Science Fair Project Encyclopedia
SQL slammer worm
The SQL slammer worm is a computer virus (technically, a computer worm) that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic, starting at 05:30 UTC on January 25, 2003. It spread rapidly, infecting most of its 75,000 victims within 10 minutes. Although titled "SQL slammer worm", the program did not use the SQL language; it exploited two buffer overflow bugs in Microsoft's flagship SQL Server database product. Other names include W32.SQLExp.Worm, DDOS.SQLP1434.A, the Sapphire Worm, SQL_HEL, and W32/SQLSlammer.
Yonhap news agency in South Korea reported that Internet services had been shut down nationwide for hours on Saturday, January 25, 2003. The impact was mitigated by the fact that it occurred over the weekend.
The same attack was reported throughout most of Asia, Europe, and North America. Anti-virus software maker Symantec estimated that at least 22,000 systems were affected worldwide. Though some reports indicated that the root nameservers had been brought down, this was not true.
The worm continuously sends traffic to randomly generated IP addresses, attempting to send itself to hosts that are running the Microsoft SQL Server Resolution Service, causing them to spray the Internet with more copies of the worm program.
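In flow logs, this propagation pattern appears as a single source sending UDP datagrams to the SQL Server Resolution Service port (1434) on many different destinations within seconds. The detector below is an added example, not part of the original article. The flow-record format, the window length, the fan-out threshold and the sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict

SSRS_PORT = 1434  # UDP port of the SQL Server Resolution Service


def find_scanners(lines, window=10, threshold=20):
    """Return {source: peak distinct UDP/1434 destinations seen in one window}.
    Assumed record: 'epoch src dst proto dport bytes'; window/threshold assumed."""
    per_src = defaultdict(list)
    for line in lines:
        fields = line.split()
        if len(fields) != 6 or fields[0].startswith("#"):
            continue                      # skip blanks, comments, malformed rows
        ts, src, dst, proto, dport, _size = fields
        if proto.lower() == "udp" and dport == str(SSRS_PORT):
            per_src[src].append((float(ts), dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        in_window = defaultdict(int)      # destination -> packets inside the window
        start = peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            while events[start][0] < ts - window:   # slide the left edge forward
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def sample_flows():
    """Constructed flow records, not captured traffic."""
    flows = ["# epoch src dst proto dport bytes"]
    for i in range(40):   # 10.0.0.5 sprays 40 different addresses in two seconds
        flows.append(f"{1000 + i * 0.05:.2f} 10.0.0.5 198.51.100.{i + 1} udp 1434 404")
    for i in range(40):   # 10.0.0.9 queries one database server repeatedly
        flows.append(f"{1000 + i * 0.05:.2f} 10.0.0.9 10.0.1.20 udp 1434 60")
    for i in range(30):   # 10.0.0.8 reaches 30 hosts, but one per minute
        flows.append(f"{1000 + i * 60:.2f} 10.0.0.8 192.0.2.{i + 1} udp 1434 60")
    return flows


if __name__ == "__main__":
    print(find_scanners(sample_flows()))
```

Only the high fan-out source is flagged. The client that talks to a single database server and the slow one-per-minute source stay below the threshold, so the window length determines how slow a scanner can go and still be caught.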
Home PCs are generally not vulnerable to this worm, as they are usually not running SQL Server. The worm stays only in memory and not in disk space, so it is easy to remove. For example, Symantec provides a free removal utility (see external link below).
The worm was made possible by a software security vulnerability in SQL Server first reported by Microsoft on July 24, 2002. A patch had been available from Microsoft for six months before the outbreak, but many installations had not been patched, including some at Microsoft.
The slowdown was caused by several routers collapsing under the extremely high volume of traffic from infected servers. Normally, when this happens, the routers are supposed to slow down traffic. Instead, some routers crashed, and the notice that these routers had stopped and should be removed from the routing tables of all other routers started to propagate throughout the Internet (flooding). When the routers eventually came back to the network after being restarted, the routing tables had to be updated again in the same fashion. Soon a significant portion of Internet bandwidth was consumed by routers communicating with each other to update their routing tables, and ordinary data traffic slowed down or in some cases stopped altogether.
SQL Slammer was the first observed example of a "Warhol worm" -- a fast-propagating Internet infection of the sort first hypothesized in 2002 in a paper by Nicholas Weaver.
External links
- BBC News, Technology: Virus-like attack hits web traffic
- MS SQL Server Worm Wreaking Havoc
- Microsoft Fails Slammer's Security Test
- report of CAIDA-coordinated study of SQL Slammer/Sapphire
- Warhol Worms: The Potential for Very Fast Internet Plagues by Nicholas C. Weaver
- Worm code disassembled
- Multiple Vulnerabilities in Microsoft SQL Server - Carnegie Mellon Software Engineering Institute
- Internet Storm Center
The contents of this article are licensed from www.wikipedia.org under the GNU Free Documentation License.