NEWS FROM THE LAB - Friday, January 25, 2013

10th Anniversary of the Slammer Worm Posted by Mikko @ 12:28 GMT

This is how January 25th started for us, 10 years ago:

Jan 25 05:31:54 kernel: UDP Drop: IN=ppp0 SRC= DST= TTL=117 ID=30328 PROTO=UDP SPT=2201 DPT=1434 LEN=384

The above snippet is the first log we have of what become known as the Slammer worm (or Sapphire or SQL Slammer).

Slammer produced tons of network traffic. Here's an old screenshot from average.matrix.net, showing how the global packet less skyrocketed due to the worm.


Here's our original warning sent out on the worm:

F-Secure warns the computer users about new Internet worm known as Slammer. The worm generates massive amounts of network packets, overloading internet servers. This slows down all internet functions such as sending e-mail or surfing the net.

The worm was first detected in the Internet on January 25, 2003 around 5:30 GMT. After this the worm quickly spread worldwide to generate one of the biggest attacks against internet ever. According to reports, several large web sites and mail servers became unavailable.

Slammer infects only Windows 2000 servers running Microsoft SQL Server, and is therefore not a threat to the end user machines. However, its functions are still visible to the end users by the way it blocks the network traffic.

The worm uses UDP port 1434 to exploit a buffer overflow in MS SQL server. The worm is extremely small, only 376 bytes in size. It has no other functionality than to spread further, but the spreading process is so aggressive that the worm generates extreme loads.

As the worm does not infect any files, an infected machine can be cleaned simply by rebooting the machine. However, if the machine is connected to the network without applying SP2 or SP3 patches for MS SQL Server, it will soon get reinfected.

We've never seen such a small virus do so much damage so fast. Technical description and pictures of Slammer are available at https://www.f-secure.com/v-descs/mssqlm.shtml (Note: the link still works in 2013).

It's remarkable how small Slammer was. The whole worm fit into a single UDP packet. Basically, the worm would fit in 5 tweets. Here's the whole code:


Slammer was followed by Blaster and Sasser later in the year. They all produced some remarkable real-world problems:


Slammer kept us busy for several days. My old email archive had this overtime report for the first day:


So it was me, Katrin Tocheva, Gergely Erdelyi and Ero Carrera decoding Slammer on a Saturday in 2003. I hope the weather was bad… but I don't remember any more.