Tech mahindra

Decoding the Fastest Worm in Internet’s History

Posted by: Kamlesh Patil On May 11, 2011 11:55 AM


During the final stages of World War II, a small atom bomb explosion caused huge devastation in the cities of Hiroshima and Nagasaki, killing nearly 90,000–166,000 people, with losses of over 200 million. Similar to that attack was the attack on MS SQL systems. It carried just about 376 bytes of code yet caused massive destruction, resulting in lost productivity of between $950 million and $1.2 billion and affecting almost 247,000 systems, making it the most costly malicious code.

Huff!!! Enough of Rajnikanth – Let’s be a bit Technophobic

Before the worm spread worldwide on 25th January 2003, David Litchfield and his colleagues had already identified, in May 2002, the buffer overflow vulnerability that the worm exploited. His experiments revealed that when packets whose leading byte ranged over the values 0x01–0xFF were sent to the SQL server over its UDP port 1434, the SQL server collapsed by the time it received the 0x08 packet.

He developed C code to examine the SQL server's behaviour when it received the 0x08 packet. In it he used the strtok() function, which takes two strings (inString and delimiters) as arguments. Once the first token had been processed, strtok was called again, this time with a NULL pointer for the first string to indicate that the next token should be taken from the same original string. This process was repeated until strtok returned a NULL pointer, which indicated that no more tokens were left in the string. The MS SQL server code treated that NULL pointer as a valid return value, resulting in the crash of the system.

An attempt was made to change the function and use atoi() instead, but that too resulted in system failure. Further observation revealed that the SQL server was looking for a hostname and a port number separated by a colon, and any unregulated input that did not meet this criterion caused the system to fail. The experiments further revealed a similar bug whereby an input packet with the value 0x04, followed by a colon or by any other value after the 0x04, was passed to the sprintf() function, which dumped the value into the destination buffer. Since the MS SQL server used a fixed-size buffer on its stack, this led to a buffer overflow resulting in system failure.
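To make the two checks concrete, here is an added example (not Litchfield's code and not Microsoft's) of how a resolution-service handler can validate the 0x04 and 0x08 messages described above: a length check and bounded copy instead of an unchecked sprintf() into a fixed stack buffer, and a NULL check on every strtok() result plus a numeric port check. The message layout (type byte followed by payload), the buffer sizes and the function names are assumptions for illustration.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Verdicts returned by the hypothetical resolution-service handlers. */
enum ssrp_verdict { SSRP_OK = 0, SSRP_TOO_LONG, SSRP_MALFORMED, SSRP_UNKNOWN };
#define INSTANCE_MAX 32   /* assumed size of the fixed stack buffer */

/* Type 0x04: instance name follows the type byte. A length check and a
 * bounded copy replace the unchecked sprintf() into a fixed stack buffer. */
static enum ssrp_verdict handle_type4(const unsigned char *msg, size_t len)
{
    char instance[INSTANCE_MAX];
    size_t n = len - 1;                      /* payload bytes after the type */
    if (n >= sizeof instance) return SSRP_TOO_LONG;   /* reject, never overflow */
    memcpy(instance, msg + 1, n);
    instance[n] = '\0';
    return SSRP_OK;
}

/* Type 0x08: "hostname:port". Every strtok() result is checked for NULL,
 * and the port must be numeric and in range before it is used. */
static enum ssrp_verdict handle_type8(const unsigned char *msg, size_t len)
{
    char buf[64];                            /* assumed fixed buffer */
    size_t n = len - 1;
    if (n >= sizeof buf) return SSRP_TOO_LONG;
    memcpy(buf, msg + 1, n);
    buf[n] = '\0';
    char *host = strtok(buf, ":");
    char *port = strtok(NULL, ":");
    if (host == NULL || port == NULL) return SSRP_MALFORMED;   /* missing colon or field */
    for (const char *p = port; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p)) return SSRP_MALFORMED; /* atoi() would hide this */
    long pn = strtol(port, NULL, 10);
    if (pn < 1 || pn > 65535) return SSRP_MALFORMED;
    return SSRP_OK;
}

/* Dispatch on the leading type byte of a UDP/1434 datagram. */
enum ssrp_verdict ssrp_check(const unsigned char *msg, size_t len)
{
    if (len == 0) return SSRP_MALFORMED;
    switch (msg[0]) {
    case 0x04: return handle_type4(msg, len);
    case 0x08: return handle_type8(msg, len);
    default:   return SSRP_UNKNOWN;
    }
}
```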

The worm did not use the SQL language for its attack but instead exploited the buffer overflow vulnerability in Microsoft SQL Servers. It was identified that the worm infected systems over UDP port 1434, the service port enabled by default on MS SQL systems for SQL service resolution. The code was so small that it easily fit into a single network packet. The code simply generated random IP addresses (subnet specific), fired itself at them, and lodged on any system that had Microsoft SQL Server Desktop Engine (MSDE) installed. Infected systems in turn generated huge volumes of IP traffic by repeating the same process on the network, causing routers incapable of handling such extremely high traffic volumes to fail and amounting to a DoS attack. Rather than hampering the systems themselves, the worm was found to be more interested in choking the network traffic.

These factors contributed to my incarnation. My creator was an undertaker in his past life, and when he met mankind he had only one thing in his mind.... Choke Slam!!!

Trivia – Wots my name, wots my name, wots my name????

Tags: Security
For further information please write to connect@techmahindra.com