Slammer time - SQL worm brings net to its knees over weekend

A worm that attacks Microsoft's database software spread through the internet over the weekend, causing cash machines to stop issuing money, taking most of South Korea offline, and generally slowing down the internet.

The worm, known as SQL Slammer, takes advantage of a bug that was discovered last July in Microsoft's SQL Server database software. Although a patch has been available since then, many system administrators have failed to install the patch, leaving their computers vulnerable.

The result: chaos.

Bank of America said 13,000 of its ATMs refused to dispense cash. In South Korea, the country's largest ISP KT Corp said all almost all its customers lost their connections during the attack. Chinese computer users saw sites freeze and a dramatic slowdown in download speeds, as the worm's effects hit the internet's nameservers - the computers that translate web addresses into numerical Internet Protocol addresses. And all this in just 376 bytes of code, meaning the entire SQL Slammer worm code is about half the length of this paragraph.

Anti-virus firm F-Secure said the effects were so marked because the worm generates massive amounts of network packets, overloading servers and routers and slowing down network traffic.

"As many as five of the 13 internet root nameservers have been downed because of the outbreak," said the company in an alert.

SQL Slammer's code instructs the Microsoft SQL Server to go into an endless loop, continually sending out data to other computers, in effect performing a denial of service attack, F-Secure said, comparing the slowdown to the impact of the Code Red virus, which brought internet traffic to a halt in the summer of 2001.

The worm has been rated as critical by Microsoft and by anti-virus companies because of the damage it has caused, although it is not thought to damage data on infected machines. It does not spread through email and will not affect most home users' computers directly, said experts, although PCs that use the Microsoft SQL Server 2000 Desktop Engine, such as Visual Studio .Net and Office XP Developer Edition, are also vulnerable, according to Microsoft chief security strategist Scott Charney.

The first reported attacks of SQLSlammer were recorded around 05:30 GMT on Saturday morning, and it has been subsequently reported in many countries across the globe, said anti-virus firm Messagelabs. Unlike mass-mailing worms, SQL Slammer does not write files to a computer's hard disk but resides in memory. While this makes it easy to remove - a computer simply has to be rebooted - it also makes it difficult for anti-virus software to detect it, said Messagelabs. And as soon as a rebooted computer is reconnected to the internet, it will be vulnerable to reinfection unless it has first been patched.

Microsoft said it became aware several hours later at 00.30 Pacific time "of an internet attack causing a dramatic increase in network traffic worldwide". Calling the release of the worm a criminal act, Microsoft said it was "working around the clock to ensure our affected customer's are protected".

But even as some Microsoft executives urged companies to download patches, others admitted that this was not as easy as it sounded. Microsoft spokesman Rick Miller was quoted in USA Today as confirming that internet congestion was interfering with administrators trying to download the patch.

"The same congestion also completely prevented consumers from contacting Microsoft over the internet to unlock the anti-piracy features of its latest products, including the Windows XP and Office XP software packages," said the paper.

System administrators who are unable to download the patch should block UDP port 1434, said experts. This will prevent external attacks from exploiting the vulnerability. UDP port 1434 is used by the SQL Server Resolution Service, which provides a way for clients to find a particular instance of SQL Server on a machine.

It is this Resolution Service that contains the flaw exploited by SQL Slammer. SQL uses a keep-alive mechanism to distinguish between active and passive instances but the flaw means that if a particular data packet is sent to the SQL Server 2000 keep-alive function, it will reply to the sender with an identical packet. Under normal circumstances this is not a problem, according to Microsoft but by spoofing the source address of such a packet, it would be possible to cause two SQL Server 2000 systems to start an endless cycle of packet exchanges.

This is how SQL Slammer operates. In its original description of the flaw, Microsoft explained the sequence of events:

"Suppose there were two SQL Servers with the vulnerability, Server 1 and Server 2. Now suppose the attacker created the needed keep-alive packet and modified the source address so that it contained Server 1's address, then sent the packet to Server 2. This would initiate the exchange, because Server 2 would reply to Server 1, which would reply to Server 2, ad infinitum."

However, system administrators do appear to have acted quickly - at last. By late Saturday, the worm appeared to have passed its peak, said anti-virus firms.

Charney said the wide-spread effects of SQL Slammer could have been avoided. "The unfortunate thing about this is when you know that this was a problem and [customers] hadn't updated," Charney said, "That's a bit frustrating."

"It was a vulnerability. We knew about it but someone is exploiting it. We want our customers to be as secure as possible and install the patches."