ZDNet UK / News and Analysis / Security / Security Management

SQL Slammer worm wreaks havoc on Internet

By Matt Loney, ZDNet.co.uk, 26 January, 2003 10:58

Daily Newsletters

Sign up to ZDNet UK's daily newsletter.

Topics

Microsoft, code red worm, sql worm, Slammer

NEWS
A worm that attacks Microsoft's database software spread through the Internet over the weekend, causing cash machines to stop issuing money, taking most of South Korea offline, and slowing down the Internet. The worm, known as SQL Slammer, takes advantage of a bug that was discovered last July in Microsoft's SQL Server database software. Although a patch has been available since then, many system administrators have failed to install the patch, leaving their computers vulnerable. The result: chaos. Bank of America said 13,000 of its ATMs refused to dispense cash. In South Korea, the country's largest ISP KT Corp said all almost all its customers lost their connections during the attack. Chinese computer users saw sites freeze and a dramatic slowdown in download speeds, as the worm's effects hit the Internet's nameservers -- the computers that translate Web addresses into numerical Internet Protocol addresses. And all this in just 376 bytes of code, meaning the entire SQL Slammer worm code is about half the length of this paragraph. Antivirus firm F-Secure said the effects were so marked because the worm generates massive amounts of network packets, overloading servers and routers and slowing down network traffic. "As many as five of the 13 Internet root nameservers have been downed because of the outbreak," said the company in an alert. SQL Slammer's code instructs the Microsoft SQL Server to go into an endless loop, continually sending out data to other computers, in effect performing a denial of service attack, F-Secure said, comparing the slowdown to the impact of the Code Red virus, which brought internet traffic to a halt in the summer of 2001. The worm has been rated as critical by Microsoft and by antivirus companies because of the damage it has caused, although it is not thought to damage data on infected machines. It does not spread through email and will not affect most home users' computers directly, said experts, although PCs that use the Microsoft SQL Server 2000 Desktop Engine, such as Visual Studio .Net and Office XP Developer Edition, are also vulnerable, according to Microsoft chief security strategist Scott Charney. The first reported attacks of SQLSlammer were recorded around 05:30 GMT on Saturday morning, and it has been subsequently reported in many countries across the globe, said antivirus firm Messagelabs. Unlike mass-mailing worms, SQL Slammer does not write files to a computer's hard disk, but resides in memory. While this makes it easy to remove -- a computer simply has to be rebooted -- it also makes it difficult for antivirus software to detect it, said Messagelabs. And as soon as a rebooted computer is reconnected to the Internet, it will be vulnerable to reinfection unless it has first been patched. Microsoft said it became aware several hours later at 00:30 Pacific time "of an Internet attack causing a dramatic increase in network traffic worldwide." Calling the release of the worm a criminal act, Microsoft said it was "working around the clock to ensure our affected customers are protected." But even as some Microsoft executives urged companies to download patches, others admitted that this was not as easy as it sounded. Microsoft spokesman Rick Miller was quoted in USA Today as confirming that Internet congestion was interfering with administrators trying to download the patch. "The same congestion also completely prevented consumers from contacting Microsoft over the Internet to unlock the anti-piracy features of its latest products, including the Windows XP and Office XP software packages," said the paper. System administrators who are unable to download the patch should block UDP port 1434, said experts. This will prevent external attacks from exploiting the vulnerability. UDP port 1434 is used by the SQL Server Resolution Service, which provides a way for clients to find a particular instance of SQL Server on a machine. It is this Resolution Service that contains the flaw exploited by SQL Slammer. SQL uses a keep-alive mechanism to distinguish between active and passive instances, but the flaw means that if a particular data packet is sent to the SQL Server 2000 keep-alive function, it will reply to the sender with an identical packet. Under normal circumstances this is not a problem, according to Microsoft, but by spoofing the source address of such a packet, it would be possible to cause two SQL Server 2000 systems to start an endless cycle of packet exchanges. This is how SQL Slammer operates. In its original description of the flaw, Microsoft explained the sequence of events: "Suppose there were two SQL Servers with the vulnerability, Server 1 and Server 2. Now suppose the attacker created the needed keep-alive packet and modified the source address so that it contained Server 1's address, then sent the packet to Server 2. This would initiate the exchange, because Server 2 would reply to Server 1, which would reply to Server 2, ad infinitum." However, system administrators do appear to have acted quickly -- at last. By late Saturday, the worm appeared to have passed its peak, said antivirus firms. Charney said the widespread effects of SQL Slammer could have been avoided. "The unfortunate thing about this is when you know that this was a problem and they (customers) hadn't updated," Charney said, "That's a bit frustrating." "It was a vulnerability. We knew about it, but someone is exploiting it. We want our customers to be as secure as possible and install the patches." Click here to find out more about how to protect your system from the worm. Reuters contributed to this report.
For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section. Let the editors know what you think in the Mailroom.

Related stories

Microsoft patches SQL Server 2000 database

Windows XP, Office and SQL Server open to new attacks

Microsoft warns of new server vulnerabilities

Hybrid DDoS worm strikes Microsoft SQL Server

Apple releases Flashback tool for Mac OS X 10.5

Post your comment

In order to post a comment you need to be registered and logged in.

You can also log in with Facebook. Log in or create your ZDNet UK account below

  • Login

Will not be displayed with your comment

By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Community FAQ

Get ZDNet UK's daily newsletter

Enter your email address to sign up

ZDNet UK Live

apexwm

NanWag : A Windows Server 2008 is being used because the environment that the Macs are in is a heavy Windows environment. I am proposing that...

14 minutes ago by apexwm on Windows Server 2008 drops the ball for Mac compatibility
BellamysIT

Really good article. You bring to light a few really good things. However, isn't it true that over 70% of fortune 500 companies use sharepoint?...

16 minutes ago by BellamysIT on Designing a SharePoint farm: Tiers before bedtime
annonymous2

If Piratebay is a crime then so is borrowing a dvd you purchased to a family member or a friend. Why should we not be aloud to share. Most of the...

2 hours ago by annonymous2 on UK ISPs ordered to block Pirate Bay website
NanWag

File Services For Macintosh was causing Excel to prompt for Overwriting changes or Save Another Copy because it was changing the timestamp on the...

3 hours ago by NanWag on Windows Server 2008 drops the ball for Mac compatibility
Regis Machado

creative cloud $48/month in the USA, £48/month in the UK ($79). good for the competitors

4 hours ago by Regis Machado via Facebook on Adobe move promotes piracy
Tom Espiner

Hello KosGirl, Good question. I've asked Belfius for a response. The latest post I can find on Pastebin about it is here:...

5 hours ago by Tom Espiner on Hackers hold bank to ransom over stolen data
KosGirl

Have there been any further updates to this story? I can't find any information on whether the hackers released the data or not.

6 hours ago by KosGirl on Hackers hold bank to ransom over stolen data
SandJ

I have done 7 speed tests this morning on different speed test tools. They tell me my download speed is: 12.3, 12.3, 12.3, 11.1, 12.7, 12.7, 11.7...

7 hours ago by SandJ on Watchdog: TalkTalk's broadband speed test misled users
Jack Schofield

@Mary Microsoft could always send Mozilla a spec sheet and oblige them to meet the same standards as IE. Then Mozilla can spend millions of...

10 hours ago by Jack Schofield on Windows RT browsers and the point of Windows RT
goth1csnake3

Not before time, that people making films,dvd's get whats coming to them. Well done, Virgin Media.

12 hours ago by goth1csnake3 on Virgin Media: Spotify deal will bring down piracy
Simon Bisson and Mary Branscombe

Apex - the question then is what about letting the user choose to have a tablet where they don't have to have that responsibility? why can't the...

22 hours ago by Simon Bisson and Mary Branscombe on Windows RT browsers and the point of Windows RT
Simon Bisson and Mary Branscombe

Moley, Apex, thanks; I think there's an interesting other dimension of choice - the choice to have a platform that is 'locked down' in the sense...

22 hours ago by Simon Bisson and Mary Branscombe on Mozilla accuses Microsoft of shutting Firefox out of WOA
Yellowcave

Not surprised. I once used the methods to let my firewall just notify me of breaches. Not one single logged event was genuine. Once, we all...

1 day ago by Yellowcave on Mobile porn filters catch innocent content, says report
duplex

live realy sucks in facebook becuase people hack your profile

1 day ago by duplex on Irish watchdog: Facebook privacy still falls short
Ed Macnair

If only it was that simple. When you start accessing Cloud applications you are stuck with the security model the vendor provides...........unless...

1 day ago by Ed Macnair via Facebook on IT security? You're doing it wrong!
Phil at Cloud4

Another good updaet, I have enjoyed going on the journey reading this series on SharePoint 2010 and have learned alot. Great writing.

1 day ago by Phil at Cloud4 on Designing a SharePoint farm: Tiers before bedtime
muteen

roumers of an ipad Mini, isnt that just an iTouch!?

1 day ago by muteen on Apple rebrands iPad 4G as 'Wi-Fi + Cellular' for UK
apexwm

Thanks for this article and bringing this issue to light. Unfortunately this type of activity is common not only with Adobe, but many other...

1 day ago by apexwm on Adobe move promotes piracy
Andy Bolstridge

there's a very thin line between tax avoidance and tax efficiency - earning £850 a month and claiming dividends to bring my income up to normal...

1 day ago by Andy Bolstridge via Facebook on The Idle Self-employed
Andy Bolstridge

I see that they are happy to announce these numbers.. but no-one will take any notice until they start announcing sales numbers too.

1 day ago by Andy Bolstridge via Facebook on Microsoft's score card for Smoked by Windows Phone

Latest in Security Management

Apple releases Flashback tool for Mac OS X 10.5

IPv6 security: What you need to know

SOCA raids 'e-commerce-style' card data sites

Featured white papers

8 Questions to ask about your intrusion Security Solution

HP

8 Questions to ask about your intrusion Security Solution

There is some confusion in the marketplace about intrusion security systems. Intrusion detection systems(IDS) and intrusion prevention systems (IPS) have similar... Read more

Hacktivism: Threats and reality for IT managers

ZDNet UK

Hacktivism: Threats and reality for IT managers

As high-profile breaches involving consumer data become the norm, this guide looks at where hacking is heading and what individuals can do to protect against possible attacks, from securing data to creating more secure email... Read more

Software Security delivered in the Cloud

HP

Software Security delivered in the Cloud

HP Fortify on Demand is a Security-as-a-Service (SaaS) testing solution that allows any organization to test the security of software quickly, accurately, affordably, and without any software to install or... Read more

Inside ZDNet UK

HTC One V

HTC One V

Darth Vader brought his own device...

Darth Vader brought his own device...

Dell PowerEdge T320

Dell PowerEdge T320

Gartner - Next Generation Intrusion Prevention

Gartner - Next Generation Intrusion Prevention

Top travel apps for the iPhone

Top travel apps for the iPhone

SharePoint 2010: A migration odyssey

SharePoint 2010: A migration odyssey

Ubuntu 12.04 LTS: The morning after

Ubuntu 12.04 LTS: The morning after