Inside the Slammer Worm

by: David Moore

 

Presented by: Pedro I. Valencia

Overview

- Basic definition.

- Differences between viruses and worms.

- Slammer worm (how it works, damage caused, solution, what the author did wrong)

- What happened at CSUN?

- The good side of the worm.

- Conclusion

- References

- Questions

 

 

What is a Worm???

- A worm is a self-replicating virus that does not alter files but resides in active memory and duplicates itself. Worms use parts of an operating system that are automatic and usually invisible to the user. It is common for worms to be noticed only when their uncontrolled replication consumes system resources, slowing or halting other tasks. (www.whatis.com)

Differences between virus and worms

- Virus

  - Needs a host file.

  - Makes its presence known by presenting text, video, and audio messages.

  - Typically takes up computer memory used by legitimate programs, causing erratic behavior leading to system crashes.

  - Many are bug-ridden; the bugs may cause system crashes and data loss.

Difference between virus and worm

- Worm:

  - A program that replicates itself from system to system without the use of a host file.

  - Some worms travel inside other files, often Word or Excel documents, as a macro.

  - Such a worm sends out a document that already has the "worm" macro inside it.

  - The entire document travels from computer to computer, so the entire document should be considered the worm.

Slammer Worm

- Also known as Sapphire and SQL Hell.

- Fastest computer worm in history (at the time):

  - Infected more than 90% of vulnerable hosts within 10 minutes.

  - Reached its full scanning rate of more than 55 million scans per second in about 3 minutes.

- Stuart Staniford, Vern Paxson, and Nicholas Weaver had predicted such high-speed worms on theoretical grounds; Slammer provided the first real-world demonstration of a high-speed worm's capabilities.

 

 

How it worked

- On January 25th, 2003, at about 05:30 (GMT), the worm was released.

- It spread by infecting copies of Microsoft SQL Server 2000 and SQL Server Desktop Engine (MSDE) 2000 on computers reachable from the Internet.

- Not through e-mail attachments, as earlier worms had done.

- It used UDP port 1434, the SQL Server Resolution Service (also called the SQL monitor port).

The Damage

How Slammer Works

- Doubling in size every 8.5 seconds, it produced massive amounts of network traffic as infected hosts scanned random IP addresses looking for other vulnerable SQL servers.

- It spread at an exponential rate, but the infection eventually slowed as the worm's own traffic saturated network links and infected hosts kept retrying addresses that were already infected or immune.

How Slammer Works (cont.)

- Slammer owes much of its speed to UDP. A single one-way UDP datagram carries the whole exploit, with none of the connection setup and acknowledgements that TCP requires, so an infected host can send infection attempts as fast as its network link allows. The SQL Server 2000 Resolution Service listens on UDP, and that is what Slammer exploited.

- The SQL Server engine is also embedded in other products (as MSDE), so many victims did not even realize they were running SQL Server.

How Slammer Works (cont.)

- It took advantage of a common software bug, a buffer overflow. A buffer overflow occurs when a program copies a string into a fixed-size buffer without checking its length. If the string is too long, the excess overwrites whatever lies beyond the buffer. When the buffer is on the stack, that includes the function's saved return address, so an attacker who controls the string can redirect execution into code of their own.

 

Step by Step

- 1. Get inside: Slammer arrives as a single UDP packet that looks like a normal request to locate a specific database instance. The first byte, 0x04, tells SQL Server that the bytes following it are the name of the instance being sought. Microsoft's specification says this name is at most 16 bytes long and ends in a telltale 0x00. In the Slammer packet the bytes run on with no 0x00 among them, so the SQL software copies the whole thing into memory.

Step by Step cont

- 2. Reprogram the machine: the over-long name overwrites the stack, including the saved return address, with data that Slammer has disguised as a routine query. When the function returns, execution jumps into the worm's code: the computer has reprogrammed itself without realizing it.

Step by Step cont

- 3. Choose victims at random: Slammer generates a random IP address, targeting another computer that could be anywhere on the Internet. For its starting value it reads the number of milliseconds that have elapsed since the system was booted and interprets that number as an IP address.

Step by Step cont

- 4. Replicate: once the packet is created and addressed, it is filled. Slammer points at its own code in memory as the data to send, so the infected computer writes out a fresh copy of the worm and sends it off as a UDP datagram.

Step by Step cont

- 5. Repeat: after sending the first packet, Slammer loops around immediately to send another to a different computer, without wasting a millisecond. Instead of calling the system clock again, it just shuffles the bits of the IP address already in memory (with the pseudo-random generator described next) to create a new one.
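To make the buffer-overflow explanation and step 1 concrete, here is an added example written for this page (it is not the worm's code and not Microsoft's SQL Server code). It models the request format as the page describes it: an opcode byte 0x04 followed by an instance name of at most 16 bytes ending in 0x00. The vulnerable pattern is a strcpy-style copy that stops only at a NUL; rather than actually smashing memory, the example measures how many bytes such a copy would write past a 16-byte buffer, then shows the hardened parser that rejects the datagram first. The 16-byte buffer size is taken from the page's stated limit (the real server's internal buffer size is not asserted), and both packets are constructed: a benign lookup for "MSSQLSERVER" and a 376-byte worm-shaped datagram filled with 0x01 bytes, not the worm's actual bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSRS_OPCODE_REQUEST 0x04
#define SSRS_NAME_MAX       16   /* assumed buffer size, from the page's stated 16-byte limit */

/*
 * The vulnerable pattern: a strcpy-style copy that stops only at a NUL and
 * never checks the length.  Instead of overwriting memory, this MEASURES how
 * many bytes such a copy would write past a SSRS_NAME_MAX-byte buffer
 * (0 if the name fits).  A datagram with no NUL makes the copy run to the end
 * of the packet; a real strcpy would keep going through adjacent memory.
 */
size_t unchecked_copy_spill(const uint8_t *pkt, size_t len)
{
    if (len < 1 || pkt[0] != SSRS_OPCODE_REQUEST)
        return 0;                          /* not a lookup request; ignored */
    size_t n = 0;
    while (1 + n < len && pkt[1 + n] != 0)
        n++;                               /* length is never checked: the bug */
    size_t written = n + 1;                /* name bytes plus terminator */
    return written > SSRS_NAME_MAX ? written - SSRS_NAME_MAX : 0;
}

/*
 * Hardened parser: the terminator must appear within the first SSRS_NAME_MAX
 * bytes of the name field, otherwise the datagram is rejected before any byte
 * is copied.  Returns 0 on success, -1 on malformed input.
 */
int parse_ssrs_request(const uint8_t *pkt, size_t len, char out[SSRS_NAME_MAX])
{
    if (len < 2 || pkt[0] != SSRS_OPCODE_REQUEST)
        return -1;
    const uint8_t *name = pkt + 1;
    size_t avail = len - 1;
    size_t limit = avail < SSRS_NAME_MAX ? avail : SSRS_NAME_MAX;
    const uint8_t *nul = memchr(name, 0, limit);
    if (nul == NULL)
        return -1;                         /* overlong or unterminated: drop it */
    memcpy(out, name, (size_t)(nul - name) + 1);
    return 0;
}

/* Constructed benign lookup: 0x04 + "MSSQLSERVER" + NUL (13 bytes). */
static const uint8_t BENIGN_PKT[] = {
    0x04, 'M','S','S','Q','L','S','E','R','V','E','R', 0x00
};

/*
 * Constructed worm-shaped datagram: 0x04 followed by 375 non-zero filler
 * bytes and no terminator, 376 bytes in total.  The 0x01 filler is a
 * stand-in, not the worm's bytes.
 */
#define WORM_LIKE_LEN 376
static const uint8_t *worm_like_packet(void)
{
    static uint8_t buf[WORM_LIKE_LEN];
    buf[0] = SSRS_OPCODE_REQUEST;
    memset(buf + 1, 0x01, WORM_LIKE_LEN - 1);
    return buf;
}

/* Result helpers so each outcome can be checked by name. */
size_t benign_spill(void)    { return unchecked_copy_spill(BENIGN_PKT, sizeof BENIGN_PKT); }
size_t worm_like_spill(void) { return unchecked_copy_spill(worm_like_packet(), WORM_LIKE_LEN); }
int benign_accepted(void)    { char n[SSRS_NAME_MAX]; return parse_ssrs_request(BENIGN_PKT, sizeof BENIGN_PKT, n) == 0; }
int worm_like_accepted(void) { char n[SSRS_NAME_MAX]; return parse_ssrs_request(worm_like_packet(), WORM_LIKE_LEN, n) == 0; }

int main(void)
{
    printf("benign:    spill=%zu bytes, hardened parser accepts=%d\n",
           benign_spill(), benign_accepted());
    printf("worm-like: spill=%zu bytes, hardened parser accepts=%d\n",
           worm_like_spill(), worm_like_accepted());
    return 0;
}
```

The benign packet fits (no spill, accepted); the worm-shaped one would write 360 bytes past a 16-byte buffer under the unchecked copy and is rejected outright by the hardened parser, because the check is on where the terminator is, not on whether one eventually turns up.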

Slammers bug

- The author tried to use a linear congruential generator:

                        x' = (x * a + b) mod m

                          x' = new pseudo-random number
                          x  = previous pseudo-random number
                          m  = range of the result
                          a and b = constants

  With well-chosen constants, linear congruential generators are very efficient and have good distributional properties.

 

 

 

 

Slammers Bug

- Slammer's author tried to implement Microsoft's generator:

        x' = (x * 214013 + 2531011) mod 2^32

- First mistake: a different value was substituted for the 2531011 increment. A negative constant was wanted so that the worm's code would contain no null bytes (2531011 = 0x00269EC3 contains one, and a null would have terminated the string copy the worm rides in on), but the conversion to a negative number was done wrongly. The result is that the effective increment is always even, so the generator can no longer reach every 32-bit value: the low bit of x never changes, and half the address space is never scanned from a given starting point.

Slammers Bug

- Second mistake: an OR was used instead of an XOR to clear an important register, which leaves the register's previous contents intact instead of zeroing it.

- eEye Digital Security spotted these errors when it compared the worm's constants against Microsoft's generator.
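The following added example (written for this page, not taken from the worm) shows why an even increment matters. It implements the 32-bit generator with Microsoft's constants from the slide above next to a variant with an even increment, checks both against the Hull-Dobell full-period conditions, and counts how many low-bit patterns each one ever produces. One assumption is made for illustration: the "error in converting to a negative number" is modelled as a one's complement (bitwise NOT) of 0x269EC3 where a two's complement (NEG) was intended; the page only says the increment came out even, and the exact constant the worm used is not taken from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MS_MULT 214013u      /* Microsoft's multiplier a */
#define MS_INC  2531011u     /* Microsoft's increment c = 0x00269EC3 (note the 0x00 byte) */

/*
 * ASSUMED reading of the sign-conversion error: NOT instead of NEG.
 * Subtracting the wrong constant equals adding 0x269EC3 + 1 = 2531012, even.
 */
#define WRONG_NEG ((uint32_t)~MS_INC)            /* 0xFFD9613C */
#define RIGHT_NEG ((uint32_t)(0u - MS_INC))      /* 0xFFD9613D */
#define BUGGY_INC ((uint32_t)(0u - WRONG_NEG))   /* effective increment 2531012 */

/* x' = (a*x + c) mod 2^32; the modulus is the uint32_t wraparound. */
uint32_t lcg_step(uint32_t x, uint32_t a, uint32_t c) { return a * x + c; }

/*
 * Hull-Dobell for a power-of-two modulus: the generator visits every 32-bit
 * value once per period iff c is odd and a = 1 (mod 4).
 * 214013 = 4*53503 + 1, so for both generators here the parity of c decides.
 */
int lcg_is_full_period(uint32_t a, uint32_t c)
{
    return (c & 1u) != 0 && (a & 3u) == 1u;
}

/*
 * Runs the generator for `steps` iterations and counts how many of the 2^k
 * patterns of the low k bits (k <= 16) are ever produced.  With an odd
 * multiplier and an even increment, parity(a*x + c) == parity(x), so the
 * lowest bit never changes and at most half the patterns can appear.  Used as
 * the low bits of an IPv4 address, half the Internet is never scanned from a
 * given seed.
 */
unsigned lcg_low_bits_coverage(uint32_t seed, uint32_t a, uint32_t c,
                               unsigned k, unsigned steps)
{
    static uint8_t seen[1u << 16];
    if (k > 16) k = 16;
    uint32_t mask = (1u << k) - 1u;
    memset(seen, 0, 1u << k);
    unsigned count = 0;
    uint32_t x = seed;
    for (unsigned i = 0; i < steps; i++) {
        x = lcg_step(x, a, c);
        if (!seen[x & mask]) { seen[x & mask] = 1; count++; }
    }
    return count;
}

int main(void)
{
    printf("NOT(c) = 0x%08X, NEG(c) = 0x%08X, effective buggy increment = %u (%s)\n",
           WRONG_NEG, RIGHT_NEG, BUGGY_INC, (BUGGY_INC & 1u) ? "odd" : "even");
    printf("Microsoft constants full period: %d\n", lcg_is_full_period(MS_MULT, MS_INC));
    printf("Buggy constants full period:     %d\n", lcg_is_full_period(MS_MULT, BUGGY_INC));
    printf("low-8-bit patterns reached in 65536 steps: correct=%u buggy=%u\n",
           lcg_low_bits_coverage(0x1234u, MS_MULT, MS_INC, 8, 65536),
           lcg_low_bits_coverage(0x1234u, MS_MULT, BUGGY_INC, 8, 65536));
    return 0;
}
```

With the correct constants the low 8 bits cycle through all 256 patterns in 256 steps; with the even increment no more than 128 of them ever appear, however long the generator runs. The OR-versus-XOR mistake is not modelled here, but it compounds the problem in the same direction: a register the author believed was zero still carries whatever it held before, so the scan's coverage also depends on state left over at infection time.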

 

How the Internet Responded

- Within about an hour, network operators began filtering UDP packets addressed to port 1434 at routers and firewalls.

- Users initially noticed slower web browsing and e-mail delivery as a result of the increased Internet traffic, but generally experienced no other damage to their systems.

Problems Caused by Slammer

- Networks across Asia, Europe and the Americas were effectively shut down.

- Bank of America customers could not withdraw money from its 13,000 ATMs.

- At Continental Airlines, agents reverted to the old-fashioned way, using phones, pen and paper to record reservations and electronic tickets, causing flight delays and some cancellations.

- Economically, the London-based market intelligence firm Mi2g said the worm caused between $950 million and $1.2 billion in lost productivity plus $750 million to $1 billion in cleanup costs, placing it at number 9 on the company's list of the most costly malicious code, behind Code Red ($2.6 billion), LoveLetter ($8.8 billion), and Klez ($9.0 billion).

What happened at CSUN?

- The worm prevented faculty and students from retrieving e-mail, accessing the web, and reaching off-campus services such as PeopleSoft.

- At Channel Islands, the photo ID systems could not be used; students had to wait until Wednesday.

CSUN cont

- Steven Fitzgerald, chief technology officer and computer science professor, said not many computers were infected, but it only takes one to cause a huge problem.

- The traffic it generated was localized.

- Attempts to scan for infected computers made matters worse: the scanning software itself added load to the Internet data pipelines and disrupted network communication, much like sending more police cars onto an already jammed freeway.

 

The Good Side

- The author did not include code that destroyed data or corrupted files; the worm's only effect was the enormous Internet traffic it generated.

- For example, Bank of America customers' money and personal information were never at risk.

The Cause of Everything

- The attack occurred in January 2003. In July 2002, Microsoft had already released a free patch (security bulletin MS02-039) for the vulnerability that Slammer exploited.

- Are network administrators to blame for not patching on time?

- Or are there too many bugs that need to be fixed before software is released?

Conclusions

- The Slammer worm was a fast, effective, and efficient attack.

- It did not attack the financial institutions or airlines themselves so much as their customers (no money from ATMs, flights that could not leave).

- Microsoft knew about the problem and released the patch in time, but who is to blame for this type of problem?

- Fortunately, Slammer only slowed the Internet down and did no other damage to the computers it infected.

 

References

David Moore et al., "Inside the Slammer Worm," IEEE Security & Privacy.

Professor Steven Fitzgerald, Computer Science Professor & Chief Technology Officer at CSUN.

William Selway, "Slammer worm fastest ever, doubling in 8.5 seconds," Bloomberg News, February 6th, 2003.
                http://www.detnews.com/2003/technology/0302/06/technology-78167.htm

Hanna Goldhaber, "Worm-like virus snakes university computers."
                http://sundial.csun.edu/sun/03s/news/02/03/worm.goldhaber.html

Daniel Sieberg, "Computer worm grounds flights, blocks ATMs," CNN, January 26, 2003.
                http://www.cnn.com/technology

Paul Boutin, "Slammed!," Wired, July 2003.
                http://www.wired.com/wired/archive/11.07/slammer_pr.html

"The SQL Slammer Worm Incident," Q1 Labs, February 7th, 2003.
                http://www.q1labs.com

Questions???