Analysis of the W32.Slammer Worm - PowerPoint PPT Presentation

Provided by: mikhaila1

Transcript and Presenter's Notes

1
Analysis of the W32.Slammer Worm
  • Mikhail Akhmeteli

2
W32.Slammer Overview
  • Aliases: SQL Slammer, Sapphire, W32.SQLExp.Worm
  • Released January 25, 2003, at about 5:30 a.m. (GMT)
  • Fastest worm in history
  • Spread world-wide in under 10 minutes
  • Doubled infections every 8.5 seconds
  • 376 bytes long

3
Overview (continued)
  • Platform: Microsoft SQL Server 2000
  • Vulnerability: Buffer overflow
  • Patch: Available for 6 months
  • Propagation: Single UDP packet
  • Features: Memory resident, hand-coded in assembly

4
Direct Damage
  • Infected between 75,000 and 160,000 systems
  • Disabled SQL Server databases on infected
    machines
  • Saturated world networks with traffic
  • Disrupted Internet connectivity world-wide

5
Effective Damage
  • South Korea was taken off-line
  • Disrupted financial institutions
  • Airline delays and cancellations
  • Affected many U.S. government and commercial
    websites

6
Specific Damage
  • 13,000 Bank of America ATMs stopped working
  • Continental Airlines flights were cancelled and delayed; ticketing system was inundated with traffic. Airport self-check-in kiosks stopped working
  • Activated Cisco router bugs at Internet backbones

7
Propagation Technique
  • Single UDP packet
  • Targets port 1434 (Microsoft-SQL-Monitor)
  • Causes buffer overflow
  • Continuously sends itself via UDP packets to pseudo-random IP addresses, including broadcast and multicast addresses
  • Does not check whether target machines exist
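
The traffic pattern on this slide is what a defender would look for in flow summaries: UDP datagrams to port 1434 carrying a 376-byte body (404 bytes on the wire), fanned out to many pseudo-random destinations including broadcast and multicast addresses. The following Python detector is an added example, not part of the original presentation; the flow-summary line format and the sample lines are constructed for the example, and the indicator values come from the slides.

```python
import ipaddress
import re
from collections import defaultdict

# Indicators taken from the slides: one UDP datagram to port 1434 carrying a
# 376-byte worm body (404 bytes on the wire with IP/UDP headers), fired at
# pseudo-random destinations, broadcast and multicast addresses included.
SLAMMER_DST_PORT = 1434
SLAMMER_PAYLOAD_LEN = 376

# Constructed sample flow-summary lines (not a real capture). The line format is
# an assumption of this example:
#   "<timestamp> UDP <src>:<sport> > <dst>:<dport> len=<UDP payload bytes>"
SAMPLE_LINES = """\
1043472600.001 UDP 10.0.5.17:1155 > 203.0.113.9:1434 len=376
1043472600.002 UDP 10.0.5.17:1155 > 198.51.100.44:1434 len=376
1043472600.003 UDP 10.0.5.17:1155 > 224.0.0.1:1434 len=376
1043472600.004 UDP 10.0.5.17:1155 > 255.255.255.255:1434 len=376
1043472600.120 UDP 10.0.5.23:53412 > 10.0.5.1:53 len=41
1043472600.300 UDP 10.0.5.40:4105 > 10.0.5.9:1434 len=24
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+UDP\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+len=(?P<length>\d+)\s*$"
)


def parse_line(line):
    """Parse one flow-summary line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "length"):
        rec[key] = int(rec[key])
    return rec


def is_slammer_sized(rec):
    """A UDP datagram to 1434 with exactly 376 payload bytes matches the worm's size."""
    return rec["dport"] == SLAMMER_DST_PORT and rec["length"] == SLAMMER_PAYLOAD_LEN


def is_broadcast_or_multicast(ip_text):
    """Limited broadcast or any 224.0.0.0/4 destination. Directed (subnet) broadcast
    cannot be recognised without the local netmask, so it is not attempted here."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_multicast or ip_text == "255.255.255.255"


def find_suspect_sources(lines, min_packets=3):
    """Group worm-sized 1434/udp datagrams by source and report sources that sent at
    least min_packets of them, with destination spread and broadcast/multicast use."""
    stats = defaultdict(lambda: {"packets": 0, "destinations": set(), "bcast_mcast": 0})
    for line in lines.splitlines():
        rec = parse_line(line)
        if rec is None or not is_slammer_sized(rec):
            continue
        s = stats[rec["src"]]
        s["packets"] += 1
        s["destinations"].add(rec["dst"])
        if is_broadcast_or_multicast(rec["dst"]):
            s["bcast_mcast"] += 1
    return {
        src: {
            "packets": s["packets"],
            "distinct_destinations": len(s["destinations"]),
            "broadcast_or_multicast": s["bcast_mcast"],
        }
        for src, s in stats.items()
        if s["packets"] >= min_packets
    }


if __name__ == "__main__":
    for src, summary in find_suspect_sources(SAMPLE_LINES).items():
        print(src, summary)
```

In the sample only 10.0.5.17 is reported: four worm-sized datagrams to four different destinations, two of them broadcast or multicast. The 24-byte probe from 10.0.5.40 to 1434 is ordinary SQL Server browsing traffic and is ignored, which is the point of matching on size rather than on port alone.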

8
Recovery
  • Disconnect from network
  • Reboot the machine, or restart SQL Server
  • Block port 1434 at external firewall
  • Install patch

9
Propagation Speed
  • Infected 90% of vulnerable machines within 10 minutes
  • Doubled infections every 8.5 seconds
  • Achieved 55 million scans per second
  • Two orders of magnitude faster than Code Red
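
To see what an 8.5-second doubling time and 55 million scans per second mean in practice, the following Python is an added worked model, not part of the slides. It assumes the logistic curve commonly fitted to random-scanning worms (pure doubling at first, flattening as vulnerable hosts run out) and takes 75,000, the lower end of the infection count on the Direct Damage slide, as the vulnerable population; both are assumptions of this example.

```python
import math

# Figures from the slides: infections doubled every 8.5 s, 90% of vulnerable hosts
# were hit within 10 minutes, and the worm reached 55 million scans per second.
DOUBLING_SECONDS = 8.5
SCANS_PER_SECOND = 55_000_000
IPV4_ADDRESS_SPACE = 2 ** 32


def growth_rate(doubling_seconds=DOUBLING_SECONDS):
    """Continuous growth rate k (per second) for a given doubling time: e^(k*T) = 2."""
    return math.log(2) / doubling_seconds


def infected_at(t, population, initial=1, doubling_seconds=DOUBLING_SECONDS):
    """Logistic model (an assumption of this example) of infected hosts after t seconds.

    Early on this is pure doubling; as the vulnerable population runs out the
    curve flattens, which is why a finite population cannot keep doubling.
    """
    k = growth_rate(doubling_seconds)
    c = (population - initial) / initial
    return population / (1 + c * math.exp(-k * t))


def time_to_fraction(fraction, population, initial=1, doubling_seconds=DOUBLING_SECONDS):
    """Seconds until the given fraction of the vulnerable population is infected."""
    k = growth_rate(doubling_seconds)
    c = (population - initial) / initial
    return math.log(c / (1 / fraction - 1)) / k


def mean_seconds_between_hits(scans_per_second=SCANS_PER_SECOND,
                              address_space=IPV4_ADDRESS_SPACE):
    """With uniform random scanning, the average interval between probes that land
    on any single IPv4 address (whether or not a host is there)."""
    return address_space / scans_per_second


if __name__ == "__main__":
    # 75,000 is the low end of the slides' infected-host count, used here as the
    # vulnerable population (assumption).
    n = 75_000
    print(f"after 60 s: {infected_at(60, n):.0f} hosts")
    print(f"90% infected after {time_to_fraction(0.9, n):.0f} s")
    print(f"each IPv4 address probed every {mean_seconds_between_hits():.1f} s on average")
```

With these inputs the model reaches 90% of the population in well under three minutes, comfortably inside the 10-minute figure on the slide, and at 55 million scans per second every address in the IPv4 space is probed roughly once every 78 seconds. The second number is why the "does not check whether target machines exist" property matters: the scan rate is spent on empty address space as readily as on live hosts, which is what saturates links.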

10
Propagation Speed
(Figure: propagation-speed chart, not reproduced.) Source: http://www.caida.org/analysis/security/sapphire/
11
Infections 30 Minutes After Release
(Figure: map of infections 30 minutes after release, not reproduced.) Source: http://www.caida.org/analysis/security/sapphire/
12
Propagation Analysis
  • Rapid spread made timely defense impossible
  • Rapid spread caused worm copies to compete
  • Bandwidth limited, not latency limited (doesn't wait to establish a connection)
  • Easy to stop at firewall

13
Possible Variations
  • Could have attacked HTTP or DNS servers
  • Could have gone dormant
  • Could have forged its source port to that of DNS resolution

14
Worm Composition
  • 376 bytes long
  • Less than 300 bytes of executable code
  • 404 byte UDP packets, including headers
  • Composed of 4 functional sections

15
Worm Functions
  • Reconstructs session from buffer overflow
  • Obtains (and verifies!) Windows API function addresses
  • Initializes pseudo-random number generator and socket structures
  • Continuously generates random IP addresses and sends UDP datagrams of itself

16
Packet Capture
(Figure: annotated packet capture of the worm, not reproduced. The annotations label, in order:)
  • Buffer Overflow
  • Reconstruct session
  • Get Windows API addresses
  • Initialize PRNG and socket
  • Send Packets
17
References
  • eEye Digital Security. http://www.eeye.com/html/Research/Flash/sapphire.txt
  • Cooperative Association for Internet Data Analysis (CAIDA). http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html
  • Internet Storm Center. http://isc.incidents.org/analysis.html?id=180
  • The Washington Post. http://www.washingtonpost.com/wp-dyn/articles/A46928-2003Jan26.html
  • CNET News.com. http://news.com.com/2100-1001-982135.html