuring an outgoing rate of 26,000 connection attempts per second from a single infected server (Slammer's UDP infection loop) with 100Mbit/sec. The limiting factor was the network, not the CPU:
I'd be interested to see your data showing a computer protected by Sophos Anti-Virus (or one of our competitors, though I'm obviously most familiar with our product) generating 26,000 UDP requests per second, even on a modern gigabit network, which it would need to do to make Slammer's side-effects unnoticeable…
At the risk of bumping an old article…
Leave several tabs open in a browser on different web pages that have ads. You won’t believe the amount of traffic that those generate. I don’t have exact figures, but it makes me think it’s a conspiracy between the ISPs with data caps and website owners/advertisers…
The jerks who seek the perks of notoriety usually do not care about any other consequences. They do it Because They Can™. If one of them can figure out a way to do it again, s/he will do it. Betting against that would be tantamount to betting against an aspect of human nature that is not likely to change anytime soon. I take no great joy in making that observation, but I believe it's a realistic one.
As long as we have Java and Oracle's focus on doing it 'tiny piece by tiny piece after being publicly ashamed', it's granted that it could happen at any time again at least technically.
Practically I don't think that many people would want to try it nowadays as the cyber crime hunting is much more sophisticated and with such an uncontrolled spread it generates uncontrollable risk too.
It will happen again, my guess is the next event will leverage P2P networks used for crypto-currencies. In the war between implementations like bitcoin-core and bitcoin-classic, people are spinning up thousands of nodes on cloud servers in an attempt to make it look like their choice is the popular choice.
These are nodes that intentionally accept non-TLS connections from IP addresses they don’t have a reason to trust.
Sooner or later, an exploit in one of them will be discovered that allows a worm that both spreads to other vulnerable nodes and at the same time participates in a DOS attack – possibly by forging block headers it broadcasts that cause peers to request blocks that don’t exist or validate but clog the network with garbage data that is then sent in response.