Many people might have heard of the Slammer worm, but few people fully understand the root of the attack. Familiarizing yourself with Slammer's methods can help you evaluate the risk to your environment and prepare for future attacks by similar worms.
MSDE provides a code base for programmers so that they don't need to manually write base code for their products. One reason that so many systems are vulnerable to worms such as Slammer is that many IT departments don't know which applications were built using MSDE and thus which systems need to be patched.
Slammer creates a buffer overflow when SQL Monitor initiates a request to communicate with the registry, thus letting the worm execute its malicious commands in a privileged state. The infected system becomes a zombie that the worm uses to find and attack other systems. The worm makes a call to the Windows API GetTickCount function and uses the result as a seed value to generate random IP addresses, then opens a socket on the infected system and continually scans those IP addresses in an attempt to identify and infect other vulnerable systems.
One reason the original Slammer attacks occurred so quickly is that the worm uses UDP instead of TCP, so Slammer didn't need to establish a full TCP connection with each vulnerable system. The only limitation to the scanning activity and continual infection rate was the zombie's bandwidth connection to the Internet and internal servers. An infected SQL Server system could complete between 4000 and 30,000 scans per second, depending on its available bandwidth. Also, a connectionless protocol such as UDP doesn't require a three-way handshake, making it easier for the worm to bypass firewalls and spoof a UDP packet's source address and port.
Recovering and Preventing Future Infections
So how can you ensure that your systems are safe from this worm and others like it? First, determine which of your systems are vulnerable. Several Microsoft articles list susceptible applications, which include Microsoft Application Center 2000, Office XP Professional, Project Server 2002, Visio 2002 Professional, and Visual FoxPro 7.0. (You can find a full list of products at ) Then, determine whether these systems are running an applicable security patch. To do so, look in the systems' \mssql\binn folder for ssnetlib.dll. Systems on which this file has a version number of 8.00.679 or later are safe; systems with earlier versions of the file aren't secure. You can also review the following components to ensure that they have the indicated version: ssmslpcn.dll version 8.00.568, dbmslpcn.dll version 8.00.568, and ssnetlib.dll version 8.00.679. Or you can use the Slammer Vulnerability Assessment Tool ( ).
Before you begin any repairs or updates, however, decide which solutions are best for your environment. Installing different security patches, hotfixes, or service packs on many machines can become confusing, so first build a matrix that lists the vulnerable systems in your environment, which susceptible product each system runs, and which patches, hotfixes, and service packs have been applied to each system. Then, compare this information with the options that Table 1 shows. The Microsoft article "INF: SQL Server 2000 Security Update for Service Pack 2" ( =316333) describes the updated SP2 security patch, which Microsoft refined and rereleased in Microsoft Security Bulletin MS02-061 after Slammer hit. The new version of the patch doesn't require manual configuration and doesn't cause the disruptions that the earlier version caused. You can also use the tools available in the SQL Critical Update Kit ( ) to remove the worm and patch infected systems. And of course, SQL Server 2000 SP3a ( ) contains all the fixes in both SP2 and SP1. Regardless of which path you take, make sure to install any patches and service packs on test servers before installing them on your production servers. Many patches fix one thing but break another, so test them fully before deployment.
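The version check and patch matrix described above, worked through as an added example that is not from the original article: it takes a constructed inventory of per-host DLL versions (the \mssql\binn file versions the text names) and classifies each host, refusing to call a host safe when a component cannot be read. The two accepted version-string formats and the inventory shape are assumptions.

```python
"""Assess SQL Server 2000 hosts against the post-Slammer DLL builds from the text.

Added example, not from the original article. The inventory shape is constructed:
{host: {dll_name: version_string_or_None}}, as gathered from each \\mssql\\binn
folder. Version strings are assumed to arrive as "8.00.679" (the article's form)
or "2000.80.679.0" (Windows file-properties form); the third component is the build."""

# Minimum builds named in the article.
REQUIRED_BUILD = {"ssnetlib.dll": 679, "ssmslpcn.dll": 568, "dbmslpcn.dll": 568}

def build_number(version):
    """Extract the build from "8.00.679" or "2000.80.679.0"; None if unparsable."""
    if not version:
        return None
    parts = version.strip().split(".")
    if len(parts) < 3 or not parts[2].isdigit():
        return None
    return int(parts[2])  # compare numerically: as strings "679" < "70"

def assess_host(dll_versions):
    """Return (status, findings): 'patched', 'vulnerable' or 'unknown'."""
    status, findings = "patched", []
    for dll, minimum in REQUIRED_BUILD.items():
        build = build_number(dll_versions.get(dll))
        if build is None:
            findings.append(f"{dll}: missing or unparsable version")
            if status == "patched":
                status = "unknown"        # cannot call it safe without evidence
        elif build < minimum:
            findings.append(f"{dll}: build {build} < required {minimum}")
            status = "vulnerable"         # one old component is enough
    return status, findings

def build_matrix(inventory):
    """The per-host matrix the article recommends, keyed by host name."""
    return {host: assess_host(dlls) for host, dlls in inventory.items()}

# Constructed inventory; version values are illustrative, not real SP builds.
INVENTORY = {
    "sql-prod-01": {"ssnetlib.dll": "8.00.679", "ssmslpcn.dll": "8.00.568",
                    "dbmslpcn.dll": "8.00.568"},
    "sql-prod-02": {"ssnetlib.dll": "2000.80.534.0", "ssmslpcn.dll": "2000.80.534.0",
                    "dbmslpcn.dll": "2000.80.534.0"},
    "app-server-07": {"ssnetlib.dll": "8.00.700", "ssmslpcn.dll": None,
                      "dbmslpcn.dll": "8.00.700"},
}

if __name__ == "__main__":
    for host, (status, findings) in build_matrix(INVENTORY).items():
        print(f"{host}: {status}", "; ".join(findings) or "all components current")
```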
Ready for Anything
Slammer marks an important step in the evolution of computer worms because of its simplicity and speed of infection, and the worm's success opens the door for similar but more dangerous worms. If a worm could scan and infect systems as quickly as Slammer did, then lie dormant so that its activity quickly came to a halt, identifying and cleaning the thousands of infected hosts would be a nightmare. Hindsight is twenty-twenty, but Slammer's original attack was a painful lesson in why administrators and security professionals need to stay vigilant and make sound architectural decisions. Applying patches, fortifying perimeter devices, and watching for excessive traffic to UDP port 1434 can be tiring and continual processes but really are the only protection against a worm such as Slammer, which most likely will continue to cause problems for organizations that fail to take these measures. For more information about Slammer, visit , =180, or
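The advice to watch for excessive UDP port 1434 traffic, worked into detection logic as an added example (not from the original article): it parses constructed firewall-style log lines and flags any source that reaches many distinct destinations on UDP/1434 within a single second, the fan-out pattern the scanning behaviour described earlier produces. The log format and the threshold are assumptions.

```python
"""Flag hosts producing Slammer-like UDP/1434 scan traffic in firewall logs.

Added example, not part of the original article. Log format is constructed
(one record per line: epoch-second proto src dst dport). The threshold sits far
below the 4000-30,000 scans/s the article cites: a handful of distinct
destinations per second on UDP 1434 from one source is already abnormal."""
from collections import defaultdict

SLAMMER_PORT = 1434

# Constructed sample: 10.0.0.5 fans out to many addresses within one second
# (worm behaviour); 10.0.0.23 is a client repeatedly resolving one server.
SAMPLE_LOG = """\
1043510400 UDP 10.0.0.5 198.51.100.7 1434
1043510400 UDP 10.0.0.5 203.0.113.9 1434
1043510400 UDP 10.0.0.5 192.0.2.44 1434
1043510400 UDP 10.0.0.5 198.51.100.200 1434
1043510400 UDP 10.0.0.5 203.0.113.77 1434
1043510400 UDP 10.0.0.23 10.0.0.100 1434
1043510401 UDP 10.0.0.23 10.0.0.100 1434
1043510401 TCP 10.0.0.5 10.0.0.100 1433
1043510401 UDP 10.0.0.5 192.0.2.1 1434
"""

def parse_line(line):
    """Return (second, proto, src, dst, dport), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, proto, src, dst, dport = parts
    try:
        return int(ts), proto.upper(), src, dst, int(dport)
    except ValueError:
        return None

def find_scanners(log_text, max_distinct_dsts_per_sec=4):
    """Return {src: peak distinct UDP/1434 destinations in any one second}
    for every source whose peak exceeds the threshold."""
    fanout = defaultdict(set)          # (src, second) -> destinations seen
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[1] == "UDP" and rec[4] == SLAMMER_PORT:
            fanout[(rec[2], rec[0])].add(rec[3])
    peak = defaultdict(int)
    for (src, _sec), dsts in fanout.items():
        peak[src] = max(peak[src], len(dsts))
    return {src: n for src, n in peak.items() if n > max_distinct_dsts_per_sec}

if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct UDP/1434 targets in one second")
```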
MyDoom (also known as my.doom, W32.MyDoom@mm, Novarg, Mimail.R, Shimgapi, W32/Mydoom@MM, WORM_MYDOOM and Win32.Mydoom) is a computer worm affecting Microsoft Windows. It was first sighted on January 26, 2004. It became the fastest-spreading e-mail worm ever, exceeding previous records set by the Sobig worm and ILOVEYOU, a record which as of 2023 has yet to be surpassed.
MyDoom appears to have been commissioned by e-mail spammers to send junk e-mail through infected computers. The worm contains the text message "andy; I'm just doing my job, nothing personal, sorry," leading many to believe that the worm's creator was paid. Early on, several security firms expressed their belief that the worm originated from a programmer in Russia. The actual author of the worm is unknown.
The worm appeared to be a poorly sent e-mail, and most people who originally were e-mailed the worm ignored it, thinking it was spam. However, it eventually spread to infect at least 500 thousand computers across the globe.
Speculative early coverage held that the sole purpose of the worm was to perpetrate a distributed denial-of-service attack against SCO Group. 25 percent of MyDoom.A-infected hosts targeted SCO Group with a flood of traffic. Trade press conjecture, spurred on by SCO Group's own claims, held that this meant the worm was created by a Linux or open source supporter in retaliation for SCO Group's controversial legal actions and public statements against Linux. This theory was rejected immediately by security researchers. Since then, it has been likewise rejected by law enforcement agents investigating the virus, who attribute it to organized online crime gangs.
MyDoom was named by Craig Schmugar, an employee of computer security firm McAfee and one of the earliest discoverers of the worm. Schmugar chose the name after noticing the text "mydom" within a line of the program's code. He noted: "It was evident early on that this would be very big. I thought having 'doom' in the name would be appropriate."
MyDoom is made by Lto3 and primarily transmitted via e-mail, appearing as a transmission error, with subject lines including "Error", "Mail Delivery System", "Test" or "Mail Transaction Failed" in different languages, including English and French. The mail contains an attachment that, if executed, resends the worm to e-mail addresses found in local files such as a user's address book. It also copies itself to the "shared folder" of the peer-to-peer file sharing application Kazaa in an attempt to spread that way.
MyDoom avoids targeting e-mail addresses at certain universities, such as Rutgers, MIT, Stanford and UC Berkeley, as well as certain companies such as Microsoft and Symantec. Some early reports claimed the worm avoids all .edu addresses, but this is not the case.