Do some research on the SQL Slammer worm Please include a lo

Do some research on the SQL Slammer worm. Please include a lot of info on prevention opportunities that were missed and the propagation speed.

Solution

The SQL Slammer worm is a computer virus that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic, starting at 05:30 UTC on January 25, 2003. It spread rapidly, infecting most of its 75,000 victims within 10 minutes. Although titled "SQL Slammer worm", the program did not use the SQL language. Other names include W32.SQLExp.Worm, DDOS.SQLP1434.A, the Sapphire Worm, SQL_HEL, and W32/SQLSlammer.


What can you do, according to Microsoft, to protect against the Slammer worm?

Download SQL Server 2000 SP3a or MSDE 2000 SP2. Install the following SQL Server 2000 Security Tools:

SQL Scan
SQL Check
SQL Critical Update

These tools allow you to scan instances of SQL Server 2000 or MSDE 2000 on your corporate network, detect security vulnerabilities, check a single machine, and apply security update MS02-061 to any vulnerable system.

How does Slammer work?

1 - Get Inside
Slammer masquerades as a single UDP packet, one that would normally be a harmless request to find a specific database service. The first byte in the string - 04 - tells SQL Server that the data following it is the name of the online database being sought. Microsoft's tech specs dictate that this name be at most 16 bytes long and end in a telltale 00. But in the Slammer packet, the bytes run on, craftily coded so there is no 00 among them. As a result, the SQL software pastes the whole thing into memory.

2 - Reprogram the Machine
The initial string of 01 characters spills past the 128 bytes of memory reserved for the SQL Server request and into the computer's stack next door. "Stack" is programmer-speak for an orderly list of information the computer shuffles to remind itself what to do next, like tidy paperwork on a desk. The first thing the computer does after opening Slammer's too-long UDP "request" is overwrite its own stack with new instructions that Slammer has disguised as a routine query. The computer reprograms itself without realizing it.

3 - Choose Victims at Random
Slammer generates a random IP address, targeting another computer that could be anywhere on the Internet.

4 - Replicate
The envelope is addressed, now it just needs to be stuffed. Slammer points to its own code as the data to send. The infected computer writes out a new copy of the worm and licks the UDP stamp.

5 - Repeat
After sending off the first tainted packet, Slammer loops around immediately to send another to a different computer. It doesn't waste a single millisecond. Instead of making another call to the system clock to get the time, it just shuffles the bits of the IP address already in memory to create a new one. Slammer's one bug is buried here: the reshuffling leaves a few digits in the address unchanged. It hardly matters, though, since the computer is now spewing packets as fast as its network cable can carry them away. Slammer commandeered just 75,000 SQL machines. But because it replicated so fast, the worm was able to take down millions more, kicking them offline with a flood of meaningless traffic.

What can you do to get rid of the worm?

Since the worm does not infect any files, an infected machine can be cleaned by simply rebooting the machine. However, it will soon get re-infected if the machine is connected to the network without applying relevant patches for MS SQL Server.
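
An added example, not part of the original answer: a Python check that applies the packet rules from steps 1 and 2 above (first byte 04, a name of at most 16 bytes ending in 00, 128 bytes reserved) to a captured UDP payload. The function names and sample payloads are constructed for illustration, and treating a name longer than 128 bytes as a buffer overrun is a simplifying assumption.

```python
from dataclasses import dataclass

REQUEST_TYPE = 0x04      # first byte described in step 1
MAX_NAME_LEN = 16        # name limit stated in step 1
RESERVED_BUFFER = 128    # reserved memory stated in step 2

@dataclass
class Verdict:
    label: str             # "other", "well-formed" or "oversized"
    name_len: int          # bytes before the first 0x00, or to end of payload
    overruns_buffer: bool  # rough indicator based on the 128-byte figure

def inspect_payload(payload: bytes) -> Verdict:
    """Classify one UDP payload against the rules in step 1."""
    if not payload or payload[0] != REQUEST_TYPE:
        return Verdict("other", 0, False)
    body = payload[1:]
    end = body.find(b"\x00")
    # With no terminator, the receiver would keep copying to the end of the data.
    name_len = len(body) if end == -1 else end
    if end != -1 and name_len <= MAX_NAME_LEN:
        return Verdict("well-formed", name_len, False)
    return Verdict("oversized", name_len, name_len > RESERVED_BUFFER)

# Constructed sample payloads (filler bytes only, no worm code).
SAMPLES = {
    "named instance lookup": b"\x04" + b"PAYROLL" + b"\x00",
    "16-byte name": b"\x04" + b"A" * 16 + b"\x00",
    "17-byte name": b"\x04" + b"A" * 17 + b"\x00",
    "unterminated 200-byte run": b"\x04" + b"A" * 200,
    "first byte is not 04": b"\x02",
    "empty": b"",
}

def scan(samples):
    """Return a verdict for every named payload."""
    return {name: inspect_payload(p) for name, p in samples.items()}

if __name__ == "__main__":
    for name, v in scan(SAMPLES).items():
        print(f"{name:28} {v.label:12} name_len={v.name_len:3} "
              f"overrun={v.overruns_buffer}")
```

A check like this belongs on a sensor or filter in front of the database host; it flags malformed requests but does not replace applying the patches mentioned above.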

Tutor: Dr Jack