On Saturday, January 25, 2003, a worm seriously impeded Internet traffic around the world. Internet access was halted in South Korea, causing trading volume on the South Korean stock exchange to plummet. Bank of America's ATM system was disrupted, as were telephone traffic in Finland and access to clinical data at Beth Israel Deaconess Medical Center (BIDMC) in Boston.
The worm itself was small and file-less; it resided only in memory. It carried no destructive payload, created or deleted no files, and did not use e-mail; it simply scanned for vulnerable Microsoft SQL servers. Slammer's aggressive scanning, which fired copies of itself at randomly generated IP addresses as fast as the infected host could send them, overloaded many networks. In fact, the worm impeded its own propagation by congesting the very links it depended on.
Dubbed Slammer or "SQL Slammer", and also known as Sapphire (F-Secure), w32.SQLexp.worm (Symantec), and Helkern (Kaspersky), the worm exploited a known vulnerability in Microsoft SQL Server 2000. It did not affect desktop PCs (unless they ran the MSDE engine listed below), Linux, Mac, or Unix systems. Slammer propagated in a single, relatively small 376-byte UDP packet directed at the SQL Server Resolution Service on port 1434 of the following Microsoft SQL Server versions:
- SQL Server 2000 RTM
- SQL Server 2000 SP1
- SQL Server 2000 SP2
- Microsoft SQL Desktop Engine Version (MSDE) 2000
The underlying buffer overrun in the Resolution Service is fixed by the patch in security bulletin MS02-039, or by installing SQL Server 2000 Service Pack 3, which includes it. System administrators could also block the following SQL Server ports at the network perimeter (only 1434/udp is the worm's infection vector; filtering the others is general hardening), bearing in mind that perimeter filtering does nothing against an infected laptop or VPN client that is already inside the network:
- ms-sql-s 1433/tcp #Microsoft-SQL-Server
- ms-sql-s 1433/udp #Microsoft-SQL-Server
- ms-sql-m 1434/tcp #Microsoft-SQL-Monitor
- ms-sql-m 1434/udp #Microsoft-SQL-Monitor
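The propagation packet described above and the port-based defence below suggest a simple detection check. The following is an added example, not code from the original article or from any vendor: a minimal parser for a UDP datagram to the Resolution Service that flags overlong instance-lookup requests. It assumes (not stated on the page) that a Resolution Service request begins with a one-byte message type, that type 0x04 is an instance-name lookup normally followed by a short name, and that the article's 376-byte figure is the UDP payload length. The sample datagrams, the filler bytes and the 32-byte name threshold are constructed for illustration.

```python
"""
Heuristic detector for Slammer-style traffic to the SQL Server
Resolution Service (SSRS, UDP/1434).  Added example; assumptions about
the SSRS request layout are noted inline and are not taken from the page.
"""
import struct

SSRS_PORT = 1434
SLAMMER_PAYLOAD_LEN = 376       # figure quoted in the article
MAX_LEGIT_INSTANCE_NAME = 32    # assumed heuristic threshold, not a protocol limit
SSRS_INSTANCE_LOOKUP = 0x04     # assumed: message type for "which port is instance X on"


def build_udp(src_port, dst_port, payload):
    """Prepend a UDP header (checksum left as zero) to payload."""
    length = 8 + len(payload)
    return struct.pack("!HHHH", src_port, dst_port, length, 0) + payload


def parse_udp(datagram):
    """Return (src_port, dst_port, payload); reject malformed headers."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    src, dst, length, _csum = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram):
        raise ValueError("UDP length field disagrees with datagram size")
    return src, dst, datagram[8:]


def classify_ssrs(payload):
    """Classify a UDP/1434 payload as 'ok', 'suspicious' or 'slammer-like'."""
    if not payload:
        return "ok"
    if payload[0] != SSRS_INSTANCE_LOOKUP:
        return "ok"                      # other request types are not the overflow path
    if len(payload) >= SLAMMER_PAYLOAD_LEN:
        return "slammer-like"            # one oversized packet is the worm's whole footprint
    if len(payload) - 1 > MAX_LEGIT_INSTANCE_NAME:
        return "suspicious"              # instance name far longer than any real one
    return "ok"


def inspect(datagram):
    """Parse and classify; traffic to other ports is passed through."""
    _src, dst, payload = parse_udp(datagram)
    if dst != SSRS_PORT:
        return "not-ssrs"
    return classify_ssrs(payload)


# Constructed sample datagrams (not captured traffic).
LEGIT = build_udp(40000, SSRS_PORT, b"\x04" + b"INSTANCE1")
OVERLONG = build_udp(40001, SSRS_PORT, b"\x04" + b"A" * 120)
WORMLIKE = build_udp(40002, SSRS_PORT, b"\x04" + b"\x01" * (SLAMMER_PAYLOAD_LEN - 1))
OTHER = build_udp(40003, 53, b"\x04" + b"\x01" * 400)

if __name__ == "__main__":
    for name, dg in [("legit", LEGIT), ("overlong", OVERLONG),
                     ("wormlike", WORMLIKE), ("other-port", OTHER)]:
        print(f"{name:10s} -> {inspect(dg)}")
```

The length check is the whole signature here: because Slammer fits in one packet, a single oversized instance-lookup request to 1434/udp is already the attack, so there is no later stage to catch. Such a check belongs on the host or an internal sensor as well as at the perimeter, for the same reason perimeter port filtering alone was not enough in 2003.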
Among the organizations infected despite the patch Microsoft had released some six months earlier, because their systems administrators "didn't get around to it": Microsoft itself.