SOURCE: eWeek
DATE: January 25, 2003
TITLE: SQL Worm Pounds Internet
AUTHOR: By Dennis Fisher and Chris Gonsalves

A worm that attacks known vulnerabilities in Microsoft Corp.'s SQL Server hit the Internet hard Friday night and early Saturday morning, slowing Web traffic to a crawl globally as it generated billions of attacks, according to security response experts.

Dubbed the Sapphire Worm or SQL Slammer (so called because security engineers were called out of bars just after midnight Friday to begin the detection and clean-up work), the malware takes advantage of a buffer overflow to exploit a flaw in Microsoft SQL Server 2000. That flaw, first discovered in July 2002, exists because of the way SQL Server handles data sent to its monitor port, according to Marc Maiffret, chief hacking officer for eEye Digital Security in Aliso Viejo, Calif.

Once a vulnerable computer is compromised, the worm will infect that target, randomly select a new target, and resend the exploit and propagation code to that host, said Chris Rouland, director of the X-Force response team at Internet Security Systems Inc. in Atlanta.

"Although the Slammer worm is not destructive to the infected host, it does generate a damaging level of network traffic when it scans for additional targets," an X-Force alert reads. "A large amount of network traffic is created by the worm. Billions of attacks have been detected in the last 12 hours from various industry sources."

ISS received reports that several major national ISPs were either experiencing severe latency or were completely unreachable during the height of the attack, ISS's Rouland said. Overnight, five of the Internet's 13 root DNS servers were down and two others had latencies of more than 10 seconds, he added.

The Slammer worm doesn't scan local subnet addresses like the Nimda worm, ISS officials said. It simply seeks to replicate itself and does not try to further compromise servers or retain access to compromised hosts. The Slammer worm also does not infect or modify files, as it exists only in memory.

"It should be noted that this worm is not the same as an earlier SQL worm that used the SA/nopassword SQL vulnerability as its spread vector," eEye's Maiffret wrote in a posting on the NTBugtraq mailing list. "This new worm is more devastating as it is taking advantage of a software-specific flaw rather than a configuration error. We have already had many reports of smaller networks brought down due to the flood of data from the Sapphire Worm trying to re-infect new systems."

Experts said the attack appears to have begun in South Korea, where Internet service was effectively shut down early Saturday.

Experts are recommending that administrators immediately firewall SQL service ports at all of their gateways. The worm uses only UDP port 1434 (the SQL Monitor port) to spread itself to new systems. Since Slammer takes advantage of a known vulnerability, administrators are also urged to apply the current patches available at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp or contained within the SQL 2000 service packs at http://www.microsoft.com/sql/downloads/2000/sp3.asp
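As an added example (not part of the article or any vendor tool), here is a defender-side check for the traffic pattern described above: one host sending UDP/1434 datagrams to many distinct destinations in a short span, which is what an infected host's random target selection looks like at a gateway. The flow-record format, the thresholds and the sample records are constructed assumptions.

```python
"""Flag hosts showing Slammer-style UDP/1434 fan-out in gateway flow records."""
from collections import defaultdict

# Constructed sample flow log: "timestamp src dst proto dport" per line.
# 10.0.0.7 sprays UDP/1434 at 60 distinct hosts; 10.0.0.9 is ordinary SQL client traffic.
SAMPLE_LOG = "\n".join(
    [f"{i * 0.01:.2f} 10.0.0.7 198.51.{i % 256}.{(i * 37) % 256} UDP 1434" for i in range(60)]
    + ["0.50 10.0.0.9 10.0.0.20 TCP 1433",
       "0.60 10.0.0.9 10.0.0.20 UDP 1434",
       "0.70 10.0.0.9 10.0.0.21 UDP 1434"]
)


def parse_flows(text):
    """Parse whitespace-separated flow lines into (ts, src, dst, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append((float(ts), src, dst, proto.upper(), int(dport)))
    return flows


def slammer_fanout(flows, window=1.0, min_targets=20):
    """Return {src: peak distinct UDP/1434 destinations} for sources that reach
    min_targets distinct destinations within any sliding window of `window` seconds.
    Thresholds are assumptions; tune them to the gateway's normal SQL traffic."""
    per_src = defaultdict(list)
    for ts, src, dst, proto, dport in flows:
        if proto == "UDP" and dport == 1434:
            per_src[src].append((ts, dst))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        seen = defaultdict(int)  # dst -> occurrences inside the current window
        start = 0
        for ts, dst in events:
            seen[dst] += 1
            while ts - events[start][0] > window:  # evict events that fell out of the window
                old = events[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(seen))
    return hits


if __name__ == "__main__":
    print(slammer_fanout(parse_flows(SAMPLE_LOG)))  # {'10.0.0.7': 60}
```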