Name | SQL Slammer |
Additional Names | DDOS.SQLP1434.A, Helkern, SQLSlammer, Slammer (computer worm), SQL slammer worm, Sapphire worm, Slammer, W32.SQLExp.Worm |
Type of Malware | Virus |
Location – Country of Origin | United States |
Date of initial activity | 2003 |
Motivation | To take advantage of a buffer overflow vulnerability in Microsoft SQL Server 2000 to replicate and shut down essential services. |
Attack Vectors | Email attachments, Network shares, File sharing websites, Drive-by downloads |
Targeted System | Microsoft SQL Server 2000 |
Overview
SQL Slammer was the fastest-spreading computer worm in history, and, surprisingly, nothing has beaten it since. It attempted to connect to every computer it could find over MS-SQL UDP port 1434, looking for unpatched MS-SQL servers.
Targets
Random scanning — the worm selects IP addresses at random to infect, eventually reaching all susceptible hosts.
Tools/ Techniques Used
The worm sends itself to the SQL Server Resolution Service, which listens on UDP port 1434, and takes advantage of a buffer overflow vulnerability that allows a portion of system memory to be overwritten. Once it has done so, it runs in the same security context as the SQL Server service. It calls the Windows API function GetTickCount and uses the result as a seed to generate IP addresses at random. It then opens a socket on the infected computer and repeatedly attempts to send itself to UDP port 1434 on the generated IP addresses, using an ephemeral source port. Because the worm does not selectively attack hosts on the local subnet, the result is a large amount of traffic.
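As an added detection example, not part of the original profile, the following Python flags hosts whose UDP/1434 traffic fans out to many random, mostly off-subnet destinations from a single source port, which is the scanning pattern described above. The flow record format, the sample records and the thresholds are assumptions constructed for this example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# UDP port of the SQL Server Resolution Service that Slammer sends itself to.
SQL_RESOLUTION_PORT = 1434

# Constructed flow records for this example: "src_ip src_port dst_ip dst_port proto".
# 10.0.0.7 shows the page's pattern: one datagram per random address, one ephemeral
# source port, no preference for the local subnet. The other hosts are normal clients.
SAMPLE_FLOWS = """\
10.0.0.7 1047 203.0.113.9 1434 udp
10.0.0.7 1047 198.51.100.34 1434 udp
10.0.0.7 1047 192.0.2.77 1434 udp
10.0.0.7 1047 203.0.113.150 1434 udp
10.0.0.7 1047 10.0.0.5 1434 udp
10.0.0.7 1047 198.51.100.2 1434 udp
10.0.0.20 3200 10.0.0.5 1434 udp
10.0.0.21 3201 10.0.0.5 1433 tcp
"""

def parse_flow(line):
    """Split one space-separated flow record into typed fields."""
    src, sport, dst, dport, proto = line.split()
    return src, int(sport), dst, int(dport), proto.lower()

def find_slammer_scanners(lines, local_net, min_targets=5, min_foreign_fraction=0.5):
    """Return {src_ip: stats} for hosts probing UDP/1434 on many, mostly off-subnet,
    destinations. The thresholds are assumptions; tune them to the monitored network."""
    local = ip_network(local_net)
    per_src = defaultdict(lambda: {"targets": set(), "sports": set()})
    for line in lines:
        if not line.strip():
            continue
        src, sport, dst, dport, proto = parse_flow(line)
        if proto != "udp" or dport != SQL_RESOLUTION_PORT:
            continue  # only Resolution Service probes are of interest
        per_src[src]["targets"].add(dst)
        per_src[src]["sports"].add(sport)
    flagged = {}
    for src, stats in per_src.items():
        targets = stats["targets"]
        foreign = sum(1 for t in targets if ip_address(t) not in local)
        if len(targets) >= min_targets and foreign / len(targets) >= min_foreign_fraction:
            # Slammer reuses a single socket, so one source port across all probes.
            flagged[src] = {"targets": len(targets), "foreign_targets": foreign,
                            "source_ports": len(stats["sports"])}
    return flagged
```

Calling `find_slammer_scanners(SAMPLE_FLOWS.splitlines(), "10.0.0.0/24")` flags only 10.0.0.7; the ordinary client talking to one local server on UDP/1434 is not reported.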
Impact / Significant Attacks
The worm caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic, starting at 05:30 UTC on January 25, 2003. It spread rapidly, infecting most of its 75,000 victims within ten minutes.