Wireshark packet analysis - Slammer worm attack

This article is for packet-analysis study only!

1. Overview of the Slammer worm

SQL Slammer (2003) is a malicious program with a DDoS effect. Through a new infection route, it spreads by distributed denial of service against servers: it exploits a weakness in SQL Server by flooding port 1434, infects SQL Server in memory, and then uses each infected SQL Server to spread further, generating a large volume of denial-of-service traffic and new infections. The result is that SQL Server stops working normally or crashes, and internal networks become congested.

SQL Slammer, also known as the "Sapphire" worm or "Helkern", is only 376 bytes in size, just small enough to fit into a single network packet, which let it spread quickly once launched. The worm sends specially formatted requests to UDP port 1434; infected machines then begin sending the malicious code onward, driving their targets into a state of denial of service. It once overloaded servers, routers and other network devices with a flood of packets, causing denial of service on tens of thousands of servers around the world.

The worm has the following characteristics:

  • It spreads over UDP, so it propagates fast and over a wide area
  • After infecting a system, it resides only in memory and writes no files to the hard disk
  • Sending large numbers of UDP packets generates huge network traffic, producing a DoS effect

Affected versions:

  • SQL Server 2000 RTM
  • SQL Server 2000 SP1
  • SQL Server 2000 SP2
  • Microsoft SQL Desktop Engine Version (MSDE) 2000

Symantec provides the following network detection rules:

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"W32.SQLEXP.Worm propagation"; content:"|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|"; content:"|04|"; offset:0; depth:1;)

2. Data packet analysis

The capture comes from https://wiki.wireshark.org/SampleCaptures and is named tslammer.pcap

① Looking at the capture, two obvious features stand out: the packets are sent to UDP destination port 1434 on network hosts, and the worm encapsulates itself in a 376-byte UDP packet;

② Viewing the hexadecimal data: the first 14 bytes are the Ethernet frame header, followed by the IP header (20 bytes) and the UDP header; from the 04 byte onward is the Slammer worm data;

If the SQL Server Resolution Service is enabled on the SQL server and the patch is not installed, then when the Resolution Service receives a UDP packet on port 1434 whose first byte is 0x04, the SQL monitoring thread takes the data that follows and uses it to try to open a registry key. An attacker can therefore append a large amount of character data to the UDP packet; when the monitoring thread tries to open the registry key, a stack-based buffer overflow occurs, overwriting part of the stack so that arbitrary commands execute with the privileges of the SQL Server process.
Afterwards, the worm calls the Windows API function GetTickCount to generate random IP addresses, opens a socket on the victim host, and sends UDP packets containing the worm to the generated addresses so that they are infected in turn.

③ In the packet payload, several string features can be seen:

  • h.dllhel32hkernQhounthickChGetTf
  • hws2
  • Qhsockf
  • toQhsend
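The following Python script is an added example, not code from the original article or from the capture's authors. It builds a constructed Ethernet/IPv4/UDP frame (zeroed MACs and checksums, RFC 5737 test addresses, a 376-byte payload made of 0x04, 0x01 filler and only the strings listed above, so it is not the real worm and not tslammer.pcap), walks the headers the way steps ① and ② do to find where the 04 byte starts, applies the two conditions of the Symantec rule quoted in section 1 (first payload byte 0x04 at offset 0 with depth 1, plus the 15 signature bytes), and explains the string features of step ③: the recurring letter 'h' is 0x68, the x86 opcode for push imm32, so each 'h' is followed by four bytes of a string being assembled on the stack, which is why fragments such as ".dll", "el32", "kern" and "GetT" (the GetTickCount mentioned above) are visible and make a stable detection signature. The port, addresses and filler are assumptions for the sample, not values from the page.

```python
"""Added example: parse a constructed Ethernet/IPv4/UDP frame and apply the
Slammer features listed in the article (UDP/1434, 376-byte payload, first
payload byte 0x04, Symantec signature bytes). Not code from the original post;
the frame below is built in-script, not read from tslammer.pcap."""
import struct

# Byte sequence from the Symantec rule quoted in the article ("h.dllhel32hkern").
SIGNATURE = bytes.fromhex("68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E")
SLAMMER_PORT = 1434
SLAMMER_PAYLOAD_LEN = 376          # payload size stated in the article
ETH_LEN, IP_LEN, UDP_LEN = 14, 20, 8
PUSH_IMM32 = 0x68                  # x86 'push imm32' opcode; prints as the letter 'h'


def parse_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> UDP and return the fields the checks need."""
    if len(frame) < ETH_LEN + IP_LEN + UDP_LEN:
        raise ValueError("frame too short for Ethernet/IPv4/UDP")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[ETH_LEN] & 0x0F) * 4          # IP header length in bytes
    if frame[ETH_LEN + 9] != 17:
        raise ValueError("not UDP")
    udp_off = ETH_LEN + ihl
    sport, dport, ulen, _csum = struct.unpack("!HHHH", frame[udp_off:udp_off + UDP_LEN])
    payload_off = udp_off + UDP_LEN
    return {
        "src_ip": ".".join(map(str, frame[ETH_LEN + 12:ETH_LEN + 16])),
        "dst_ip": ".".join(map(str, frame[ETH_LEN + 16:ETH_LEN + 20])),
        "sport": sport,
        "dport": dport,
        "payload_offset": payload_off,         # where the worm data (04 ...) starts
        "payload": frame[payload_off:udp_off + ulen],
    }


def matches_symantec_rule(payload: bytes) -> bool:
    """content:"|04|"; offset:0; depth:1;  plus the 15 signature bytes anywhere."""
    return payload[:1] == b"\x04" and SIGNATURE in payload


def push_string_fragments(payload: bytes) -> list:
    """Collect the 4 printable bytes that follow each 0x68 ('push imm32').

    Shellcode builds DLL and API names on the stack four bytes at a time,
    which is why the payload reads as 'h.dllhel32hkern...' in the capture."""
    frags, i = [], 0
    while i + 5 <= len(payload):
        chunk = payload[i + 1:i + 5]
        if payload[i] == PUSH_IMM32 and all(0x20 <= b < 0x7F for b in chunk):
            frags.append(chunk.decode("ascii"))
            i += 5
        else:
            i += 1
    return frags


def analyze(frame: bytes) -> dict:
    """Apply the article's checks to one frame and report the results."""
    f = parse_frame(frame)
    p = f["payload"]
    return {
        "dst_port_1434": f["dport"] == SLAMMER_PORT,
        "payload_376_bytes": len(p) == SLAMMER_PAYLOAD_LEN,
        "worm_data_offset": f["payload_offset"],   # 14 + 20 + 8 = 42 for a plain frame
        "rule_match": matches_symantec_rule(p),
        "push_strings": push_string_fragments(p),
    }


def build_frame(payload: bytes, dport: int = SLAMMER_PORT) -> bytes:
    """Constructed frame: zero MACs, zero checksums, RFC 5737 test addresses (assumed)."""
    eth = bytes(12) + struct.pack("!H", 0x0800)
    udp_len = UDP_LEN + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN + udp_len, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    udp = struct.pack("!HHHH", 1234, dport, udp_len, 0)
    return eth + ip + udp + payload


def constructed_payload() -> bytes:
    """376 bytes: 0x04 lead byte, 0x01 filler, and only the strings the article lists."""
    strings = [b"h.dllhel32hkernQhounthickChGetTf", b"hws2", b"Qhsockf", b"toQhsend"]
    body = b"\x01" * 90 + (b"\x01" * 8).join(strings)
    return (b"\x04" + body).ljust(SLAMMER_PAYLOAD_LEN, b"\x01")


if __name__ == "__main__":
    result = analyze(build_frame(constructed_payload()))
    for name, value in result.items():
        print(f"{name:>20}: {value}")
```

Running the script prints the five checks for the constructed frame; pointing `parse_frame` at raw frames read from a real capture (for example with a pcap reader) gives the same view, and `push_string_fragments` shows why the signature stays stable even though the payload is machine code rather than text.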


Source: blog.csdn.net/Zhou_ZiZi/article/details/126502005