Fact Tuff

Slammer Worm – Worst Virus over a decade

Slammer Worm – The Worst Virus in the history

On Saturday 25th January a brand new pc worm attacked the world disrupting many thousands of systems and decelerating net traffic to a crawl. The most recent virus known as the Slammer or Sapphire worm transmitted thousands of packets (large bundled amounts of information) from infected systems, taking advantage of a best-known software package flaw in Microsoft SQL Server.

On Monday, Jan 27th, Bank of America declared that several customers were unable to withdraw cash from its 3000 ATM machines as a result of technical issues caused by the Slammer worm. Service was totally rebuilt inside for 48 hours. The nation’s largest residential mortgage firm, a nationwide monetary firm., declared that customers were unable to create payments or check loan data through Tuesday morning.

Slammer worm- The most destructive worm of decade
Slammer Worm Image credits: Pixabay

How the Slammer Worm comes

The worm wanted out vulnerable computers victimization Microsoft’s SQL Server 2000 software package. Just like the earlier Code earthworm, that unfolds in the Gregorian calendar month 2001, the Slammer may be a memory-resident worm and doesn’t write to disk storage. Also, just like Code Red, computers are often shielded from the worm by putting in a patch provided by Microsoft. Microsoft detected the flaw in Gregorian calendar month 2002 and shortly afterward began giving a free patch to guard systems running SQL Server.

In an associate degree ironic twist, the New York Times reportable that Microsoft admitted that a number of the company’s machines had gone unpatched which its MSN net service additionally had important slowdowns because of the Slammer worm.

FBI and security consultants believe the worm originated in China, as several Asian countries were the earliest to report issues and knowledgeable the foremost severe outages. The offensive software package scanned for victim computers therefore haphazardly and sharply that it quickly destroyed several of the Internet’s largest information pipelines, deceleration email, and internet water sport around the globe.

As of 13th January, security consultants report that the congestion from the web attack had virtually fully cleared. Currently the duty of investigation its supply is fully swung. However, the attack unfolds therefore quickly and used such few packets that it should be not possible for researchers to isolate the particular purpose of origin.

Slammer worm
Image Credits: Pixabay

Even though the Slammer wasn’t designed to infect information, or injury system software package, or applications resident on desktops and servers, it did represent a severe denial of service attack that price scores of bucks to corporations heavily obsessed with on-net traffic. It additionally underscored the very fact that the majority of corporations square measure still extraordinarily prone to malicious or terrorist attacks via the web. Computer political economy estimates that the damages caused by the Slammer worm worldwide can exceed $750 million.

Story of January 2003

Of course, the story of Slammer started abundant ahead of that. On my behalf, it began on the twenty-second of might 2002. Myself, my brother Mark ANd fellow co-founders of NGSSoftware Chris Anley and Sherief Hammad were on a consumer engagement for a bank in Frankfurt, Germany.

The guy who’d employed the US, we’ll decision him man M., wished US to unleash bloody hell on his SQL Servers. They have fastened down extraordinarily aptly and it might need one thing unaccustomed to penetrate them in order that was my task. Having detected a tool known as SQLPing, written by Chip Andrews, I wished to understand what it did therefore I downloaded it and discharged it off against one in every one of the targets in my mini-lab.

Using Network Monitor I captured the traffic and detected that every one it did was merely send one computer memory unit packet with a price of 0x02 to UDP port 1434 on the SQL Server. Well, the plain question was what happens if we tend to send one computer memory unit with a price of 0x01 – or 0x00 for that matter and every one the opposite values up to 0xFF (255)? I quickly wrote a brief C program to research this. Once compiled, I discharged it off against my SQL Server and by packet 0x08 the SQL Server had died. currently, that actually grabbed my attention.

I restarted the server and this point started debugging it. On computer memory unit 0x08 the SQL Server crashed once more and that i disassembled the code to figure out what was occurring. During this explicit case, a decision to the strtok() C perform was created trying to find a colon character within the user-equipped knowledge however, there being none, the perform came back NULL.

The fault within the code wasn’t checking the comeback worth of strtok() that, all going well, returns a pointer to the “token” exploring for. The code in SQL Server assumed a legitimate pointer was came back and also the next line of code tried to use this NULL pointer that caused the crash.

So, next, I adjusted my very little C program to send 0x083A – computer memory unit 0x08 followed by a colon. The server still crashed at this point within the atom() perform. atoi() take a string variable and convert it into a correct variety and by not providing one in my send string server crashed once more. i used to be commencing to see what was occurring here – SQL server was trying to find a hostname followed by a port variety separated by a colon. therefore I gave it precisely that – however with an excessively long hostname ANd – bang – an exploitable heap overflow occurred.

But instead of merely stopping there ANd writing an exploit I went back and re-examined the code and located a variety of different flaws. For instance, if you send 0x0A because the 1st computer memory unit to a SQL Server’s UDP port 1434 it’ll respond with 0x0A to your supply port. Thus, by spoofing the science address of 1 SQL Server ANd setting the supply port to 1434 and sacking an 0x0A to a different SQL Server they’ll begin hammer one another with 0x0As in an exceedingly storm of “pings”.

Another bug and this is often the key one as way as Slammer worries, happens once the primary computer memory unit is 0x04. something, when the 0x04 is shipped to the sprint(), performs within the method of building a written account key to open. The sprint() perform takes input and formats it as output into a destination buffer. within the case of SQL Server, this is often a hard and fast-sized buffer on the stack, and this results in a classic stack primarily based buffer overflow – one that was trivial to take advantage of.

Coding an exploit up I sent a duplicate of it to the Microsoft Security Response Center ([email protected]) with a brief write from my findings then proceeded to possess all of our client’s SQL Servers.

Microsoft was extraordinarily responsive and that they well-read ME that they had reproduced the problems and were acting on a patch. I asked them if it might be alright to discuss these flaws at the coming Black Hat Security Briefings and that they aforementioned they’d have the patch prepared in time and gave me the task. Surely Black Hat came and Microsoft shipped the patch.

Throughout the conference, I warned that if folks failed to install this patch that these flaws may be the vector for succeeding massive worm. Six months later somebody took what I aforementioned tried me right. They took quite that although.

As a part of the presentation, I demoed my proof of construct code showing however simple it had been to take advantage of the flaw. Whoever wrote Slammer used my code as a guide and, at the time, this very gave me pause for concern. Slammer took down elements of the web as a result of it unfold therefore quickly, indirectly inflicting a denial of service attack and, in sure elements of the planet, this wreaked mayhem with essential services. for instance, in Washington state, the 911 emergency services system went down.

While they reverted to smart recent paper and pen, this could’ve caused real issues for real folks and it had been a touch of a get-up entail me at the time. For me, what had been a fun, intellectual pursuit suddenly had real consequences and that i had to rigorously take into account however I’d locomote once publication details of any longer security flaws I found.

They nearly catch the one who wrote Slammer however I do have a noteworthy theory on this. One or two of years when Slammer was discharged I used to be asked by Microsoft whether or not, in my opinion, it had been written to be as tiny as potential then I took a deeper inspect the code. I all over it had not. for instance, a part of the code set the ECX register to the worth 0x9B040103 and it will therefore victimization the subsequent instructions:

Machine code                Assembly code
33 C9                               xor   ecx,ecx
81 F1 03 01 04 9B         xor   ecx,9B040103h

This could be replaced with the shorter:

B9 03 01 04 9B              mov   ecx, 0x9B040103

We can see that the strategy that Slammer uses is three bytes longer than it has to be however that’s not what’s fascinating. what’s fascinating is that half the Slammer code uses the XOR methodology to line register values whereas the remainder of the code uses the MOV methodology.

Coders typically have designs they keep on with and, within the same method that radio operators throughout the second warfare may well be recognized by their distinctive vogue, or fist, a programmer may well be recognized by their vogue and that they would tend to not switch between mistreatment XOR and MOV; and what’s fascinating regarding Slammer is that there area unit a minimum of 2 designs at play here suggesting that there’s over one author. however, that’s simply a theory.

As I write this in 2010, Slammer remains out there, nearly eight years when unharness, still doing the rounds, thus to talk. This can be at the worst Associate in Nursing annoyance as, as luck would have it, Slammer had no harmful payload however it will counsel that their area unit still unpatched SQL and MSDE installs out there.

This can be unbelievable to Pine Tree State however unpatched systems area units undoubtedly few and much between. One positive side of Slammer was the impact it had on a fix – before Slammer I’d guesstimate, from the results of penetration tests so on, that nine out of ten SQL Servers were unpatched. Instantly when Slammer this reversed effort 1oud of ten unpatched. The fix was 100% effective in preventing reinfection so, in its own ironic method, Slammer helped build the web that small bit safer.

Slammer Worm
Image credits : Pixabay

Another positive impact Slammer had was the ocean amendment it helped cause at Microsoft as way as security was involved. As I hear it, all development of Yukon (SQL Server 2005) was placed on hold and everybody on the SQL team went back to SQL Server 2000 and pored through the code searching for flaws. and so they did a similar for living Yukon code.

Doing this paid back large dividends for Microsoft. the primary major flaw to be found in SQL Server 2005 visited three years when its unharness – a heap overflow found by Brett Moore, triggered by a gap in a corrupted computer file with the RESTORE TSQL command. Thus far SQL Server 2008 has had zero problems. giant the least bit for a corporation long thought of as the scapegoat of the safety world.


As it happens, Slammer came one year and ten days when Bill Gate’s Trustworthy Computing memoranda thus it might appear that Microsoft was already on the correct path and they’d have gotten to the current state of affairs while not the wee nudge from Slammer.

David Litchfield was the co-founder of NGSSoftware, a computer code security and consulting company within the U.K., and could be a recognized professional on info security. He recently supported v3rity, a developer of breach-investigation computer code for info compromises, and he’s the author of many books on security, together with The Oracle Hacker’s book of facts.

Share This Article

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *