
“Inside the Slammer Worm”– A Summary and Analysis


On Saturday, 25 January 2004, a worm began infecting machines so fast that human response time was useless. This worm is known as Slammer (or Sapphire), and it successfully infected more than 90 percent of all vulnerable machines within the first 10 minutes after it was released. This summary and analysis is of the article “Inside the Slammer Worm” by Moore, Paxson, Savage, Shannon, Staniford, and Weaver (who are from various universities and computer security/research corporations).

The article starts with a short description of Slammer, a worm that takes advantage of a buffer-overflow vulnerability in both Microsoft SQL Server and Microsoft SQL Server Desktop Engine. By exploiting this vulnerability, Slammer successfully infected at least 75,000 hosts (and it is suspected even more) and caused “network outages and unforeseen consequences such as canceled airline flights, interference with elections, and ATM failures”.

The article then discusses how, although Slammer had no malicious payload (there was no code to steal data, take control of the machine, etc.), it caused a great deal of harm by overloading the networks it affected (consuming all of the bandwidth so nothing could get done, or crashing the network outright). The reason it could cause such problems despite having no malicious payload was that Slammer travelled incredibly fast: within 3 minutes the worm reached its maximum scanning rate of “more than 55 million scans per second”, and it slowed down only after that because it had consumed so much bandwidth. One reason Slammer was able to travel so fast was that it was very small, only 404 bytes. To get an idea of how small that is, the text file containing everything written in this post so far is approximately 1,800 bytes, a little over 4 times the size of Slammer. The second reason Slammer was so fast (especially compared to other worms) is that it spread using UDP packets, so it did not have to wait for a response from the machine it was trying to infect (as it would have if it had used TCP instead).

Next the authors discuss how Slammer chooses its victims. The method is very simple: Slammer uses a pseudo-random number generator (PRNG) to generate random IP addresses to try to infect. The authors then note something very interesting: the person who programmed Slammer made two mistakes that limited the worm. Both mistakes were in the PRNG the worm used, and because of them the worm only scanned a subset of IP addresses instead of the whole address space. This means that some of the hosts Slammer could have infected were never infected, since their IP addresses were never generated. Another point mentioned later in the article is that Slammer’s UDP request was easily filtered out by network administrators, whereas it could have exploited other vulnerabilities that would have been harder to filter. These two facts imply that, had Slammer been programmed better, it would have caused a much greater problem than it already did (and the problem it caused was already bad).
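The paragraph above says the PRNG mistakes kept Slammer from ever generating some addresses. The following example, added here and not taken from the article or from the worm, shows the check an analyst would run to measure that effect: it walks a linear congruential generator (LCG) until it cycles and reports what fraction of a scaled-down 16-bit address space it ever reaches. The multiplier/increment pairs are constructed for illustration and are not Slammer’s constants.

```python
"""Measure how much of an address space an LCG actually reaches.

Constructed example: the generator is x_{n+1} = (a*x_n + c) mod 2^16,
a 16-bit stand-in for a 32-bit IPv4 address generator so the full
period can be walked quickly. Parameters are illustrative, not Slammer's.
"""

MODULUS_BITS = 16
MODULUS = 1 << MODULUS_BITS  # 65536 "addresses"


def lcg_coverage(a: int, c: int, seed: int = 0) -> float:
    """Fraction of the 2^16 space visited before the sequence repeats.

    A full-period generator returns 1.0 from any seed; a defective one
    cycles early and leaves the remaining addresses unreachable.
    """
    seen = set()
    x = seed % MODULUS
    while x not in seen:
        seen.add(x)
        x = (a * x + c) % MODULUS
    return len(seen) / MODULUS


def full_period_lcg(a: int, c: int) -> bool:
    """Hull-Dobell conditions for modulus 2^k: c odd and a = 1 (mod 4).

    Violating either one guarantees the generator cannot reach every value.
    """
    return c % 2 == 1 and (a - 1) % 4 == 0


def unreachable_addresses(a: int, c: int, seed: int = 0) -> int:
    """Number of addresses a scanner driven by this LCG would never emit."""
    return MODULUS - int(lcg_coverage(a, c, seed) * MODULUS)


if __name__ == "__main__":
    # Well-formed parameters (Numerical Recipes constants, reduced mod 2^16).
    print("good LCG coverage:", lcg_coverage(1664525, 1013904223))
    # a = 3 mod 4 breaks Hull-Dobell: only half the space is ever visited.
    print("a=3,c=1 coverage: ", lcg_coverage(3, 1))
    # An even multiplier collapses to a fixed point after a handful of steps.
    print("a=2,c=1 coverage: ", lcg_coverage(2, 1, seed=1))
```

Swapping in a real 32-bit modulus makes the walk take 2^32 steps in the worst case, so for production-size generators the Hull-Dobell check is the practical first pass and the walk is run only on a reduced modulus.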

The final two sections recap that Slammer caused many of its problems, such as “911 and ATM failures”, by consuming vast amounts of bandwidth and crashing networks (again due to its speed). The authors then note that while super-fast worms had been predicted in theoretical results, this was the first one actually observed. They go on to imply that we were lucky this time because the worm could have been programmed better. For example, they suggest that it could have stopped propagating within 10 minutes and become dormant, which would have left more than 75,000 infected hosts that the programmer could control at a later point. Attacks like this would take “hours or days” to figure out, and even after that “many compromised machines might never” be identified.

One final thing to note from the article is a small sidebar labeled “Who wrote Slammer?” This short sidebar says that while we do not know who wrote Slammer, we do know that the programmer had only “decent, but not remarkable, x86 coding skill”, since “much of the code was borrowed from a published exploit” and the additional parts the programmer added were not very complicated (and they made mistakes in the PRNG). This brings up one of my own major concerns: that these articles, the source code for malware, and other techniques are available for free to anyone online, and Slammer is a perfect example of a person who only has “decent” coding skill using what is available online to create a harmful worm that disrupted the internet and crashed networks. Another example, mentioned in my previous post, is that the first cyber weapon ever, Stuxnet, is also available on the internet for anyone to modify. Personally I am not sure how to fix this problem, but it is one that definitely needs to be addressed.

Finally, the article’s intended audience is other professors or researchers in computer security and undergraduate or graduate students majoring in computer science or computer security. The article assumes that the reader knows about UDP and TCP packets (and how they work), PRNGs, and the hexadecimal representation of numbers, which is a fair assumption given the intended audience.
