Computer worms are one of the biggest menaces to computer and Internet users today. They make copies of themselves and spread from one computer to the next, often doing nothing more harmful than consuming bandwidth but sometimes carrying “payloads” that delete or encrypt files on hard drives or cause other destructive and malicious damage. This article focuses on one particular worm, known as “Slammer.”
SQL Slammer in 2003
Just ten years ago, the Slammer worm caused a denial of Internet service wherever it went, and it spread across multiple networks, infecting more than 75,000 computers within a space of just ten minutes! It did this by generating IP addresses at random and sending itself off to those machines; however, a computer would not be infected unless it was unfortunate enough to be running an unpatched copy of Microsoft SQL Server, in which case more copies of the worm were born and spread to other places on the Web. Likewise, home computers, unless they had the MSDE program installed on them, were unlikely to be infected. A number of routers crashed under conditions in which they would normally either stop Internet traffic temporarily or else just be delayed.
And ten years later…
When Slammer first struck, the Web news site Naked Security called it “the fastest spreading worm yet.” And it still holds that record today. One of the chief reasons for this was its length of no more than 400 bytes, which let it fit into a single UDP (User Datagram Protocol) packet, with very little that might interfere with its delivery.
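The propagation pattern described above (one small UDP datagram sent to each of many randomly chosen addresses) leaves a recognizable trace in flow logs. The following is an added example, not part of the original article: a sliding-window detector that flags any source whose small UDP datagrams reach many distinct destinations within a short interval. The record layout, thresholds, and sample addresses are constructed assumptions; UDP port 1434 (the SQL Server Resolution Service port that Slammer targeted) is not stated in the article.

```python
from collections import defaultdict, deque

def build_sample():
    """Constructed flow records: (seconds, src, dst, proto, dst_port, payload_bytes)."""
    flows = []
    for i in range(40):   # scanning host: 40 distinct targets in under a second
        flows.append((i * 0.02, "10.0.0.5", f"203.0.113.{i}", "udp", 1434, 376))
    for i in range(60):   # DNS client: many small datagrams, one destination
        flows.append((i * 0.01, "10.0.0.9", "10.0.0.53", "udp", 53, 60))
    for i in range(30):   # media sender: many destinations, but large datagrams
        flows.append((i * 0.03, "10.0.0.8", f"198.51.100.{i}", "udp", 5004, 1200))
    # ordinary SQL client: port 1434, but only two servers
    flows += [(0.1, "10.0.0.7", "10.0.1.10", "udp", 1434, 30),
              (0.5, "10.0.0.7", "10.0.1.11", "udp", 1434, 30)]
    return flows

SAMPLE_FLOWS = build_sample()

def find_scanners(flows, window=1.0, min_dsts=20, max_len=400):
    """Return {(src, dst_port): peak distinct destinations} for sources whose
    small UDP datagrams reach at least min_dsts addresses within `window` seconds."""
    recent = defaultdict(deque)          # (src, dst_port) -> deque of (ts, dst)
    peaks = {}
    for ts, src, dst, proto, dport, length in sorted(flows):
        if proto != "udp" or length > max_len:
            continue                     # only small single-datagram traffic
        key = (src, dport)
        q = recent[key]
        q.append((ts, dst))
        while ts - q[0][0] > window:     # drop records older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= min_dsts:
            peaks[key] = max(peaks.get(key, 0), distinct)
    return peaks

if __name__ == "__main__":
    for (src, port), peak in find_scanners(SAMPLE_FLOWS).items():
        print(f"{src} -> udp/{port}: {peak} distinct destinations within 1 s")
```

The size filter keeps high-fan-out but large-datagram traffic out of the result, and the distinct-destination count keeps chatty clients of a single server out.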
Consequences of the Slammer
One important development that took place in the wake of the Slammer attack was that Microsoft took a whole new approach to the problem of security. Those who worked for Microsoft searched through the code of SQL Server and Yukon (which was then in the process of being developed) to find any flaws that it might contain. They also began to use patching more often: before the Slammer attack, only ten percent of all SQL servers had been patched, but after it happened, more than ninety percent were patched. The attack also led researchers to radically alter the way in which they handled exploit code and advisories. A similar effect has occurred in the technologies that measure buffer length and the triggers on them.
Is it coming back?
Now that we have examined the Slammer worm attack and its aftermath in detail, the question that remains to be answered is: Could it be, or is it, striking again? The answer depends in large part on your perspective. It could be that computer users have become more resilient on hearing the news about the worm, and thus much better at responding to emergencies than they were before. On the other hand, maybe it is the attackers who have become more savvy, and thus better at not drawing attention to themselves. Then again, the worm itself was quite self-limiting, burning out quickly as a direct result of its rapid spread. The upside of malicious attacks is that new ways are created to match them.
This article was written by Jake Simmons. He is a blogger for CLEARinternetdeals.net. He enjoys writing articles about internet security and related topics.