"Helkern" - 376 Bytes That Shook The World
25 Jan 2003
Kaspersky Lab, an international data security software developer, is warning users to look our for the new Internet-worm "Helkern" (also known as "Slammer" or "Sapphire") that infects servers running under the popular Web-enabled database Microsoft SQL Server 2000. The extremely small size of the worm (only 376 bytes), a unique technology it employs for penetrating target computers and an extraordinarily high spreading speed allow us to proclaim "Helkern" one of the biggest dangers threatening the normal operation of the Internet to come along in years. There have already been reports of serious disruptions to Internet functioning in South Korea, Australia and New Zealand.
It is possible to say the worm has caused one of the largest virus outbreaks in history that has affected user from all corners of the globe: messages describing infections from "Helkern" are being received from Europe, the United States and Eastern Asia.
"Helkern" belongs to the "fileless" worms category. This type of malicious programs performs all operations (including infection and spreading) exclusively in the computer's operating memory without using any permanent or temporary files. These features seriously complicate the detection and disinfection of such worms using contemporary anti-virus technologies (on-demand and on-access scanners). The first malicious code of this type, "CodeRed"
, was discovered on July 20, 2001. At that time it caused a wide-scale outbreak infecting dozens of thousands of systems around the world. Up until now, with the exception of "CodeRed", "fileless" worms had not shown themselves.
"Helkern" infects only computers running Microsoft SQL Server 2000, a multi-functional database system widely used primarily on Web-servers. To home users of any Windows version without the installion of Microsoft SQL Server the worm poses no threat.
"Helkern" exploits a security breach ("Buffer Overrun") in Microsoft SQL Server that was first detected in July, 2002. To accomplish the "buffer overrun" exploit the worm sends a special request to a target computer. When the request is processed the system automatically executes the worm's code contained in this request. In this way a malefactor can run malicious code without a user's knowledge.
Next, "Helkern" initiates its spreading routine. This process features the extremely rapid sending of the worm's copies to other Internet users: "Helkern" starts an endless spawning loop that many times increases network traffic. "Within just 3 hours from the start of the outbreak began we have detected more than 20 thousand attempts by "Helkern" to penetrate our network, - says Igor Mitiurin, Head of the Information Security Department at Russlavbank, a major Russian financial institution, - Fortunately all these penetration attempts were successfully blocked thanks to our implementation of an effective information security policy that includes the timely installation of security patches for all software used in our corporate network."
Nowadays Microsoft SQL Server is one of the acknowledged leaders in the Web-enabled database market and is used on hundreds of thousands of computers the world over. These events show that many of these systems still contain the security breach allowing infection at the hands of "Helkern". "Helkern" is a real threat that can cause serious interruption to the workings of Internet because the worm generates a huge amount of redundant network traffic that jams data transmission channels. Moreover, in the future, there is a possibility that such attacks will happen with increasing frequency. These circumstances underline the necessity to develop a new approach confronting Internet virus outbreaks. Contemporary technologies have shown a low effectiveness when dealing with such challenges," said Eugene Kaspersky, Head of Anti-Virus Research for Kaspersky Lab.
Besides generating a large volume of redundant network traffic "Helkern" carries no other malicious payload (including destructive payload). Nevertheless Kaspersky Lab urges users to install the patch for buffer overruns in SQL Server 2000. You may access the patch, which is available free of charge on the Microsoft Web-site, by clicking here
A description of "Helkern" in the Kaspersky Virus Encyclopedia: http://www.viruslist.com/eng/viruslist.html?id=59159
A description of the Microsoft SQL Server security breach (Microsoft Security Bulletin MS02-039): http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp>
Kaspersky Anti-Virus database updates: http://www.kaspersky.com/updates.html