IT departments wrestle with Slammer worm

IT departments worldwide worked frantically over the weekend updating their SQL Server databases to protect their networks from...

IT departments worldwide worked frantically over the weekend updating their SQL Server databases to protect their networks from the Slammer worm, one of the most powerful denial-of-service Internet attacks since Code Red in 2001.

Bank of America, one of the biggest banks in the US, was hit hard when many customers could not get money from its 13,000 cash machines for several hours.

A security notice on the Cert security site, run by Carnegie Mellon University, reported that the attack exploits a buffer-overflow in the Microsoft SQL Server "Server Resolution Service".

The service allows two SQL server databases on the same machine to check if the other is working by using the Internet ping command. Cert said an attacker can create a forged ping message, which causes the SQL Server databases to exchange messages continuously, using up server and network resources until one of the servers or network fail.

Microsoft issued a security patch for the vulnerability last July

But Russ Cooper, a security consultant who runs the popular NTBugTraq security site, said patching SQL Server was difficult as users needed to allocate time to test the patch.

Furthermore, in the case of Slammer, even though users could apply the patch Microsoft has provided, Cooper said the patch required users to install a hot fix separately described in Microsoft article Q317748 on the Microsoft Knowledgebase (

Many security experts have advised users to disable firewall port 1434. But Cooper warned that such a move might not be practical.

In a bulletin on NTBugTraq, he said that in order to manage SQL Server remotely without access to Port 1434, a system administrator would have to deploy a virtual private network or use Microsoft's Terminal Services, neither of which is as effective.

The affected Microsoft database engine is deployed not only in SQL Server but also with other programs, such as Visual Studio .net and Office XP Developer Edition. This means Slammer has the potential to spread beyond purely SQL database servers.

Security firm MessageLabs warned on its website that traditional anti-virus scanners would be unable to detect SQL Slammer since it does not write anything to the infected computer's hard disk.

Read more on Network software

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.