SQL Slammer

Type: Computer worm
Origin: 2003
Platform: Microsoft Windows

SQL Slammer is a 2003 computer worm that caused a denial of service on some Internet hosts and dramatically slowed general Internet traffic. It also crashed routers around the world, causing even more slowdowns. It spread rapidly, infecting most of its 75,000 victims within 10 minutes.

The program exploited a buffer overflow bug in Microsoft's SQL Server and Desktop Engine database products. Although the MS02-039 (CVE-2002-0649) patch had been released six months earlier, many organizations had not yet applied it.

The most infected regions were Europe, North America, and Asia (including East Asia and southern Asia (India)) etc.

Technical details

The worm was based on proof of concept code demonstrated at the Black Hat Briefings by David Litchfield, who had initially discovered the buffer overflow vulnerability that the worm exploited. It is a small piece of code that does little other than generate random IP addresses and send itself out to those addresses. If a selected address happens to belong to a host that is running an unpatched copy of Microsoft SQL Server Resolution Service listening on UDP port 1434, the host immediately becomes infected and begins spraying the Internet with more copies of the worm program.

Home PCs are generally not vulnerable to this worm unless they have MSDE installed. The worm is so small that it does not contain code to write itself to disk, so it only stays in memory, and it is easy to remove. For example, Symantec provides a free of charge removal utility, or it can even be removed by restarting SQL Server (although the machine would likely be reinfected immediately).

The worm was made possible by a software security vulnerability in SQL Server first reported by Microsoft on 24 July 2002. A patch had been available from Microsoft for six months prior to the worm's launch, but many installations had not been patched – including many at Microsoft.

The worm began to be noticed early on 25 January 2003 as it slowed systems worldwide. The slowdown was caused by the collapse of numerous routers under the burden of extremely high bombardment traffic from infected servers. Normally, when traffic is too high for routers to handle, the routers are supposed to delay or temporarily stop network traffic. Instead, some routers crashed (became unusable), and the "neighbour" routers would notice that these routers had stopped and should not be contacted (aka "removed from the routing table"). Routers started sending notices to this effect to other routers they knew about. The flood of routing table update notices caused some additional routers to fail, compounding the problem. Eventually the crashed routers' maintainers restarted them, causing them to announce their status, leading to another wave of routing table updates. Soon a significant portion of Internet bandwidth was consumed by routers communicating with each other to update their routing tables, and ordinary data traffic slowed or in some cases stopped altogether. Because the SQL Slammer worm was so small in size, sometimes it was able to get through when legitimate traffic was not.

Two key aspects contributed to SQL Slammer's rapid propagation. The worm infected new hosts over the sessionless UDP protocol, and the entire worm (only 376 bytes) fits inside a single packet. As a result, each infected host could simply "fire and forget" packets as rapidly as possible.

Notes

Other names include W32.SQLExp.Worm, DDOS.SQLP1434.A, the Sapphire Worm, SQL_HEL, W32/SQLSlammer and Helkern.

Public disclosure began with Michael Bacarella posting a message to the Bugtraq security mailing list entitled "MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!" at 07:11:41 UTC on 25 January 2003. Similar reports were posted by Robert Boyle at 08:35 UTC and Ben Koshy at 10:28 UTC. An early analysis released by Symantec is timestamped 07:45 GMT.

External links

News

BBC NEWS Technology Virus-like attack hits web traffic
MS SQL Server Worm Wreaking Havoc
Wired 11.07: Slammed! A layman's explanation of the Slammer code.

Announcement

Microsoft Security Bulletin MS02-039 and Patch
"CERT Advisory CA-2003-04: MS-SQL Server Worm". Carnegie Mellon University Software Engineering Institute. Archived from the original on 1 February 2003. Retrieved 22 September 2019.
Symantec Security Response - W32.SQLExp.Worm

Analysis

Inside the Slammer Worm, IEEE Security and Privacy Magazine, David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, and Nicholas Weaver

Technical details

Worm code disassembled at the Wayback Machine (archived 22 July 2011)
Multiple Vulnerabilities in Microsoft SQL Server - Carnegie-Mellon Software Engineering Institute
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.