Security Protection – Harry Waldron MVP Rotating Header Image

January 27th, 2013:

SQL Slammer Worm – 10th anniversary of dangerous attack

I remember this attack and thankfully we had fortified all servers at work in advance with the key security patches. Also, there was not a dangerous payload, other than lost down time for corporations.  This attack, Blaster, and other similar worms illustrated the danger of not patching.  Corporate servers could get infected simply by being on the Internet with an open port and unpatched software.  This particular exploit caused folks to become more proactive in Patch Management, as it created a major Internet and business disruption.  I believe it is also still running today on a few unpatched servers.

http://www.f-secure.com/weblog/archives/00002491.html

QUOTE: F-Secure warns the computer users about new Internet worm known as Slammer. The worm generates massive amounts of network packets, overloading internet servers. This slows down all internet functions such as sending e-mail or surfing the net.  The worm was first detected in the Internet on January 25, 2003 around 5:30 GMT. After this the worm quickly spread worldwide to generate one of the biggest attacks against internet ever. According to reports, several large web sites and mail servers became unavailable.

Slammer infects only Windows 2000 servers running Microsoft SQL Server, and is therefore not a threat to the end user machines. However, its functions are still visible to the end users by the way it blocks the network traffic.  The worm uses UDP port 1434 to exploit a buffer overflow in MS SQL server. The worm is extremely small, only 376 bytes in size. It has no other functionality than to spread further, but the spreading process is so aggressive that the worm generates extreme loads.  As the worm does not infect any files, an infected machine can be cleaned simply by rebooting the machine. However, if the machine is connected to the network without applying SP2 or SP3 patches for MS SQL Server, it will soon get reinfected.