A posting from Peter Kaminski to a mailing list (with permission):
It's a thing of terrorbeauty, this Slammer/Sapphire/W32.SQLExp.Worm. Weighing in at 376 bytes of assembly language code, it is shorter than some email signature blocks. Shorter than the next paragraph.
It fits entirely within one UDP packet. The packet goes into a Microsoft SQL Server box, and boom, the machine turns into a zombie, spewing the same packet back out at random IP addresses, over and over and over and over, running in a tight 23-instruction loop, cycling fast enough to fill the network it's connected to with the tiny replicates of itself directed anywhere and everywhere on the net.
Here are some more links:
cstone's annotated disassembly
archived version of the Matrix graph
the slashdot thread
NGSSoftware advisory on the Microsoft SQL Server exploit, 2002-07-25
Posted
by D. Weinberger at January 26, 2003 10:35 AM
Comments
What mailing list?
Posted by: steve | January 28, 2003 02:44 PM
A private mailing list. But Pete blogged this entry at http://www.istori.com/log/archives/00000221.html
Posted by: David Weinberger | January 28, 2003 04:33 PM
Thanks!
Posted by: steve | January 29, 2003 10:23 AM