Updated: July 13, 2020 (February 10, 2003)
Sidebar: How Slammer Works
The Slammer worm exploits a previously disclosed vulnerability in Microsoft SQL Server 2000 and the Microsoft SQL Server Desktop Engine (MSDE), a redistributable version of the SQL database engine. MSDE is often installed by desktop applications from Microsoft (such as Office Professional or Developer and Visual Studio .NET), by other vendors, and by several Microsoft server-based applications, including Application Center 2000, Host Integration Server 2000, and Operations Manager 2000. Although the Slammer worm does not appear to cause permanent damage to infected systems, it did result in a huge spike in network traffic, which is why service was degraded on the Internet and other networks, even affecting services such as automated teller machines.
The Slammer worm generates random IP addresses and then attempts to propagate itself to those addresses. Because the worm is small (376 bytes) and does not attempt to “scan” or otherwise determine whether the target machine is vulnerable before attempting to propagate, Slammer generates more network traffic than the similar Code Red worm, which infected systems in the summer of 2001, and propagates much more quickly: the number of Slammer-infected systems doubled every 8.5 seconds, compared with 37 minutes for Code Red. As more vulnerable systems are discovered, the number of machines scanning the network increases at a phenomenal rate.
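To show what those doubling times mean for a defender's response window, the following added example (not part of the original sidebar) fits a simple logistic epidemic model to the 8.5-second and 37-minute figures. The vulnerable-population size and the single initial infection are assumptions chosen for illustration, not figures from the sidebar.

```python
import math

# Doubling times stated in the sidebar.
SLAMMER_DOUBLING_S = 8.5
CODE_RED_DOUBLING_S = 37 * 60

# Assumptions for illustration only (not from the sidebar).
ASSUMED_VULNERABLE_HOSTS = 100_000
INITIAL_INFECTED = 1


def growth_rate(doubling_s):
    """Early-phase rate r such that I0 * exp(r * t) doubles every doubling_s seconds."""
    return math.log(2) / doubling_s


def infected_at(t_s, doubling_s, n=ASSUMED_VULNERABLE_HOSTS, i0=INITIAL_INFECTED):
    """Logistic model: growth is exponential at first, then saturates at n
    because random probes increasingly land on hosts that are already infected."""
    r = growth_rate(doubling_s)
    return n / (1 + (n / i0 - 1) * math.exp(-r * t_s))


def time_to_fraction(fraction, doubling_s, n=ASSUMED_VULNERABLE_HOSTS, i0=INITIAL_INFECTED):
    """Seconds until `fraction` of the vulnerable population is infected."""
    if not 0 < fraction < 1 or fraction * n <= i0:
        raise ValueError("fraction must be in (0, 1) and above the initial infected share")
    r = growth_rate(doubling_s)
    return math.log(fraction * (n - i0) / (i0 * (1 - fraction))) / r


if __name__ == "__main__":
    for name, td in (("Slammer", SLAMMER_DOUBLING_S), ("Code Red", CODE_RED_DOUBLING_S)):
        t90 = time_to_fraction(0.9, td)
        print(f"{name}: 90% of {ASSUMED_VULNERABLE_HOSTS} assumed hosts after "
              f"{t90:,.0f} s ({t90 / 60:,.1f} min)")
```

Under these assumptions the model reaches 90% saturation in under three minutes at Slammer's doubling time, versus roughly half a day at Code Red's, which is why manual response could not keep pace with Slammer.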