Slammer worm

posted Jun 09, 2003

Maresh had spent two years in front of the console, but, he says, "I had never seen anything like that." Fifty-five million meaningless database server requests were traversing the globe - and one of Akamai's Hong Kong locations was caught in the crossfire. Maresh was the first person on earth to spot the Internet worm that came to be known as Slammer. [Tomalak's Realm]

Pretty interesting piece. I remember when the "Warhol worm" idea was being mocked; Slammer technically wasn't such a worm but it got pretty close to implementing it and it didn't even take the pre-scan steps outlined in the Warhol worm paper.

This actually provides an interesting study for the Warhol worm concept. Slammer was 376 bytes. That's not much. About all the author could jam into the 376 bytes was the code to replicate itself, and it was buggy at that. Any more serious worm which actually was going to do something other then suck bandwidth would of necessity be larger, which would necessarily slow the growth of the worm exponentially as it increased in size.

The good news is that getting such results probably still requires programming in assembly language, which isn't exactly rare but isn't common either. The bad news is that the constraining factor on the worm's growth is transmission time, not raw size, so as the Internet gets faster it gets progressively more vulnerable to this sort of thing.

In a couple more years, one could imagine a 10KB payload, which is easily enough to do just about any one or two malicious things you could think of, and a general virus kit that has a Warhol-style virus framework already loaded into it.

End of the Internet? Nah, the admins will also adapt and prevent it from rocking our world too often. Still, really useful security may become necessary, as turning a security flaw into a Warhol worm approaches zero effort; preventing those flaws entirely is going to get more important.


Site Links


All Posts