How Slammer Works (Sidebar)
Update, March 2003
Associated article: Slammer Worm: Code Red Deja Vu

The Slammer worm exploits a previously disclosed vulnerability in Microsoft SQL Server 2000 and the Microsoft SQL Server Desktop Engine (MSDE), a redistributable version of the SQL database engine. MSDE is often installed by desktop applications from Microsoft, such as Office Professional or Developer and Visual Studio .NET, by other vendors, and by several Microsoft server-based applications, including Application Center 2000, Host Integration Server 2000, and Operations Manager 2000. Although the Slammer worm does not appear to cause permanent damage to infected systems, it did result in a huge spike in network traffic, which is why service was degraded on the Internet and other networks, even impacting services such as automated teller machines.

The Slammer worm generates random IP addresses and then attempts to propagate itself to those addresses. Because of the small size of the worm (376 bytes) and because it does not attempt to "scan" or otherwise determine if the target machine is vulnerable before attempting to propagate, Slammer generates more network traffic than the similar Code Red worm, which infected systems in the summer of 2001, and propagates much more quickly—the number of Slammer-infected systems doubled every 8.5 seconds, compared with 37 minutes for Code Red. As more vulnerable systems are discovered, the number of machines scanning the network increases at a phenomenal rate.

Microsoft had issued an individual patch to resolve the underlying buffer overflow vulnerability in June 2002, but many customers neglected to deploy this patch for a number of reasons, including the complexity of deploying the patch and the difficulty of identifying affected systems. This patch was also included as part of Service Pack 3 (SP3)—although SP3 for SQL Server was released only a few days prior to the Slammer outbreak, and SP3 for MSDE was released a few days after the appearance of the Slammer worm.

Buffer Overflow

The Slammer worm uses a buffer overflow in the SQL Resolution Service to load itself into the memory of a computer running SQL Server or MSDE 2000. It then sends copies of itself out over port 1434, the port the SQL Resolution Service normally uses to communicate with other SQL Servers, to infect further SQL Servers.

The SQL Resolution Service, which is enabled by default, allows multiple instances of SQL Server or MSDE 2000 to exist on a single computer by providing a way for clients to query for the appropriate SQL Server instance they need.

The Slammer worm resides only in memory. It does not create or delete any files on the infected system.
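The traffic pattern described above (worm-sized datagrams to port 1434 sprayed at random addresses) is what a network defender can key on. The following detection heuristic is an added example, not code from the original sidebar: it flags any source that sends UDP datagrams with a 376-byte payload to port 1434 at many distinct destinations within a short window. The flow-record format, host addresses, window length and destination threshold are constructed assumptions; only the port and payload size come from the text.

```python
from collections import defaultdict, namedtuple

# Flow record fields: timestamp (s), source, destination, protocol, dest port, L4 payload bytes.
Flow = namedtuple("Flow", "ts src dst proto dport payload_len")

# The port and payload size come from the sidebar; the window and the
# distinct-destination threshold are assumed tuning values.
SQL_RESOLUTION_PORT = 1434
SLAMMER_PAYLOAD_LEN = 376
WINDOW_SECONDS = 5.0
MIN_DISTINCT_DESTS = 20

def parse_flow(line):
    """Parse one constructed record: '<ts> <src> <dst> <proto> <dport> <payload_len>'."""
    ts, src, dst, proto, dport, plen = line.split()
    return Flow(float(ts), src, dst, proto.lower(), int(dport), int(plen))

def find_slammer_scanners(flows, window=WINDOW_SECONDS, min_dests=MIN_DISTINCT_DESTS):
    """Return {src: peak distinct destinations inside one window} for sources sending
    worm-sized UDP datagrams to 1434; tiny SQL Browser queries and TCP/1433 are ignored."""
    by_src = defaultdict(list)
    for f in flows:
        if f.proto == "udp" and f.dport == SQL_RESOLUTION_PORT and f.payload_len == SLAMMER_PAYLOAD_LEN:
            by_src[f.src].append(f)
    hits = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        in_window, left, best = defaultdict(int), 0, 0   # dst -> datagrams inside the window
        for f in fl:
            in_window[f.dst] += 1
            while f.ts - fl[left].ts > window:            # drop datagrams that fell out of the window
                old = fl[left].dst
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= min_dests:
            hits[src] = best
    return hits

# Constructed sample traffic (not a real capture): one infected host spraying 25 random-looking
# destinations in a quarter second, one legitimate SQL Browser client, one ordinary TCP/1433 session.
SAMPLE_LOG = [f"{100 + i * 0.01:.2f} 10.0.0.5 198.51.100.{i + 1} udp 1434 376" for i in range(25)]
SAMPLE_LOG += ["100.50 10.0.0.7 10.0.0.9 udp 1434 1", "100.60 10.0.0.7 10.0.0.9 udp 1434 1",
               "101.00 10.0.0.8 10.0.0.9 tcp 1433 376"]

def scan_sample_log():
    return find_slammer_scanners([parse_flow(line) for line in SAMPLE_LOG])
```

Real deployments would feed this from a flow exporter or packet capture rather than the constructed list, and tune the window and threshold to the local baseline of SQL Browser traffic.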

Prevention

The Slammer worm can be temporarily removed by rebooting an infected computer, but the rebooted computer will probably be reinfected within a short period of time.

Another temporary solution is to block the network ports used by the SQL Resolution Service and the Slammer worm (1433 and 1434, for both TCP and UDP traffic).

The permanent solution requires installing the patch (see Microsoft Security Bulletin MS02-039) or Microsoft SQL Server SP3.