January 26, 2003
The Beauty of the Worm
A posting from Peter Kaminski to a mailing list (with permission):
It’s a thing of terrorbeauty, this Slammer/Sapphire/W32.SQLExp.Worm. Weighing in at 376 bytes of assembly language code, it is shorter than some email signature blocks. Shorter than the next paragraph.
It fits entirely within one UDP packet. The packet goes into a Microsoft SQL Server box, and boom, the machine turns into a zombie, spewing the same packet back out at random IP addresses, over and over and over and over, running in a tight 23-instruction loop, cycling fast enough to fill the network it’s connected to with the tiny replicates of itself directed anywhere and everywhere on the net.
Here are some more links:
cstone’s annotated disassembly
archived version of the Matrix graph
the slashdot thread
NGSSoftware advisory on the Microsoft SQL Server exploit, 2002-07-25