What the Helkern is that?

In my copious free time, I sometimes answer questions on security issues on one of those “Ask the Experts”  pages. It sometimes feels a bit like stepping into a not-quite-parallel universe, where it’s still 2002-3: a strangely high proportion of those queries are about Helkern (the worm most us know as Slammer or SQL Slammer, or even Sapphire). How can such an old threat still constitute such a problem?

In fact, it doesn’t. It’s essentially a noise generator, a classic example of malware intended only to replicate. That’s bad enough, of course: no-one wants to waste bandwidth on the networking equivalent to housedust, and in any case, there’s always a risk that malware that does very little will have unexpected consequences on some systems in some contexts. In general, though, it doesn’t pose a significant risk to anyone not running an unpatched SQL Server installation. The “noise” comes from the fact that there obviously are still unpatched installations out there somewhere that keep sending probes out to random IP addresses over UDP/1434. The problem arises because some security software generates an alert every time it sees that wretched UDP packet, and users assume that (a) their system is in danger (b) they’re the victim of a targeted attack (not so – the target IPs are selected randomly (c) they’re seeing a huge onslaught of attacks by a worm that isn’t picked up by other security software. Back in this universe, any competent, mainstream scanner is capable of detecting Slammer, but most don’t generate alerts for random probes.

However, it’s usually possible to turn off alerts for network attacks in firewalls (and at least one AV engine) where alerting on everything is enabled by default, without turning off protection, and you can still check logs to see that the product is doing its job and blocking such probes, where appropriate, if you need that reassurance.

David Harley
Research Author

Author David Harley, ESET

Follow us

Copyright © 2017 ESET, All Rights Reserved.