Factbites
 Where results make sense

Topic: SQL slammer worm


In the News (Mon 21 Dec 09)

  
  SQL slammer worm
The SQL slammer worm is a computer virus (technically, a "worm program") that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic, starting at 05:30 UTC on January 25, 2003.
The worm continuously sends traffic to randomly generated IP addresses, attempting to send itself to hosts that are running the Microsoft SQL Server Resolution Service, causing them to spray the Internet with more copies of the worm program.
SQL Slammer was the first observed example of a "Warhol worm" -- a fast-propagating Internet infection of the sort first hypothesized in 2002 in a paper by Nicholas Weaver.
www.ebroadcast.com.au /lookup/encyclopedia/w3/W32.SQLExp.Worm.html   (526 words)

  
 F-Secure Computer Virus Information Pages: Slammer
The worm code is 376 bytes in size, which suggests that it was written and hand-optimized using the Assembly language.
When the SQL server receives the malicious request the overrun in the server's buffer allows the worm code to be executed.
Since the worm does not reach the disk on the infected computer it disappears when the server is restarted.
www.f-secure.com /v-descs/mssqlm.shtml   (968 words)

  
 Reference.com/Encyclopedia/SQL slammer (computer worm)
The SQL slammer worm is a computer worm that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic, starting at 05:30 UTC on January 25, 2003.
The Microsoft SQL Server Desktop Engine (MSDE) was affected by the worm and that increased the number of the systems affected.
The worm is a small (376 bytes) piece of code that does little other than generate random IP addresses and send itself out to those addresses.
www.reference.com /browse/wiki/SQL_slammer_(computer_worm)   (796 words)

  
 Cool Solutions: Are you an SQL Slammer Survivor? Tell us about it...   (Site not responding. Last check: 2007-11-02)
SQL Slammer spreads by scanning the Internet for vulnerable systems, and it is this scanning activity that has degraded service across the entire Internet.
The SQL Slammer worm spread throughout the Internet late on Jan. 24, and the sheer quantity of data produced by infected servers clogged the electronic arteries of company networks, downed bank networks and ATMs and slowed some people's access to the Internet.
Many security experts argue, however, that while SQL Slammer is easier to clean up, the worm was worse overall than Code Red--which attacked more servers but didn't affect infrastructure, such as financial systems.
www.novell.com /coolsolutions/feature/3330.html   (463 words)

  
 Wired 11.07: Slammed!
Slammer's attack was ruthless and quick, spreading hundreds of times faster than the Code Red virus or Nimda worm.
Slammer's code is a set of instructions as simple as "Lather, rinse, repeat." The program itself is only 376 bytes, not much longer than this paragraph.
Slammer masquerades as a single UDP packet, one that would normally be a harmless request to find a specific database service.
www.wired.com /wired/archive/11.07/slammer.html   (1076 words)

  
 CERT Advisory CA-2003-04 MS-SQL Server Worm
This worm is being referred to as the SQLSlammer, W32.Slammer, and Sapphire worm.
Activity of this worm is readily identifiable on a network by the presence of 376-byte UDP packets.
SQL Server 2000 and MSDE 2000 both have the vulnerability documented in VU#484891.
www.cert.org /advisories/CA-2003-04.html   (880 words)

  
 SQL Slammer Worm Spread Worldwide in 10 Minutes - HardwareGeeks.com A Community For the Sophisticated Geek or Geekette
It only took 10 minutes for the SQL Slammer worm to race across the globe and wreak havoc on the Internet two weeks ago, making it the fastest-spreading computer infection ever seen, researchers said on Tuesday.
The worm, which nearly cut off Web access in South Korea and shut down some U.S. bank teller machines, doubled the number of computers it infected every 8.5 seconds in the first minute of its appearance, said a computer security research group led by the Cooperative Association for Internet Data Analysis.
The worm, which exploited a flaw in Microsoft Corp.'s MSFT.O SQL (pronounced 'sequel') Server database software, caused damage by rapidly replicating itself and clogging the pipelines of the global data network.
www.hardwaregeeks.com /board/showthread.php?p=77489   (563 words)

  
 Image and Data Manager
The Slammer Worm virus which spread across the Internet over the weekend could be a hint towards information management problems to come.
SQL Slammer was first reported on Saturday, 25 January 2003 when Chris Rouland and Dan Ingevaldson of Internet Security System (ISS) discovered the worm.
SQL Slammer has been able to spread so successfully because it exploits SQL Servers that have not received the patch MS02-039 from Microsoft.
www.idm.net.au /story.asp?id=4151   (548 words)

  
 SQL Slammer worm wreaks havoc on Internet - ZDNet UK
SQL Slammer's code instructs the Microsoft SQL Server to go into an endless loop, continually sending out data to other computers, in effect performing a denial of service attack, F-Secure said, comparing the slowdown to the impact of the Code Red virus, which brought internet traffic to a halt in the summer of 2001.
The worm has been rated as critical by Microsoft and by antivirus companies because of the damage it has caused, although it is not thought to damage data on infected machines.
SQL uses a keep-alive mechanism to distinguish between active and passive instances, but the flaw means that if a particular data packet is sent to the SQL Server 2000 keep-alive function, it will reply to the sender with an identical packet.
news.zdnet.co.uk /security/0,1000000189,2129330,00.htm   (1080 words)

  
 U.S. Military and SQL Slammer Smoking Guns
In late January, Net Census reported the major role of the U.S. military in the recent SQL Slammer worm attack on the internet in an exclusive story.
The 66% SQL vulnerability of certain U.S. military networks mixed with the penchant for rapid fire of the attack ammunition -- udp packets -- was a near perfect match of scanning ammo with funneling victim.
In January, Net Census reported that the worm crisis was managed by shutting down computers on a massive scale and that most of this shutdown was done by the U.S. military.
www.angelfire.com /space/netcensus/shutdown.html   (1656 words)

  
 Print - SQL Server Magazine UPDATE, January 30, 2003
The so-called SQL Slammer worm, which is credited with bringing vast portions of the Internet to its knees over the weekend, targets a known SQL Server 2000 security vulnerability that the company first fixed last summer.
Since SQL Slammer hit, however, Microsoft has made it easier to patch SQL Server by using a standard executable update that doesn't require administrators to copy files manually, as earlier patches did.
SQL Server Magazine University (SSMU) Web seminar instructors are tried-and-true people you've come to know and trust through their articles and insights published in SQL Server Magazine.
www.sqlmag.com /Articles/Print.cfm?ArticleID=37856   (2982 words)

  
 PC World - Slammer Was Fastest Spreading Worm Yet   (Site not responding. Last check: 2007-11-02)
A just-completed study into the Slammer worm that hit the Internet a week ago has concluded what many people already suspected: Slammer represented a significant milestone in the evolution of worms and was by far the fastest spreading worm yet seen.
Slammer generated random IP addresses and dispatched itself to those addresses without scanning to find out whether the target machine was running either of the two pieces of software that were vulnerable to attack: Microsoft's SQL Server 2000 database and Microsoft SQL Server 2000 Data Engine.
Spread of the worm eventually began to slow because bandwidth from infected machines to the Internet could not support the exponential growth in IP packets being generated, the report said.
www.pcworld.com /news/article/0,aid,109163,00.asp   (713 words)

  
 SQL Slammer Lessons - MonitorWare
The worm spread through a several-month old vulnerability in Microsoft SQL Server 2000 and its little brother, MSDE 2000 (the MSDE is a stripped down, cost free version of Microsoft SQL Server for use by application developers).
In contrast to the "real" SQL server, which typically (hopefully) is set up and administrated by a skilled administrator, the MSDE is often used on desktops.
Remember, this is a first and quick effort to analyze the effects of the SQL Slammer worm.
www.monitorware.com /Common/en/Articles/SQLSlammer-Learnings.php   (3073 words)

  
 Geek.com Geek News - "SQL Slammer" worm wreaks havoc worldwide
Even worse, for the attack to succeed the worm must have been able to access SQL Server directly, either through a firewall or due to the lack of one entirely.
This means that the thousands of compromised SQL Servers generating all this traffic were both (a) unpatched, unsecured installs, and (b) had little or no firewall protection from the public Internet.
SQL Server patches in the past had to be downloaded, extracted from a zip file, and manually put in place.
www.geek.com /news/geeknews/2003Jan/sec20030127018346.htm   (1419 words)

  
 GRC | SQL Sapphire / SQL-Hell / Slammer     (Site not responding. Last check: 2007-11-02)
Since the worm lives only in the system's RAM memory and does not modify any system files, "disinfection" of an infected system is as simple as a system reboot.
Thanks to the worm's use of the "connectionless" UDP protocol, the receipt of a single packet was all that was necessary.
We are fortunate that the worm spreads by UDP protocol over port 1434, because this traffic can be readily filtered and blocked at any level of the Internet without negative side effects.
www.grc.com /worms/25-01-03.htm   (570 words)

  
 ATMs, ISPs hit by Slammer worm spread | The Register
The bandwidth-crunching Slammer worm caused all manner of damage since its appearance on the Net in the early hours of Saturday morning.
Although Slammer is not destructive to an infected host (like Code Red it only exists in memory), it generates a damaging level of network traffic when it scans for additional targets.
Since Slammer spreads on UDP port 1434, users are being urged to update firewall or router tables to block this traffic as a workaround, prior to putting patches in place.
www.theregister.co.uk /2003/01/27/atms_isps_hit_by_slammer   (704 words)

  
 MOREnet: Security   (Site not responding. Last check: 2007-11-02)
A new worm known as the SQL Slammer Worm was discovered on January 24, 2003.
While this may cause some interruption of SQL use, many MOREnet networks were simply unavailable on the morning of Saturday, January 25, 2003 due to traffic from this worm.
According to Symantec, since the SQL Slammer Worm is only resident in memory and is not written to disk, (http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html) this worm is not detectable using virus definitions.
www.more.net /security/advisories/2003/030125.html   (891 words)

  
 Damage control | CNET News.com
The SQL Slammer worm took a toll on networks in several large companies and municipalities, starting early on a recent Saturday.
Although the worm caused roughly $1 billion in damage by some estimates, its most significant casualty may be the perception that companies can remain secure by keeping up with software patches and other protective updates.
Slammer was still able to swamp the company's internal network at its San Mateo headquarters, limiting use of e-mail and other resources for more than 24 hours while security teams hunted down infected servers.
news.com.com /2009-1001-983540.html   (1810 words)

  
 W32/SQLSlammer.worm
Due to a decrease in prevalence of this worm, as a result of the number of vulnerable systems being patched, and firewalls being configured to block UDP Port 1434, the risk assessment has been lowered to Medium.
Once the worm gets control on the target computer it loads WS2_32.DLL and starts to continually send itself to port 1434/udp of randomly selected IP targets in an infinite loop. The IP of a victim is constructed using 'GetTickCount' API and is purely random (no skew towards the local subnet, for example).
Alternatively, we have made available a new version of Stinger designed to locate the worm in memory on infected SQL servers, and shut down the SQL processes.
vil.nai.com /vil/content/v_99992.htm   (1107 words)

  
 PC World - Slammer Worm Slaps Net Down, But Not Out
Slammer's speed in spreading itself recalls another worm that rampaged through the Net: Code Red, a scourge that appeared in mid-2001 and infected hundreds of thousands of servers.
Slammer is "similar in terms of speed, but nowhere near as destructive" as Code Red, Ohlsson said.
The worm is "certainly on the same level" as Code Red in terms of the threat it poses, said AVERT's Gullotto.
www.pcworld.com /news/article/0,aid,108988,00.asp   (890 words)

  
 SQL Worm
For the worm to have had such a widespread and significant effect on the Internet as a whole, it must be the case that thousands of SQL servers, in all their various guises, were either exposed directly, i.e.
In many instances the database engine is actually on the web server, the system architect believing that a simplified snapshot of the corporate database located there is significantly safer than allowing the web server to connect directly to the main database itself.
This is ineffective as a countermeasure; the risk is brought about by the connectivity at the SQL level.
www.ecommnet.co.uk /articles/sqlworm2.asp   (374 words)

  
 Symantec Security Response - W32.SQLExp.Worm
Symantec Security Response strongly recommends that all the users of either Microsoft SQL Server 2000 or MSDE 2000 audit their computers for the vulnerabilities that are referred to in Microsoft Security Bulletin MS02-039 and Microsoft Security Bulletin MS02-061.
Because the worm resides in memory only and is not written to disk, the virus definitions do not detect this threat.
Because the worm does not selectively attack the hosts in the local subnet, large amounts of traffic are the result.
www.sarc.com /avcenter/venc/data/w32.sqlexp.worm.html   (1001 words)

  
 Review of "SQL Slammer Worm"
The Tampa Library's MS SQL servers are not vulnerable to this worm, which exploits a 6 month old vulnerability specific only to MS SQL (other RDBMS' are not susceptible); in spite of this, yesterday between 8am and 10am, three of our four MS SQL servers had their software updated.
It does no damage to the file system (in other words, it writes out no files, and therefore isn't considered a virus per se), and, after a reboot, the violated server can be considered clean (but not protected from future attacks).
This appears to be a proof of concept worm - it could very well be something that someone was thinking, "Let's see what happens," and didn't realize it would cause this much trouble.
www.lib.usf.edu /pipermail/lib-talk/2003-January/000010.html   (499 words)

  
 SQL Slammer: How it works--prevent it | Tech News on ZDNet
The SQL worm itself is file-less and resides only in memory, much as Code Red.
SQL Slammer targets systems running MS SQL Server 2000 and/or systems running Microsoft Desktop Engine (MSDE) 2000, which is included in Visual Studio.Net, Asp.net Web Matrix Tool, Office XP Developer Edition, MSDN Universal and Enterprise, Microsoft Access, and Microsoft Application Center 2000.
The underlying Server Resolution service buffer overrun flaw exploited by SQL Slammer was first reported in June 2002 and patched in MS02-039.
news.zdnet.com /2100-1009_22-982226.html   (624 words)

  
 MS-SQL Slammer Traffic Analysis
We analyze the worm traffic rate, source infection rate and lifetime, source domain distribution, source and destination distribution within the IP address space and per-host contribution to packet totals.
Details of the "MS-SQL Slammer" worm and defensive actions are given in [1], [2], [3].
While the worm infected the majority of hosts within 10 minutes [4], we see 0-10 packets from new sources every 5 minutes (a new source is the source IP of a worm packet that we have not observed thus far in our week's traffic collection).
momo.lcs.mit.edu /slammer   (1221 words)

  
 U.S. Military Role in SQL Slammer Worm Attack
Before the recent SQL Slammer worm activity, Net Census estimates about 4.7 million SQL servers on TCP port 1433 worldwide, based on two data sets using different methods of random sampling.
For perspective on this value, SQL servers are about as common as directory name servers (DNS) on the planet.
The U.S. armed forces not only played a major helpful role in stemming the internet traffic jam caused by the SQL Slammer worm, but also may be largely responsible for the uncharacteristically rapid spread of the worm due to inadvisable internet practices documented by Net Census.
www.angelfire.com /space/netcensus/sqlslam.html   (1741 words)

  
 - W32/SQL SLAMMER.WORM
This worm causes increased traffic on UDP port 1434 and spreads between SQL
SQL Servers running Service Pack 3 are not affected.
This worm does not exist as a file on your system.
www.lionsliedekerke.be /forum/topic.asp?TOPIC_ID=160   (153 words)

  
 CNN.com - Computer worm grounds flights, blocks ATMs - Jan. 26, 2003
Worms of this nature are often precursors to a different type of attack called "distributed denial of service." In that case, computers infected with a worm or other program are directed to send a flood of information to a specific Internet location and force it off-line.
"[Saturday's worm] is the recruitment of soldiers, not telling the soldiers where to aim their guns," Paller said.
If the vulnerability in the SQL software is not patched, Paller said, it is possible that a future denial of service attack could harness the "zombie" machines created Saturday.
www.cnn.com /2003/TECH/internet/01/25/internet.attack/index.html   (878 words)

Copyright © 2005-2007 www.factbites.com Usage implies agreement with terms.