Slammer Worm in information Security

Slammer Worm is known as sapphire, Helkern, etc. This is the fastest spreading worm in the year 2003 and some called this a ‘Worhol worm’. It was discovered on 25 January but some traces were found to be similar on 20 January. It generated a massive amount of network packets that lead to the overloading of servers and slowing down the traffic of the network. This Worm does not save itself in any memory and it does not create or modify files in the system. It affects only those which have Microsoft SQL server 2000 or MSDE 2000 running on the system. This worm can affect the devices if the software like Microsoft Biztalk Server, etc that has silently installed MSDE 2000 or Microsoft SQL server 2000 in the system. It took 15 minutes for this worm to spread worldwide and infected over three lakhs and fifty-eight thousand. Many DNS servers went down and experienced massive packet loss because of the bandwidth this worm consumed.

Interesting facts:

• It infected a greater percent of computers within 10 minutes.
• Almost all Windows systems were affected due to the slammer worm.
• The worm affected the private leased network and caused service interruption in the financial institution.

Who created this virus? What is the history of this virus?

It was originally discovered by a security expert David Litchfield. In the year 2002 Microsoft had released a patch that could fix this worm. As many people did not try to fix this weakness, in 2003 seventy-five thousand servers were infected. Many ATMs would not work for the consumers and the damage was just getting worse. So on 25 January 2003, this worm caused a global internet slowdown. Now many people were reporting that they were getting 911 calls and were also responsible for many canceled flights.

Functions of the slammer worm –

• This generates a massive amount of network packets that lead to the overloading of servers. Later it slows down the internet connections.
• It does affect any system, but it affects those systems that have Microsoft SQL Server 2000 (i.e; SQL Server 2000 Enterprise Edition and Standard Edition, SQL Server 2000 Evaluation version, and SQL Server 2000 Developer Edition, SQL Server 2000 Personal Edition) or MSDE 2000 running.

Effects of this worm –

• It slows down the network connections because it generated a massive amount of network packets that lead to the overloading of servers.
• It has functionality that can block the network.
• It has the capacity to slow or block the server.
• This worm can make the email service fail.
• This Worm can increase the traffic through the UDP port 1434.
• This Worm does not save itself in any memory and it does not create or modify files in the system.
• It only affects those who have Microsoft SQL Server 2000 running on the system.

Case study:

There was one country where the worm had affected. Some Koreans claimed that their entire infrastructure knocked out and billions of won were lost. Some companies like SK Telecom and ISP KT Freetel Corp had also lost their internet connections. This sort of thing happened in South Korea because of the slammer worm.

The way this worm infects the system –

• 1. It goes to computer memory.
• 2. It then loads some API functions to generate an Ip address and infect other machines.
• 3. It starts sending multiple packets that contain the code of this worm and it results in a DDOS attack on the port.

Prevention of the worm –

• The worm can be removed by rebooting an infected system.
• We should use some antivirus like Mcafee, Symantec, Trend Micro which have these removal tools to remove this type of virus.