SQL Slammer or SQHell Worm

1
SQL Slammer or SQ-Hell Worm

• Most damaging Web attack in past 18 months

2
Human Failure

• Exploitation of a flaw in the Microsoft SQL
  server software.
• A patch was announced last July, but most
  database supervisors did not install it
• Takes many hours
• May not work properly
• Exploited the Microsoft SQL 2000 Web servers

3
Affect on ISU

• Attacked 20 SQL servers on campus
• Shut down dial-up services
• Disrupted Web surfing
• E-mail disrupted and dramatically slowed
• Halted Webfolio system

4
Timeline

• Started spreading Saturday morning through
  network servers
• Infected over 150,000 servers each searching
  for another IP address to infect
• Brought under control Sunday
• Things mostly back to normal by Monday
• May strike again and cause problems this week or
  longer

5
Affects

• Jammed e-mail servers
• Made downloading files or e-mail attachments
  impossible
• Overloaded the WWW
• Knocked entire countries off the Internet

6
U.S.A and Canada Impact

• Closed down ATMs (Bank of America, Interact)
• Newspapers couldnt be published
• E-commerce and Web sites shut down Amazon,
  Mapquest
• Helpdesks
• Airlines (Continental)
• Department of Defense (DoD computers hard hit)

7
Worms Wrath KoreaOne of the Worlds most
Wired Countries

• Korea high use of broadband Internet services
  was particularly vulnerable
• 860,000 of damage by Sunday
• All e-commerce ceased just days before Korean
  Lunar New Year holiday (biggest sales days in
  Korea)
• Thousands of Internet cafes sat empty

8
Packets

• Standard that breaks the data up into tiny
  packets of information before sending them to
  their destination
• Data flood caused by worm crowds out these data
  packets
• 20 of data packets lost
• Resulted in data have to be resent
• Causing even more Internet traffic

9
Pirated SQL Software Impact South Korea

• 49,000 of 52,000 SQL customers updated software
  and took security measures
• 100,000 illegal copies of the SQL program (double
  that of its legal sales) were not updated causing
  most of the problems

10
Characteristics

• Similar to Code Red virus 2001 work designed to
  attach the White House Web site
• Did not delete files or harm computers but
  overwhelmed systems with massive numbers of
  requests for information.
• Tiny size 376 bytes
• Took only two hours to reach its saturation
  point, vs. a day and a half for the Code Red worm

11
Worm vs. Virus

• Worms move from one computer to another without
  the help of human interaction
• Viruses go from file to file within a specific
  computer and damage or destroy files and/or the
  fixed disk.
• Slammer was not a denial of service (Dos) worm,
  but a saturation worm.