Mallory
Malware

SQL Slammer

SQL Slammer, also known as Sapphire and SQL-Hell, is a fast-spreading Internet worm that targeted Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000. It exploited a buffer overrun in the SQL Server 2000 Resolution Service, which listens on UDP port 1434, a vulnerability Microsoft had addressed in Security Bulletin MS02-039. The worm propagated by sending a single crafted UDP packet to each target and was widely reported to have infected 90% of vulnerable hosts in under 10 minutes. Multiple sources in the content describe it as taking down or degrading large portions of the Internet, with reporting at the time noting country-level impact, including in South Korea. It is repeatedly cited as a canonical early-2000s worm and as an example of disruptive, non-targeted malware that also highlighted the exposure of industrial control systems.

High-confidence behavior and impact described in the content include rapid self-propagation over UDP/1434, widespread Internet congestion and denial-of-service effects, and scanning activity that remained observable on the public Internet more than a decade after the outbreak. The affected platforms explicitly mentioned are Microsoft SQL Server 2000 and MSDE 2000; the content states that client systems were not affected, but MSDE 2000 was redistributed inside many desktop and third-party applications, so workstations running such software were exposed in the same way as servers. The content also notes that the exploited vulnerability had been patched roughly six months before the outbreak, and that Microsoft stated the MS02-039 patch was effective in protecting SQL Server 2000 and MSDE 2000 against SQL Slammer. Because the worm lived only in memory, a reboot cleared it, but an unpatched host reachable on UDP/1434 was reinfected almost immediately; filtering UDP/1434 at network boundaries was the standard interim mitigation. No specific threat actor attribution is provided in the content. Known aliases directly mentioned are Sapphire and SQL-Hell.


MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1190 Exploit Public-Facing Application (evidence: 2)

"SQL Slammer" and "TCP sequence prediction attack" are listed among linked security incident topics. SQL Slammer is historically associated with exploitation of the SQL Server 2000 Resolution Service, a network-facing service on UDP/1434, which is the direct basis for this mapping.

Execution

1 technique
T1203 Exploitation for Client Execution (evidence: 1)

By sending a carefully crafted packet to the Resolution Service, an attacker could cause portions of system memory (the heap in one case, the stack in the other) to be overwritten. Overwriting it with carefully selected data could allow the attacker to run code in the security context of the SQL Server service.

Caveat: this excerpt (Microsoft's description of the two Resolution Service overruns fixed by MS02-039) documents the memory-corruption primitive, not client-side execution. T1203 covers exploitation of client applications such as browsers and document readers; the Resolution Service is a network-listening server component, so the mappings that fit the evidence are T1190 for the initial compromise and T1210 for worm-to-worm spread. In either case the injected code runs with whatever privileges the SQL Server service account holds.

Lateral Movement

1 technique
T1210 Exploitation of Remote Services (evidence: 1)

The SQL Slammer worm that attacked Microsoft SQL and MSDE, which crashed the Internet.

Command and Control

1 technique
T1572 Protocol Tunneling (evidence: 1)

A second kind of covert channel, aimed at subverting firewall-based filtering, uses standard ports for passing non-standard traffic.

Caveat: T1572 is a Command and Control technique in ATT&CK, and Slammer had no command-and-control channel at all; its only traffic was the exploit packet itself, delivered to the real Resolution Service port. The excerpt describes standard-port abuse, and the mapping fits only loosely, as an illustration that a port-based firewall rule cannot distinguish a legitimate UDP/1434 lookup from an exploit packet.

Impact

2 techniques
T1498 Network Denial of Service (evidence: 1)

A second kind of covert channel, aimed at subverting firewall-based filtering, uses standard ports for passing non-standard traffic. Firewalls that enforce a "block-all-but-necessary" approach to regulating traffic are the typical targets of standard port abuse. A recent (25 Jan 2003) case of standard port abuse involved a Denial of Service (DoS) attack that was variously known as the 'SQL Slammer' worm, 'Sapphire' and 'SQL-Hell'.

Note that the denial of service was a side effect of propagation rather than a deliberate payload: the worm carried no DoS routine, and the congestion came from every infected host scanning the Internet as fast as its link allowed.

T1498.001 Direct Network Flood (evidence: 1)

The infected host starts transmitting 376-byte UDP packets at a very high rate to random IP addresses on the Internet, thereby generating overwhelming traffic.
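The propagation pattern described in this excerpt (and in the summary at the top of the page) is simple enough to detect from flow or packet metadata alone. The following Python script is an added example, not code from the Mallory page or from any Slammer analysis it cites: it runs over constructed per-packet records, isolates UDP traffic to destination port 1434 carrying a 376-byte payload, and flags any source that sends such packets at a high peak rate to many distinct destinations. The record format, the thresholds (100 packets per second in any one-second window, 50 distinct destinations), the source ports and the sample data are assumptions made for this example.

```python
"""Flag hosts that send SQL Slammer-style propagation traffic.

Added example for this page, not code from Mallory or from any source it
cites. The only Slammer facts used are those the page states: the worm
sends 376-byte UDP packets to port 1434 (the SQL Server 2000 Resolution
Service) at a very high rate to random Internet addresses. The record
format, thresholds, ports and sample data below are constructed.
"""
import random
from collections import defaultdict
from dataclasses import dataclass

SLAMMER_DST_PORT = 1434     # SQL Server 2000 Resolution Service (UDP)
SLAMMER_PAYLOAD_LEN = 376   # UDP payload length reported for the worm packet


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    payload_len: int


def parse_record(line: str) -> Packet:
    """Parse one constructed record:
    '<epoch_ts> <src_ip> <dst_ip> <proto> <sport> <dport> <udp_payload_len>'."""
    ts, src, dst, proto, sport, dport, plen = line.split()
    return Packet(float(ts), src, dst, proto.lower(), int(sport), int(dport), int(plen))


def is_slammer_like(pkt: Packet) -> bool:
    """Packet-level signature: UDP to port 1434 carrying exactly 376 payload bytes."""
    return (pkt.proto == "udp"
            and pkt.dport == SLAMMER_DST_PORT
            and pkt.payload_len == SLAMMER_PAYLOAD_LEN)


def find_infected_sources(packets, window=1.0, min_pps=100, min_distinct_dst=50):
    """Return {src_ip: stats} for sources whose Slammer-like packets reach
    min_pps within any `window` seconds and go to at least min_distinct_dst
    different addresses. The distinct-destination test separates an infected
    scanner from a host that merely repeats one oversized lookup."""
    by_src = defaultdict(list)
    for pkt in packets:
        if is_slammer_like(pkt):
            by_src[pkt.src].append(pkt)

    hits = {}
    for src, pkts in by_src.items():
        pkts.sort(key=lambda p: p.ts)
        # Two-pointer sliding window: peak packet count in any `window` seconds.
        peak, lo = 0, 0
        for hi in range(len(pkts)):
            while pkts[hi].ts - pkts[lo].ts > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        distinct = len({p.dst for p in pkts})
        if peak / window >= min_pps and distinct >= min_distinct_dst:
            hits[src] = {"packets": len(pkts),
                         "peak_pps": peak / window,
                         "distinct_dst": distinct}
    return hits


def build_sample_records(seed: int = 1):
    """Constructed telemetry: one infected host plus benign SQL-related traffic."""
    rng = random.Random(seed)
    t0 = 1043472600.0  # constructed epoch timestamp on 25 Jan 2003
    lines = [
        # Benign: short lookup requests from a workstation to one SQL server.
        f"{t0 + 0.10:.3f} 10.0.0.20 10.0.0.50 udp 49152 1434 1",
        f"{t0 + 0.30:.3f} 10.0.0.20 10.0.0.50 udp 49153 1434 1",
        # Benign: ordinary SQL client traffic over TCP/1433, same size, wrong protocol.
        f"{t0 + 0.20:.3f} 10.0.0.20 10.0.0.50 tcp 49154 1433 376",
        # One 376-byte UDP/1434 packet: matches the signature but is not a flood.
        f"{t0 + 0.40:.3f} 10.0.0.21 10.0.0.50 udp 49155 1434 376",
    ]
    # Infected host: 300 worm packets in half a second to random addresses.
    for i in range(300):
        dst = ".".join(str(rng.randrange(1, 224)) for _ in range(4))
        lines.append(f"{t0 + i * 0.5 / 300:.3f} 10.0.0.5 {dst} udp 1280 1434 376")
    return lines


def load_sample_packets():
    return [parse_record(line) for line in build_sample_records()]


if __name__ == "__main__":
    for src, stats in find_infected_sources(load_sample_packets()).items():
        print(f"{src}: {stats['packets']} pkts, peak {stats['peak_pps']:.0f} pps, "
              f"{stats['distinct_dst']} distinct destinations")
```

The flood test is what separates an infected host from a stray probe; at a perimeter, a single inbound 376-byte UDP/1434 packet is still worth an alert on its own, because legitimate Resolution Service requests are only a few bytes long. Run against real telemetry, the same logic also catches the residual Slammer scanning the page mentions, since those packets have not changed.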
