
Detailed Information on Worm Attack!


Head Guru


Saturday, 25 Jan 2003 — A New Worm is Loose


A new worm exploded onto the Internet, causing worldwide traffic congestion as it aggressively replicated by searching for vulnerable and unpatched Microsoft Windows servers running the SQL database engine.


The worm is known by the names "SQL Sapphire", "SQL-Hell" and "MS SQL Slammer".


The Windows SQL Server "buffer overflow" vulnerability being exploited by this worm has been known for six months. Security patches and updates have been available since its public disclosure. Therefore, only machines that are not kept up to date with current security patches and service packs are vulnerable to infection.


Analysis by eEye and others of the worm's payload indicates that, unlike the previous Code Red and Nimda worms, this worm's only agenda is self-replication (which it pursues with significant gusto).


Since the worm lives only in the system's RAM memory and does not modify any system files, "disinfection" of an infected system is as simple as a system reboot.


It is somewhat intriguing that every worm packet probe emitted contained a complete self-replicating-capable copy of the entire worm. Thanks to the worm's use of the "connectionless" UDP protocol, the receipt of a single packet was all that was necessary.


We are fortunate that the worm spreads by UDP protocol over port 1434, because this traffic can be readily filtered and blocked at any level of the Internet without negative side effects. This was not the case, for example, with the previous Code Red and Nimda worms which used standard web TCP protocol and ports and could not, therefore, be blocked without blocking all other web traffic.


Since the following applications install editions of this insecure SQL server, users of those applications may also be at risk of SQL Sapphire worm infection:


Microsoft Biztalk Server, Visual Studio.NET, .NET Framework SDK, Application Center Server, Microsoft Visio 2000, Microsoft Project, McAfee Centralized Virus Admin, FlipFactory, Lyris Listserver, ASP.NET Web Matrix Tool, Office XP Developer Edition, MSDN Universal and Enterprise Edition, Microsoft Visual FoxPro 7.0, Compaq Insight Manager, Dell OpenManage, HP Openview Internet Services Monitor, Websense, Megatrack from BLUEMEGA, Veritas Backup Exec ver 9.0, WebBoard, Chubb security system, Microsoft Office 2000/XP, Crystal Reports Enterprise 8.5, MonTel (a PABX admin tool), HelpMaster Pro, Hailstorm (http://www.cenzic.com), McAfee Epolicy Orchestrator, GFI S.E.L.M, SecureScanNX - Vigilante, ASSET v1.01 - NIST, Centennial Discovery, SalesLogix, Helpstar (Helpdesk), http://www.realestate.intuit.com/, Microsoft's Age of Mythology, Tumbleweed Secure Guardian, World Secure, PowerQuest Deploy Center 5, ControlCenter ST, Trend Micro Damage Cleanup Server 1.0, Compaq Insight Manager v7, Patchlink Patch Management System, Microsoft SharePoint Portal Server

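As an added example (not part of the original post), the following Python script implements the two network-side measures the post describes: dropping UDP datagrams addressed to port 1434 while letting ordinary TCP/80 web traffic through, and spotting a host that is behaving like an infected machine, i.e. one source spraying UDP/1434 probes at many distinct destinations. It parses raw IPv4/UDP and IPv4/TCP datagrams so the filter decision is made on the actual header fields rather than on a label. Every packet, address (RFC 5737 documentation ranges) and probe payload below is constructed for the demonstration; the real worm's packet contents are not reproduced, and the `min_targets` threshold is an assumed tuning value, not one taken from the post.

```python
"""
Added example (not from the original post): a minimal IPv4 packet filter and
UDP/1434 scan detector illustrating the mitigation described above.
All traffic below is constructed for the demonstration.
"""
import ipaddress
import struct
from collections import defaultdict

SLAMMER_PORT = 1434   # UDP port the worm spreads over (from the post)
PROTO_TCP = 6
PROTO_UDP = 17


def build_ipv4_packet(src, dst, proto, sport, dport, payload):
    """Build a minimal IPv4 datagram carrying UDP or TCP (constructed test input)."""
    if proto == PROTO_UDP:
        # UDP header: sport, dport, length (header + payload), checksum (left 0)
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    elif proto == PROTO_TCP:
        # 20-byte TCP header: ports, seq, ack, data offset, flags (SYN), window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    else:
        raise ValueError("unsupported protocol")
    total_len = 20 + len(l4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return ip_hdr + l4


def parse_ipv4(packet):
    """Return (src, dst, proto, sport, dport, payload), or None if not IPv4 UDP/TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes (options included)
    proto = packet[9]
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    l4 = packet[ihl:]
    if proto == PROTO_UDP and len(l4) >= 8:
        sport, dport, ulen, _ = struct.unpack("!HHHH", l4[:8])
        return src, dst, proto, sport, dport, l4[8:ulen]
    if proto == PROTO_TCP and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        doff = (l4[12] >> 4) * 4          # TCP data offset in bytes
        return src, dst, proto, sport, dport, l4[doff:]
    return None


def should_drop(packet):
    """The filter the post recommends: drop UDP to port 1434, pass everything else."""
    parsed = parse_ipv4(packet)
    if parsed is None:
        return False
    _, _, proto, _, dport, _ = parsed
    return proto == PROTO_UDP and dport == SLAMMER_PORT


def filter_traffic(packets):
    """Apply should_drop() to a list of packets; returns the packets that pass."""
    return [pkt for pkt in packets if not should_drop(pkt)]


def find_scanners(packets, min_targets=3):
    """Sources that sent UDP/1434 probes to at least min_targets distinct hosts.

    A single probe can be legitimate SQL browsing; a source hitting many
    distinct hosts on UDP/1434 is behaving like the worm. min_targets is an
    assumed threshold for this example.
    """
    targets = defaultdict(set)
    for pkt in packets:
        parsed = parse_ipv4(pkt)
        if parsed and parsed[2] == PROTO_UDP and parsed[4] == SLAMMER_PORT:
            targets[parsed[0]].add(parsed[1])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


# Constructed sample traffic: one host spraying UDP/1434 at five neighbours,
# plus unrelated DNS, a normal HTTP request, and a single isolated 1434 probe.
PROBE = b"X" * 64   # placeholder payload; the real worm packet is not reproduced
SAMPLE_TRAFFIC = [
    build_ipv4_packet("192.0.2.10", f"198.51.100.{i}", PROTO_UDP, 40000 + i, 1434, PROBE)
    for i in range(1, 6)
] + [
    build_ipv4_packet("192.0.2.20", "198.51.100.7", PROTO_UDP, 53, 53, b"dns"),
    build_ipv4_packet("192.0.2.30", "198.51.100.8", PROTO_TCP, 50000, 80, b"GET / HTTP/1.0\r\n\r\n"),
    build_ipv4_packet("192.0.2.40", "198.51.100.9", PROTO_UDP, 1434, 1434, PROBE),
]

if __name__ == "__main__":
    passed = filter_traffic(SAMPLE_TRAFFIC)
    print(f"{len(SAMPLE_TRAFFIC)} packets in, {len(passed)} passed the UDP/1434 filter")
    for src, n in find_scanners(SAMPLE_TRAFFIC).items():
        print(f"likely infected host {src}: probed {n} distinct targets on UDP/1434")
```

The filter only ever inspects the protocol number and destination port, which is why it can be applied at any hop without collateral damage: the HTTP request in the sample passes untouched, whereas a Code Red style filter on TCP/80 would have to drop it too. The scanner heuristic is deliberately separate from the filter so that a site can log and identify infected hosts while the port block keeps the probes from reaching anything.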