Slammer

Information about Slammer

Published on November 20, 2007

Author: Kiska

Source: authorstream.com

Content

Analysis of the W32.Slammer Worm
Mikhail Akhmeteli

W32.Slammer Overview
- Aliases: SQL Slammer, Sapphire, W32.SQLExp.Worm
- Released: January 25, 2003, at about 5:30 a.m. (GMT)
- Fastest worm in history
- Spread world-wide in under 10 minutes
- Doubled infections every 8.5 seconds
- 376 bytes long

Overview (continued)
- Platform: Microsoft SQL Server 2000
- Vulnerability: buffer overflow
- A patch had been available for 6 months
- Propagation: single UDP packet
- Features: memory resident, hand-coded in assembly

Direct Damage
- Infected between 75,000 and 160,000 systems
- Disabled SQL Server databases on infected machines
- Saturated world networks with traffic
- Disrupted Internet connectivity world-wide

Effective Damage
- South Korea was taken off-line
- Disrupted financial institutions
- Airline delays and cancellations
- Affected many U.S. government and commercial websites

Specific Damage
- 13,000 Bank of America ATMs stopped working
- Continental Airlines flights were cancelled and delayed; the ticketing system was inundated with traffic
- Airport self-check-in kiosks stopped working
- Activated Cisco router bugs at Internet backbones

Propagation Technique
- Single UDP packet
- Targets port 1434 (Microsoft-SQL-Monitor)
- Causes a buffer overflow
- Continuously sends itself via UDP packets to pseudo-random IP addresses, including broadcast and multicast addresses
- Does not check whether target machines exist

Recovery
- Disconnect from the network
- Reboot the machine, or restart SQL Server
- Block port 1434 at the external firewall
- Install the patch

Propagation Speed
- Infected 90% of vulnerable machines within 10 minutes
- Doubled infections every 8.5 seconds
- Achieved 55 million scans per second
- Two orders of magnitude faster than Code Red

Propagation Speed (figure; source: http://www.caida.org/analysis/security/sapphire/)

Infections 30 Minutes After Release (figure; source: http://www.caida.org/analysis/security/sapphire/)

Propagation Analysis
- Rapid spread made timely defense impossible
- Rapid spread caused worm copies to compete with each other for bandwidth
- Bandwidth limited, not latency limited (it does not wait to establish a connection)
- Easy to stop at a firewall

Possible Variations
- Could have attacked HTTP or DNS servers
- Could have gone dormant
- Could have forged the source port to resemble DNS resolution

Worm Composition
- 376 bytes long
- Less than 300 bytes of executable code
- 404-byte UDP packets, including headers
- Composed of 4 functional sections

Worm Functions
- Reconstructs the session after the buffer overflow
- Obtains (and verifies!) Windows API function addresses
- Initializes the pseudo-random number generator and socket structures
- Continuously generates random IP addresses and sends UDP datagrams of itself

Packet Capture (figure: annotated capture with the labels Buffer Overflow, Reconstruct session, Get Windows API addresses, Initialize PRNG and socket, Send Packets)

References
- eEye Digital Security. http://www.eeye.com/html/Research/Flash/sapphire.txt
- Cooperative Association for Internet Data Analysis (CAIDA). http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html
- Internet Storm Center. http://isc.incidents.org/analysis.html?id=180
- The Washington Post. http://www.washingtonpost.com/wp-dyn/articles/A46928-2003Jan26.html
- C|NET News.com. http://news.com.com/2100-1001-982135.html
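The Propagation Technique and Recovery slides above describe what a defender can see on the wire: every copy of the worm is a single 404-byte UDP datagram (376-byte payload plus UDP and IPv4 headers) to port 1434, sprayed at pseudo-random destinations including broadcast and multicast addresses, with no check that a target exists. The script below is an added example, not code from the presentation or its author, showing how that shape can be turned into detection logic over flow records. The flow records, the tuple layout, the local-subnet list and the `min_targets` threshold are all constructed assumptions; a legitimate SQL Browser query is represented by a 29-byte datagram to the same port so the size filter has something to distinguish.

```python
import ipaddress
from collections import defaultdict

SLAMMER_PORT = 1434     # SQL Server resolution service (Microsoft-SQL-Monitor)
SLAMMER_IP_LEN = 404    # 376-byte payload + 8-byte UDP header + 20-byte IPv4 header
ALL_ONES = ipaddress.IPv4Address("255.255.255.255")

# Constructed flow records (assumption: one tuple per datagram, as a flow
# sensor or firewall log might export them):
# (timestamp_s, src_ip, dst_ip, proto, dst_port, ip_length_bytes)
SAMPLE_FLOWS = [
    # an infected host spraying 404-byte UDP/1434 datagrams at random targets
    (0.000, "10.0.0.5", "172.16.9.3",    "udp", 1434, 404),
    (0.001, "10.0.0.5", "198.51.100.77", "udp", 1434, 404),
    (0.002, "10.0.0.5", "203.0.113.9",   "udp", 1434, 404),
    (0.003, "10.0.0.5", "10.0.0.255",    "udp", 1434, 404),   # subnet broadcast
    (0.004, "10.0.0.5", "224.0.0.1",     "udp", 1434, 404),   # multicast
    (0.005, "10.0.0.5", "192.0.2.44",    "udp", 1434, 404),
    # a legitimate client asking the SQL Browser which instances exist: tiny datagram
    (0.100, "10.0.0.9", "10.0.0.7",      "udp", 1434, 29),
    # ordinary web traffic, unrelated
    (0.200, "10.0.0.9", "203.0.113.50",  "tcp", 443, 1500),
    # one worm-shaped datagram to a single host: shape matches, but no spraying
    (0.300, "10.0.0.12", "10.0.0.7",     "udp", 1434, 404),
]


def is_slammer_shaped(flow):
    """True when a record looks like one Slammer datagram:
    UDP, destination port 1434, 404 bytes at the IP layer."""
    _ts, _src, _dst, proto, dport, ip_len = flow
    return proto == "udp" and dport == SLAMMER_PORT and ip_len == SLAMMER_IP_LEN


def is_broadcast_or_multicast(dst, local_nets):
    """Multicast, the all-ones broadcast, or the directed broadcast of a local subnet.
    The worm does not avoid such addresses; real clients almost never use them."""
    addr = ipaddress.ip_address(dst)
    if addr.is_multicast or addr == ALL_ONES:
        return True
    return any(addr == net.broadcast_address for net in local_nets)


def slammer_suspects(flows, local_nets=(), min_targets=5):
    """Group worm-shaped datagrams by source and report sources that sprayed
    at least `min_targets` distinct destinations (a spray with no reply check
    is the behaviour the worm cannot hide)."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    per_src = defaultdict(lambda: {"packets": 0, "targets": set(), "odd_targets": []})
    for flow in flows:
        if not is_slammer_shaped(flow):
            continue
        _ts, src, dst, *_rest = flow
        entry = per_src[src]
        entry["packets"] += 1
        entry["targets"].add(dst)
        if is_broadcast_or_multicast(dst, nets) and dst not in entry["odd_targets"]:
            entry["odd_targets"].append(dst)
    return {
        src: {"packets": e["packets"], "targets": len(e["targets"]), "odd_targets": e["odd_targets"]}
        for src, e in per_src.items()
        if len(e["targets"]) >= min_targets
    }


if __name__ == "__main__":
    for src, summary in slammer_suspects(SAMPLE_FLOWS, local_nets=["10.0.0.0/24"]).items():
        print(f"{src}: {summary['packets']} datagrams to {summary['targets']} targets; "
              f"broadcast/multicast targets: {summary['odd_targets']}")
```

The same three properties (UDP, port 1434, 404 bytes) are what the Recovery slide's firewall rule keys on; the per-source grouping adds the spraying behaviour so that a single legitimate-sized probe from one host is not reported. Because the payload is memory resident and identical in every copy, a content signature on the datagram body would be an equally valid second check if the sensor exports payloads.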
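The Propagation Speed and Propagation Analysis slides above give two figures that fix an idealized growth curve: infections doubled every 8.5 seconds, and 90% of vulnerable machines were infected within 10 minutes. The following is an added worked example, not from the presentation or its author, that plugs the slides' doubling time into the standard random-constant-spread (logistic) model of a scanning worm. The susceptible population of 75,000 hosts is an assumption taken from the low end of the slides' infected-host estimate, and the model ignores the bandwidth saturation that the slides say slowed the real worm, so it gives a lower bound on the real timeline.

```python
import math

DOUBLING_TIME_S = 8.5        # from the slides: infections doubled every 8.5 s
VULNERABLE_HOSTS = 75_000    # assumption: susceptible population, low end of the slides' estimate
INITIAL_FRACTION = 1.0 / VULNERABLE_HOSTS   # one infected host at t = 0


def growth_rate(doubling_time_s):
    """Per-second exponential rate r implied by a doubling time: 2 = e^(r * T)."""
    return math.log(2) / doubling_time_s


def infected_fraction(t_s, rate, initial_fraction):
    """Random-constant-spread model: each infected host finds new victims at a
    rate proportional to the still-uninfected fraction, giving the logistic curve
    a(t) = 1 / (1 + (1/a0 - 1) * e^(-r t))."""
    return 1.0 / (1.0 + (1.0 / initial_fraction - 1.0) * math.exp(-rate * t_s))


def time_to_fraction(target, rate, initial_fraction):
    """Invert the logistic curve: t = ln((1/a0 - 1) / (1/target - 1)) / r."""
    return math.log((1.0 / initial_fraction - 1.0) / (1.0 / target - 1.0)) / rate


def timeline(rate, initial_fraction, checkpoints_s):
    """Infected fraction at each checkpoint (seconds), for a quick table."""
    return {t: infected_fraction(t, rate, initial_fraction) for t in checkpoints_s}


if __name__ == "__main__":
    r = growth_rate(DOUBLING_TIME_S)
    print(f"growth rate r = {r:.4f} /s")
    for t, frac in timeline(r, INITIAL_FRACTION, [0, 30, 60, 90, 120, 150, 180]).items():
        print(f"t = {t:4d} s  infected = {frac * 100:6.2f}%")
    t90 = time_to_fraction(0.9, r, INITIAL_FRACTION)
    print(f"90% infected after {t90:.0f} s (idealized; the real curve flattened earlier)")
```

With these inputs the idealized model reaches 90% in under three minutes, comfortably inside the slides' "within 10 minutes"; the gap between the two is the bandwidth limit the Propagation Analysis slide describes, where competing copies of the worm saturated links and the scan rate, not the latency, set the ceiling. The practical lesson the slides draw follows directly from the curve: the exponential phase is over long before any human-driven response could start, so the only defenses that matter are the ones in place beforehand (the patch, the port 1434 block at the firewall).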
