SQL Slammer: How it works--prevent it

The worm exploits known vulnerabilities in Microsoft SQL 2000 servers. SQL Slammer spreads by scanning the Internet for vulnerable systems.

The SQL Slammer worm (w2.SQLSlammer.worm), also known as Sapphire (F-Secure), w32.SQLexp.worm (Symantec), and Helkern (Kaspersky), exploits known vulnerabilities in Microsoft SQL 2000 servers. It has little impact on home or desktop PCs, and it does not infect Linux, Mac, or Unix systems.

SQL Slammer spreads by scanning the Internet for vulnerable systems, and it is this scanning activity that has degraded service across the entire Internet.

A patch issued by Microsoft last summer removes the buffer overflow vulnerability in SQL 2000 servers. The large number of unpatched systems, however, accounted for the worm's rapid spread across the Internet beginning at 12:30 a.m., January 25, 2003.

How it works
SQL Slammer exploits the way in which MS SQL servers process input on the SQL Server Resolution Service port, UDP 1434. A specially crafted packet of only 376 bytes sent over the Internet can remotely compromise a vulnerable server. The worm itself is fileless and resides only in memory, much like Code Red. It does not create or delete files but actively scans for other vulnerable MS SQL servers. The aggressive scanning done by SQL Slammer overloaded many networks on January 25, 2003, slowing Internet traffic.

SQL Slammer targets systems running MS SQL Server 2000 and/or systems running Microsoft Desktop Engine (MSDE) 2000, which is included in Visual Studio .Net, Asp.net Web Matrix Tool, Office XP Developer Edition, MSDN Universal and Enterprise, Microsoft Access, and Microsoft Application Center 2000.

The worm can be removed by rebooting an infected system, but that alone does not guard against reinfection at a later time. The underlying Server Resolution Service buffer overrun flaw exploited by SQL Slammer was first reported in June 2002 and patched in MS02-039; additional information is available in the SQL Elevation of Privilege patch MS02-061. Systems already patched by installing SQL Server 2000 Service Pack 3 are not affected. Until a patch can be installed, system administrators may block the following SQL Server ports at their firewall/gateway:

    ms-sql-s 1433/tcp #Microsoft-SQL-Server
    ms-sql-s 1433/udp #Microsoft-SQL-Server
    ms-sql-m 1434/tcp #Microsoft-SQL-Monitor
    ms-sql-m 1434/udp #Microsoft-SQL-Monitor
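The two facts above that matter to a defender are the worm's signature (a single 376-byte UDP datagram to port 1434) and its behaviour (an infected host sprays such datagrams at many addresses). The following Python script is an added example, not code from the article or from any vendor tool; it applies both observations to firewall or flow logs. The log format (timestamp, source, source port, destination, destination port, protocol, byte count) and the sample lines are constructed for the example, and the scan thresholds are assumptions, not figures from the article.

```python
"""Flag SQL Slammer-style traffic in firewall/flow logs (added example, not from the article).

Assumed, simplified log line format (not from the article):
    <ISO timestamp> <src_ip> <src_port> <dst_ip> <dst_port> <proto> <bytes>
"""
from collections import defaultdict
from datetime import datetime

# The four ports the article says to block at the firewall/gateway.
SQL_PORTS = {("tcp", 1433), ("udp", 1433), ("tcp", 1434), ("udp", 1434)}
SLAMMER_PAYLOAD_LEN = 376   # size of the single exploit packet, per the article
SCAN_THRESHOLD = 20         # assumed: distinct udp/1434 targets from one source ...
WINDOW = 10                 # ... within this many seconds marks the source as a scanner


def parse_line(line):
    ts, src, sport, dst, dport, proto, nbytes = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
        "proto": proto.lower(), "bytes": int(nbytes),
    }


def is_blocked_port(rec):
    """True if the article's interim firewall rule would have dropped this record."""
    return (rec["proto"], rec["dport"]) in SQL_PORTS


def is_slammer_packet(rec):
    """Signature match: one 376-byte UDP datagram to the Resolution Service port."""
    return rec["proto"] == "udp" and rec["dport"] == 1434 and rec["bytes"] == SLAMMER_PAYLOAD_LEN


def find_scanners(records, threshold=SCAN_THRESHOLD, window=WINDOW):
    """Return sources that hit >= threshold distinct hosts on udp/1434 within `window` seconds.

    A source matching this is most likely an infected machine on your own network
    that needs rebooting (clears the memory-resident worm) and then patching.
    """
    by_src = defaultdict(list)
    for r in records:
        if r["proto"] == "udp" and r["dport"] == 1434:
            by_src[r["src"]].append(r)
    scanners = set()
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        lo = 0
        for hi in range(len(recs)):          # sliding time window over the hits
            while (recs[hi]["ts"] - recs[lo]["ts"]).total_seconds() > window:
                lo += 1
            if len({r["dst"] for r in recs[lo:hi + 1]}) >= threshold:
                scanners.add(src)
                break
    return scanners


def analyse(lines):
    records = [parse_line(l) for l in lines if l.strip()]
    return {
        "slammer_packets": [r for r in records if is_slammer_packet(r)],
        "would_be_blocked": sum(1 for r in records if is_blocked_port(r)),
        "scanners": find_scanners(records),
    }


# Constructed sample: an internal host (10.0.0.5) spraying 376-byte udp/1434 datagrams
# at five addresses per second, one inbound exploit packet, and two benign flows.
SAMPLE_LOG = [
    f"2003-01-25T00:30:{i // 5:02d} 10.0.0.5 3420 198.51.100.{i + 1} 1434 udp 376"
    for i in range(25)
] + [
    "2003-01-25T00:30:03 10.0.0.9 51234 10.0.0.20 1433 tcp 1500",   # legitimate SQL client
    "2003-01-25T00:30:04 10.0.0.9 51235 203.0.113.7 80 tcp 640",    # ordinary web traffic
    "2003-01-25T00:30:05 192.0.2.44 1434 10.0.0.20 1434 udp 376",   # inbound exploit packet
]

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print(f"signature hits      : {len(result['slammer_packets'])}")
    print(f"dropped by port rule: {result['would_be_blocked']}")
    print(f"scanning sources    : {sorted(result['scanners'])}")
```

The port-blocking check shows why the interim rule works against the worm but also hits the legitimate client on tcp/1433 in the sample, which is the trade-off the article's advice implies until SP3 or MS02-039 is installed. The scanner check is the part that survives once the packet size changes: it keys on the spraying behaviour rather than the 376-byte signature.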

Vendors McAfee, Symantec, and Trend Micro have removal tools available for systems infected with SQL Slammer.

For the latest news on SQL Slammer, see this ZDNet News Focus.