Analysis of the W 32 Slammer Worm Mikhail
- Slides: 17
Analysis of the W 32. Slammer Worm Mikhail Akhmeteli
W 32. Slammer Overview n n n Aliases: SQL Slammer, Saphire, W 32. SQLExp. Worm Released: January 25, 2003, at about 5: 30 a. m. (GMT) Fastest worm in history Spread world-wide in under 10 minutes Doubled infections every 8. 5 seconds 376 bytes long
Overview (continued) n n n Platform: Microsoft SQL Server 2000 Vulnerability: Buffer overflow Patch available for 6 months Propagation: Single UDP packet Features: Memory resident, handcoded in assembly
Direct Damage n n Infected between 75, 000 and 160, 000 systems Disabled SQL Server databases on infected machines Saturated world networks with traffic Disrupted Internet connectivity worldwide
Effective Damage n n South Korea was taken off-line Disrupted financial institutions Airline delays and cancellations Affected many U. S. government and commercial websites
Specific Damage n n n 13, 000 Bank of America ATMs stopped working Continental Airlines flights were cancelled and delayed; ticketing system was inundated with traffic. Airport selfcheck-in kiosks stopped working Activated Cisco router bugs at Internet backbones
Propagation Technique n n n Single UDP packet Targets port 1434 (Microsoft-SQL-Monitor) Causes buffer overflow Continuously sends itself via UDP packets to pseudo-random IP addresses, including broadcast and multicast addresses Does not check whether target machines exist
Recovery n n Disconnect from network Reboot the machine, or restart SQL Server Block port 1434 at external firewall Install patch
Propagation Speed n n Infected 90% of vulnerable machines within 10 minutes Doubled infections every 8. 5 seconds Achieved 55 million scans per second Two orders of magnitude faster than Code Red
Propagation Speed Source: http: //www. caida. org/analysis/security/sapphire/
Infections 30 Minutes After Release Source: http: //www. caida. org/analysis/security/sapphire/
Propagation Analysis n n Rapid spread made timely defense impossible Rapid spread caused worm copies to compete Bandwidth limited, not latency limited (doesn’t wait to establish connection) Easy to stop at firewall
Possible Variations n n n Could have attacked HTTP or DNS servers Could have gone dormant Could have forged source port to DNS resolution
Worm Composition n n 376 bytes long Less than 300 bytes of executable code 404 byte UDP packets, including headers Composed of 4 functional sections
Worm Functions n n Reconstructs session from buffer overflow Obtains (and verifies!) Windows API function addresses Initializes pseudo-random number generator and socket structures Continuously generates random IP addresses and sends UDP data-grams of itself
Packet Capture Buffer Overflow Reconstruct session Get Windows API addresses Initialize PRNG and socket Send Packets 01/27 -15: 46: 47. 167917 206. 204. 21. 154: 1087 -> 24. 59. 36. 157: 1434 04 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 DC C 9 B 0 42 EB 0 E 01 01 42 01 70 AE 42 90 90 68 B 0 42 B 8 01 01 31 C 9 B 1 18 50 E 2 FD 01 01 05 50 89 E 5 51 68 2 E 64 6 C 6 C 68 65 32 68 6 B 65 72 6 E 51 68 6 F 75 6 E 74 68 69 43 68 47 65 74 54 66 B 9 6 C 6 C 51 68 33 32 68 77 73 32 5 F 66 B 9 65 74 51 68 73 6 F 63 B 9 74 6 F 51 68 73 65 6 E 64 BE 18 10 AE 42 D 4 50 FF 16 50 8 D 45 E 0 50 8 D 45 F 0 50 FF BE 10 10 AE 42 8 B 1 E 8 B 03 3 D 55 8 B EC 51 BE 1 C 10 AE 42 FF 16 FF D 0 31 C 9 51 51 50 03 01 04 9 B 81 F 1 01 01 51 8 D 45 CC 45 C 0 50 FF 16 6 A 11 6 A 02 FF D 0 50 C 4 50 8 B 45 C 0 50 FF 16 89 C 6 09 DB 81 F 3 D 9 FF 8 B 45 B 4 8 D 0 C 40 8 D 14 88 C 1 E 2 04 C 1 E 2 08 29 C 2 8 D 04 90 01 D 8 89 45 B 4 6 A 45 B 0 50 31 C 9 51 66 81 F 1 78 01 51 8 D 45 8 B 45 AC 50 FF D 6 EB CA 01 01 01 70 DC 35 6 C 63 2 E 6 B 8 D 16 74 81 50 8 D 3 C 01 10 03 01 01 01 AE C 9 01 33 6 B 64 66 45 50 05 F 1 8 B 45 61 C 2 8 D 50 . . . . . . B. . p. B. . . . h. . . B. . . 1. . . P. . 5. . P. . Qh. dllhel 3 2 hkern. Qhounthick Ch. Get. Tf. ll. Qh 32. d hws 2_f. et. Qhsockf. to. Qhsend. . B. E. P. . B. . =U. . Qt. . . B. . 1. QQP. . . Q. E. P. . j. j. j. . . P. E. P. . . . <a. . . E. . . @. . . ). . . . E. j. . E. P 1. Qf. . x. Q. E. P. . Selections from Disassembled code (by e. Eye Digital Security) push 42 B 0 C 9 DCh ; [RET] sqlsort. dll -> jmp esp. . ; Load strings. . call dword ptr [esi] ; Get. Proc. Address() call eax; Get. Tick. Count(). . call esi; sendto()
References n e. Eye Digital Security. http: //www. eeye. com/html/Research/Flash/sapphire. txt n Cooperative Association for Internet Data Analysis (CAIDA) http: //www. caida. org/outreach/papers/2003/sapphire. html n Internet Storm Center. http: //isc. incidents. org/analysis. html? id=180 n The Washington Post. http: //www. washingtonpost. com/wp-dyn/articles/A 469282003 Jan 26. html n C|NET News. com. -1001 -982135. html http: //news. com/2100
Sql slammer worm bytes
Glasgow thang điểm
Frog dissection frog scienstructable template
Mikhail bashkanov
Dr mikhail gelfenbeyn
Mikhail feigelman
Mikhail vasilyevich lomonosov
Michail tswett
Difference between isocratic and gradient elution
Mikhail gelfand
Mikhail tswett
Mikhail tswett
Mikhail matveev
Mikhail gofman
Mikhail bulgakov spouse
Proton spin
Mikhail tswett cromatografia
Cyperm
