Slammer (2003): You shall not Pass!


Viruses, whether biological or digital, have shaped our lives, and the better known a virus is, the more damage and grief it has usually caused around the world. Digital malware, such as worms and trojans, corrupts or steals sensitive information from people's computers. Here is one of the best-known computer worms of this century:

Slammer Worm/ SQL Worm/ Sapphire Worm (2003)

In January 2003, the fast-spreading Slammer proved that an Internet worm could disrupt private and public services, a harbinger of future mayhem. Slammer works by flooding the network with packets: every infected host blasts copies of the worm at random addresses as fast as its link allows, saturating links and routers and bringing traffic on many networks to a near standstill. Through this classic denial of service, Slammer had a very real effect on key services. Among its victims: Bank of America's ATMs, a 911 emergency response system in Washington State, and, perhaps most disturbingly, the monitoring network of a nuclear plant in Ohio.

The SQL Slammer worm is a computer virus (technically, a computer worm) that caused a denial of service on some Internet hosts and dramatically slowed general Internet traffic, starting at 05:30 UTC on January 25, 2003. It spread rapidly, infecting most of its roughly 75,000 victims within 10 minutes. Although titled "SQL Slammer worm", the program did not use the SQL language; it exploited a stack buffer overflow in the SQL Server Resolution Service, which listens on UDP port 1434 in SQL Server 2000 and MSDE 2000, a bug Microsoft had patched six months earlier in bulletin MS02-039. The whole worm fit in a single 376-byte packet and lived only in memory: it wrote nothing to disk and carried no destructive payload, so a reboot removed it, but an unpatched host with port 1434 reachable was simply reinfected.

How does it work? (taken from this website)

  1. Slammer masquerades as a single UDP packet, one that would normally be a harmless request to find a specific database service. The first byte in the string, 04, tells SQL Server that the data following it is the name of the database instance being sought. Microsoft's tech specs dictate that this name be short (the source above says at most 16 bytes) and end in a telltale 00. But in the Slammer packet the bytes run on, carefully crafted so there is no 00 among them. As a result, the SQL software copies the whole thing into memory.
  2. The initial string of 01 characters spills past the 128 bytes of memory reserved for the SQL Server request and into the computer's stack next door. "Stack" is programmer-speak for an orderly list of information the computer shuffles to remind itself what to do next, like tidy paperwork on a desk. One of those notes is the return address, the place the code goes back to when it finishes handling the request. The overflow overwrites it with a value the worm chose: the address of a "jmp esp" instruction inside a DLL that SQL Server already has loaded, which bounces execution straight back into the worm's own bytes, still sitting in the packet on the stack. The computer reprograms itself without realizing it.
  3. Slammer generates a random IP address, targeting another computer that could be anywhere on the Internet. To randomize, Slammer deploys a time-honored programmer's trick: it reads the number of milliseconds elapsed on the system clock since boot, uses that to seed a simple linear congruential generator, and treats each successive 32-bit output as the next target address. Analysts later found the generator was subtly miscoded, so some parts of the address space were scanned less often than others; at Slammer's speed it hardly mattered.
  4. The envelope is addressed; now it just needs to be stuffed. Slammer points to its own code in memory as the data to send, so the infected computer writes out a fresh 376-byte copy of the worm, addressed to UDP port 1434, and licks the stamp.
  5. After sending off the first tainted packet, Slammer loops around immediately to send another to a different computer. There is no pause and, because UDP needs no handshake, no waiting for a reply: the only limit is how fast the host's network link can push packets out.
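The five steps above, modelled in C as one program. This is an added example, not code from the original post, from the worm, or from Microsoft: it builds a datagram shaped like Slammer's (0x04 header, 0x01 filler, a fake return address, filler "code", and no 0x00 byte), runs it through a toy copy of the buggy handler to show the return-address slot being overwritten, runs it through a hardened handler that refuses it, and then generates targets from a tick-count-seeded LCG and "sends" its own bytes to a recording function instead of a socket. The 376-byte size, the 128-byte buffer and the 214013/2531011 generator constants come from public analyses; the frame layout, the 16-byte name limit, the `FAKE_RET` value and every function name here are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PKT_LEN   376          /* documented size of the Slammer datagram */
#define NAME_BUF  128          /* stack buffer size from the write-up above */
#define MAX_NAME  16           /* name limit as the write-up states it (assumption) */
#define FAKE_RET  0x41424344u  /* stand-in for the "jmp esp" address the worm used (assumption) */

/* Toy stack frame: the name buffer, then the saved frame pointer and the
 * return address. Real SQL Server offsets differ; this layout is an assumption. */
struct frame {
    uint8_t name[NAME_BUF];
    uint8_t saved_bp[4];
    uint8_t ret[4];
    uint8_t beyond[256];       /* keeps the oversized copy inside the model object */
};

/* Step 1: a datagram shaped like the worm's, constructed for this example (not
 * the worm's real bytes). buf[PKT_LEN] models the byte that happened to follow
 * the packet in the server's memory, which is where the copy finally stops. */
void build_packet(uint8_t buf[PKT_LEN + 1]) {
    size_t ret_at = 1 + offsetof(struct frame, ret);
    memset(buf, 0x01, PKT_LEN);
    buf[0] = 0x04;                               /* SSRP: "find this instance" */
    buf[ret_at + 0] = (uint8_t)(FAKE_RET);      /* little-endian return address */
    buf[ret_at + 1] = (uint8_t)(FAKE_RET >> 8);
    buf[ret_at + 2] = (uint8_t)(FAKE_RET >> 16);
    buf[ret_at + 3] = (uint8_t)(FAKE_RET >> 24);
    memset(buf + ret_at + 4, 0xCC, PKT_LEN - ret_at - 4);  /* stand-in for worm code */
    buf[PKT_LEN] = 0x00;
}

/* Step 2 as the buggy service did it: copy the name until a 0x00 with no bound
 * (the real code used sprintf into the stack buffer). Returns the value the
 * frame's return-address slot holds afterwards. */
uint32_t vulnerable_handle(const uint8_t *pkt, struct frame *f) {
    const uint8_t *src = pkt + 1;
    uint8_t *dst = (uint8_t *)f;       /* same address as f->name; byte access keeps the toy well-defined */
    memset(f, 0, sizeof *f);
    while (*src) *dst++ = *src++;      /* BUG: trusts the sender to supply the terminator */
    *dst = 0;
    return (uint32_t)f->ret[0] | (uint32_t)f->ret[1] << 8 |
           (uint32_t)f->ret[2] << 16 | (uint32_t)f->ret[3] << 24;
}

/* Hardened handler: the terminator must lie inside the datagram and the name
 * must fit the limit before a single byte is copied. 0 on success, -1 on reject. */
int hardened_handle(const uint8_t *pkt, size_t len, char out[MAX_NAME + 1]) {
    size_t n = 0;
    if (len < 2 || pkt[0] != 0x04) return -1;
    while (1 + n < len && pkt[1 + n] != 0) {
        if (++n > MAX_NAME) return -1;  /* over-long name: refuse */
    }
    if (1 + n >= len) return -1;        /* ran off the end: no terminator */
    memcpy(out, pkt + 1, n);
    out[n] = '\0';
    return 0;
}

/* Step 3: targets come from a linear congruential generator seeded with the
 * millisecond tick count; each 32-bit output is the next destination address.
 * 214013/2531011 are the textbook Microsoft CRT constants; the worm's own copy
 * of this arithmetic was miscoded, which is why its scanning was not uniform. */
uint32_t lcg_next(uint32_t *state) {
    *state = *state * 214013u + 2531011u;
    return *state;
}

/* Steps 4 and 5: point at our own bytes and send, looping without pause. The
 * real worm called sendto() toward UDP port 1434; here every send is only
 * recorded, so the program never touches the network. */
struct tally { int sent; uint32_t last_ip; size_t last_len; uint8_t first_byte; };

static void record_send(uint32_t ip, const uint8_t *payload, size_t len, struct tally *t) {
    t->sent++; t->last_ip = ip; t->last_len = len; t->first_byte = payload[0];
}

void run_propagation(const uint8_t *self, uint32_t tick_seed, int rounds, struct tally *t) {
    uint32_t state = tick_seed;
    memset(t, 0, sizeof *t);
    for (int i = 0; i < rounds; i++)
        record_send(lcg_next(&state), self, PKT_LEN, t);
}

int main(void) {
    uint8_t pkt[PKT_LEN + 1];
    struct frame f;
    struct tally t;
    char name[MAX_NAME + 1];
    build_packet(pkt);
    printf("vulnerable handler: return address now 0x%08x\n", (unsigned)vulnerable_handle(pkt, &f));
    printf("hardened handler:   %s\n", hardened_handle(pkt, PKT_LEN, name) ? "rejected" : "accepted");
    run_propagation(pkt, 12345u, 5, &t);        /* 12345 stands in for GetTickCount() */
    printf("sent %d copies of %zu bytes, last target %u.%u.%u.%u\n", t.sent, t.last_len,
           (unsigned)(t.last_ip >> 24), (unsigned)(t.last_ip >> 16) & 255u,
           (unsigned)(t.last_ip >> 8) & 255u, (unsigned)t.last_ip & 255u);
    return 0;
}
```

Build with `gcc -Wall -o slammer_model slammer_model.c && ./slammer_model`. The point of the two handlers side by side is that the hardened one never depends on the sender: it checks for the terminator and the length limit against the datagram length it was given before copying, which is exactly the check the original service lacked.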

The Slammer worm made an impression, proving to the Internet security community, and to the Internet community in general, that computer worms can still cause a great deal of damage and mayhem. The sobering part is how little it took to stop it: the patch had been available for six months, and blocking UDP port 1434 at a network border kept it out entirely.
