Forgot your password?
typodupeerror
Security IT

10 Years After SQL Slammer 58

Posted by Soulskill
from the lesson-learned dept.
Trailrunner7 writes "Ten years ago today, on Jan. 25, 2003, a new worm took the Internet by storm, infecting thousands of servers running Microsoft's SQL Server software every minute. The worm, which became known as SQL Slammer, eventually became the fastest-spreading worm ever and helped change the way Microsoft approached security and reshaped the way many researchers handled advisories and exploit code. This is the inside story of SQL Slammer, told by David Litchfield, the researcher who found the bug and wrote the exploit code that was later taken by Slammer's authors and used as part of the worm."
This discussion has been archived. No new comments can be posted.

10 Years After SQL Slammer

Comments Filter:
  • by xxxJonBoyxxx (565205) on Friday January 25, 2013 @04:23PM (#42694879)

    Kind of hard to believe that ten years ago it was quite common for people to still have their SQL Servers hooked up the Internet with no firewall or firewall rules that permitted direct connections to the control port. Good luck finding that configuration today...

    • by h4rr4r (612664) on Friday January 25, 2013 @04:29PM (#42694955)

      There are still tons of them.

      I have heard such a setup suggesting in the past 12 months by a customer to make life easier for them. We did not do that.

    • by gstoddart (321705) on Friday January 25, 2013 @05:03PM (#42695295) Homepage

      My guess is it's far more common than you'd think. A lot of software is really awful when it comes to security, and a lot of places don't do much better.

      I ran into a piece of software about 3-4 years back which lived in the DMZ to provide access to internal servers. The software in question stored passwords in plain text in the registry -- we're talking the admin password for the production database. I screamed bloody murder at how big of a risk that was, but eventually got told to STFU. Thankfully, it was a short contract and I wasn't around much longer.

      You might be shocked to find out how often security is secondary to cost and convenience. I'm betting loads of people here on Slashdot have encountered things like this.

      Look at all the stories we've seen about SCADA [slashdot.org] devices being on the internet -- people are regularly putting mission critical stuff directly onto the internet with no good security.

      • The problem is that decent security is often too "costly" or "difficult" for the end user.
        I'd love to implement great security for every customer we have but it's always up to them and how much "trouble" they want to get through using their network (even if it isn't really).
        The only thing I don't like is IT companies setting up a customer with a shoddy network in the first place.
        • by khasim (1285) <brandioch.conner@gmail.com> on Friday January 25, 2013 @05:34PM (#42695721)

          I'd love to implement great security for every customer we have but it's always up to them and how much "trouble" they want to get through using their network (even if it isn't really).

          That's the real problem. It will always be easier to NOT do something than it will be to do something.

          And NOT doing something will, 99%+ of the time, will be less expensive than doing something.

          It is only when that less-than-1%-of-the-time event hits that "something" gets done. And even then the 'something" is usually a panic reaction and NOT real security.

      • by Shoten (260439)

        My guess is it's far more common than you'd think. A lot of software is really awful when it comes to security, and a lot of places don't do much better.

        I ran into a piece of software about 3-4 years back which lived in the DMZ to provide access to internal servers. The software in question stored passwords in plain text in the registry -- we're talking the admin password for the production database. I screamed bloody murder at how big of a risk that was, but eventually got told to STFU. Thankfully, it was a short contract and I wasn't around much longer.

        You might be shocked to find out how often security is secondary to cost and convenience. I'm betting loads of people here on Slashdot have encountered things like this.

        Look at all the stories we've seen about SCADA [slashdot.org] devices being on the internet -- people are regularly putting mission critical stuff directly onto the internet with no good security.

        With the exception of the password storage using clear text, what you're describing has nothing to do with software insecurity but everything to do with architecture insecurity. SCADA devices, database servers, or any "back office" infrastructure that is exposed broadly to the Internet without a genuine business case for anyone and their dog to have direct access to it is a bad idea. It's not about the software, in that case, it's about how the infrastructure is designed to contain it (or not). And the r

        • > And the really odd thing is that it's usually WAY easier to address this kind of insecurity than it is to fix problems in software, especially COTS products. You just have to try. Yes, it costs a bit, but it's not exactly exotic and it's not all that expensive. Firewalls are cheap, faster than ever and not terribly difficult to manage anymore.

          No, it's usually WAY difficult to address this "architecture" insecurity as you put it. I really don't understand why you're even mentioning firewall costs at al

    • You'll see all kinds of ancient exploits still being tried by machines around the world.

      At one place I worked, the contractors who came in to install the VoIP system also connected one of the Win2K3 servers directly to the Internet so that they could manage the VoIP system "easier". And that was back around 2010.

      Never underestimate the power of laziness and stupidity.

      • by dbIII (701233)
        2012 and I had one clown that wanted us to forward the telnet port in from the internet to the phone system he was installing and keep it open forever so he could configure it remotely. Of course there was no password, and of course the username was something obvious. I wonder how many places are giving script kiddies free phone calls thanks to that clown.
        It was almost his last install and last day breathing. He took a can of drink into the server room and had it sitting on a large UPS of quite a few kW
    • by Synerg1y (2169962)
      It's mostly done through injecting the pointer via a web application nowadays to create a SQL injection attack. Works especially well on retards who use dSQL, never have a seen a dumber implementation of SQL, or such a large compelling reason not to use it.
  • by rastakid (648791) on Friday January 25, 2013 @04:25PM (#42694915) Homepage Journal

    Slashdot does it again.

  • Can't get my head around this... why would you want to run MSSQL every minute? It's not that unstable.

  • Google Cache Version (Score:5, Informative)

    by Anonymous Coward on Friday January 25, 2013 @04:38PM (#42695061)
  • by Cid Highwind (9258) on Friday January 25, 2013 @04:42PM (#42695081) Homepage

    So this guy "wrote the exploit code that was later taken by Slammer's authors and used as part of the worm", and he's not dead or serving an eleventy hojillion year federal prison sentence?

    Times change indeed...

    • by eap (91469) on Friday January 25, 2013 @05:00PM (#42695271) Journal

      So this guy "wrote the exploit code that was later taken by Slammer's authors and used as part of the worm", and he's not dead or serving an eleventy hojillion year federal prison sentence?

      Times change indeed...

      The article mentions he was paid by a company in Germany to penetrate their heavily-fortified SQL Server installations. This is when he developed the exploit code. Presumably it's not illegal for a company to pay you to security test its systems.

      He also took the steps of communicating the exploit to Microsoft before releasing the code. He even asked their permission before divulging the code, and didn't do so until MS had released a fully corrective patch.

      You're right, however, he'd be in jail if it happened today.

      • by sycodon (149926)

        One has to ask, why would he release the code?
        What was the point?
        What was the benefit?

    • by gmuslera (3436)
      Authorities weren't aware yet. Now he probably will be jailed till next century, along with Randall Munroe [xkcd.com].
  • by nweaver (113078) on Friday January 25, 2013 @04:47PM (#42695139) Homepage

    We (David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, and myself) did the analysis of how it spread, including showing how it infected all the vulnerable systems in 10 minutes, and detailing flaws in the random number generator.

    Our article eventually appeared in IEEE Security & Privacy [ieee.org].

    • by cusco (717999)
      I remember that being a very busy week for my boss and myself. Take the machine off the network, back up the database, remove MSDE, whack everything referring to SQL in the registry and all the folders since MSDE didn't clean up after itself very well, reboot, reinstall MSDE, apply patch, restore database, plug back into the network, leave our list of security recommendations to the customer, go to the next site. Wash, rinse, repeat.
      • by yuhong (1378501)

        Why would removal and reinstallation of MSDE be required?

        • by cusco (717999)
          We tried just rebuilding MSDE a couple of times and it didn't get rid of it consistently. Brute force worked every time, so better to spend the extra time on five customers than have to go back and re-do your work on one or two of them. There were some situations where we couldn't, and my boss took care of those to make sure that it was done correctly and Slammer was gone.
    • by Anonymous Coward

      It'll cost me 31 dollars to read that article. I think I'll pass.

    • I didn't know. So here's a Non paywalled copy [berkeley.edu].

      • by Dagger2 (1177377)

        Thank you.

        This also saves me the effort of working out what it means when it asks me for "US£31.00".

  • by A Friendly Troll (1017492) on Friday January 25, 2013 @05:17PM (#42695513)

    Letting a DB server out on the internet is moronic by itself, but not having installed a patch [microsoft.com] that was available 6 months before the worm started spreading, well, that's even worse.

    The worst thing of all, however, is that Microsoft *itself* had unpatched instances of SQL Server out on the net and they themselves got pwned.

    • by yuhong (1378501)

      Yea, at that time Windows Update and SUS did not cover anything other than Windows itself. In fact, at that time SQL Server hotfixes and updates did not even have an installer. You had to use manual file copy to install them, and this included manual version checking if you installed more than one of them. Needless to say, when WSUS and Microsoft Update was created in mid-2005, SQL Server was included.

      • by yuhong (1378501)

        And of course not only does post SQL Server 2000 SP3 hotfixes have an installer, but the original patch was repackaged with it too.

    • That's a little harsh. At the time of slammer, I was feeling superior as I had rolled that patch out when it was released. It was then that I discovered the horror of MSDE installed, unpatched on user PCs and various application servers.
  • Ten years down the line, does it run on Linux yet?

  • I can remember back then when the campus network was put to a halt when a single laptop overloaded the poor Cisco router connected to the internet with too much requests. It took us quite some time to isolate the problem when we were using hubs and unmanaged switches. It was quite dramatic when I stormed the room in a middle of a presentation and pulled the UTP plug out of the computer! :)

    I can also remember the Nimda worm back then when it infected a part of the network. Good thing we were using higher e

The first version always gets thrown away.

Working...