Analysis of the W32.Slammer Worm
Mikhail Akhmeteli
W32.Slammer Overview
• Aliases: SQL Slammer, Sapphire, W32.SQLExp.Worm
• Released: January 25, 2003, at about 5:30 a.m. (GMT)
• Fastest worm in history
• Spread worldwide in under 10 minutes
• Doubled infections every 8.5 seconds
• 376 bytes long
Overview (continued)
• Platform: Microsoft SQL Server 2000
• Vulnerability: Buffer overflow
• Patch available for 6 months
• Propagation: Single UDP packet
• Features: Memory resident, hand-coded in assembly
Direct Damage
• Infected between 75,000 and 160,000 systems
• Disabled SQL Server databases on infected machines
• Saturated world networks with traffic
• Disrupted Internet connectivity worldwide
Effective Damage
• South Korea was taken off-line
• Disrupted financial institutions
• Airline delays and cancellations
• Affected many U.S. government and commercial websites
Specific Damage
• 13,000 Bank of America ATMs stopped working
• Continental Airlines flights were cancelled and delayed; the ticketing system was inundated with traffic; airport self-check-in kiosks stopped working
• Activated Cisco router bugs at Internet backbones
Propagation Technique
• Single UDP packet
• Targets port 1434 (Microsoft-SQL-Monitor)
• Causes buffer overflow
• Continuously sends itself via UDP packets to pseudo-random IP addresses, including broadcast and multicast addresses
• Does not check whether target machines exist
Recovery
• Disconnect from network
• Reboot the machine, or restart SQL Server
• Block port 1434 at external firewall
• Install patch
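The propagation fingerprint on the two slides above (one 404-byte UDP datagram to port 1434, sprayed at pseudo-random targets including broadcast and multicast addresses, with no check that the target exists) is what a firewall or network sensor can key on before blocking port 1434. The following is an added example, not part of the original slides: a small Python detector run over constructed flow records; the record layout, the 1-second window and the 4-target threshold are assumptions chosen for illustration.

```python
"""Flag Slammer-shaped UDP/1434 scanning in constructed flow records."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample records: (t_seconds, src, dst, proto, dport, ip_len).
# Slammer's datagram is 376 bytes of payload, 404 bytes with IP+UDP headers.
SAMPLE_FLOWS = [
    (0.00, "10.0.0.5", "10.0.1.20", "udp", 1434, 404),
    (0.01, "10.0.0.5", "203.0.113.9", "udp", 1434, 404),
    (0.02, "10.0.0.5", "198.51.100.255", "udp", 1434, 404),  # broadcast
    (0.03, "10.0.0.5", "224.0.0.1", "udp", 1434, 404),       # multicast
    (0.04, "10.0.0.5", "192.0.2.77", "udp", 1434, 404),
    (1.50, "10.0.0.8", "10.0.0.9", "udp", 1434, 120),   # small, legitimate lookup
    (2.00, "10.0.0.8", "10.0.0.9", "tcp", 1433, 1500),  # ordinary SQL traffic
]


def is_slammer_shaped(rec):
    """A single UDP datagram to the SQL Monitor port with the worm's exact size."""
    _, _, _, proto, dport, ip_len = rec
    return proto == "udp" and dport == 1434 and ip_len == 404


def analyse(flows, window=1.0, min_targets=4):
    """Count distinct destinations per source within `window` seconds.

    A host that sprays many targets, including broadcast/multicast
    destinations the worm never bothers to exclude, is reported. Returns
    {src: {"targets_in_window": n, "non_unicast": [dst, ...]}}.
    """
    per_src = defaultdict(list)
    for rec in flows:
        if is_slammer_shaped(rec):
            per_src[rec[1]].append(rec)
    alerts = {}
    for src, recs in per_src.items():
        recs.sort()
        best = 0
        for i, (t0, *_rest) in enumerate(recs):
            targets = {r[2] for r in recs[i:] if r[0] - t0 <= window}
            best = max(best, len(targets))
        # Crude non-unicast heuristic: multicast range, or a last octet of 255.
        odd = sorted({r[2] for r in recs
                      if ip_address(r[2]).is_multicast or r[2].endswith(".255")})
        if best >= min_targets:
            alerts[src] = {"targets_in_window": best, "non_unicast": odd}
    return alerts


if __name__ == "__main__":
    for src, info in analyse(SAMPLE_FLOWS).items():
        print(f"ALERT {src}: {info}")
```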
Propagation Speed
• Infected 90% of vulnerable machines within 10 minutes
• Doubled infections every 8.5 seconds
• Achieved 55 million scans per second
• Two orders of magnitude faster than Code Red
Propagation Speed [figure]
Source: http://www.caida.org/analysis/security/sapphire/
Infections 30 Minutes After Release [figure]
Source: http://www.caida.org/analysis/security/sapphire/
Propagation Analysis
• Rapid spread made timely defense impossible
• Rapid spread caused worm copies to compete
• Bandwidth limited, not latency limited (doesn't wait to establish a connection)
• Easy to stop at firewall
Possible Variations
• Could have attacked HTTP or DNS servers
• Could have gone dormant
• Could have forged source port to DNS resolution
Worm Composition
• 376 bytes long
• Less than 300 bytes of executable code
• 404-byte UDP packets, including headers
• Composed of 4 functional sections
Worm Functions
• Reconstructs session from buffer overflow
• Obtains (and verifies!) Windows API function addresses
• Initializes pseudo-random number generator and socket structures
• Continuously generates random IP addresses and sends UDP datagrams of itself
Packet Capture [flow diagram]: Buffer Overflow → Reconstruct session → Get Windows API addresses → Initialize PRNG and socket → Send Packets
References
• eEye Digital Security. http://www.eeye.com/html/Research/Flash/sapphire.txt
• Cooperative Association for Internet Data Analysis (CAIDA). http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html
• Internet Storm Center. http://isc.incidents.org/analysis.html?id=180
• The Washington Post. http://www.washingtonpost.com/wp-dyn/articles/A46928-2003Jan26.html
• C|NET News.com. http://news.com.com/2100-1001-982135.html