SOURCE: eweek
DATE : January 25, 2003
TITLE : SQL Worm Pounds Internet
AUTHOR: By Dennis Fisher and Chris Gonsalves
A worm that attacks known vulnerabilities in Microsoft Corp.'s SQL
Server hit the Internet hard Friday night and early Saturday morning,
slowing Web traffic to a crawl globally as it generated billions of
attacks, according to security response experts.
Dubbed the Sapphire Worm, or SQL Slammer (so called because security
engineers were called out of bars just after midnight Friday to begin
the detection and clean-up work), the malware exploits a buffer
overflow in Microsoft SQL Server 2000. That flaw, first discovered in
July 2002, exists because of the way SQL Server handles data sent to
its monitor port, according to Marc Maiffret, chief hacking officer
for eEye Digital Security in Aliso Viejo, Calif.
Once the worm compromises a vulnerable computer, it randomly selects
a new target and sends the same exploit and propagation code to that
host, said Chris Rouland, director of the X-Force response team at
Internet Security Systems Inc., in Atlanta.
"Although the Slammer worm is not destructive to the infected host,
it does generate a damaging level of network traffic when it scans
for additional targets," an X-Force alert reads. "A large amount of
network traffic is created by the worm. Billions of attacks have
been detected in the last 12 hours from various industry sources."
ISS received reports that several major national ISPs either
experienced severe latency or were completely unreachable at the
height of the attack, Rouland said. Overnight, five of the Internet's
13 root DNS servers were down and two others had latencies of more
than 10 seconds, he added.
Unlike the Nimda worm, Slammer does not target local subnet
addresses, ISS officials said. It simply seeks to replicate itself
and does not try to further compromise servers or retain access to
compromised hosts. Because it exists only in memory, the Slammer worm
also does not infect or modify any files on disk.
"It should be noted that this worm is not the same as an earlier
SQL worm that used the SA/nopassword SQL vulnerability as its
spread vector," eEye's Maiffret wrote in a posting on the
NTBugtraq mailing list. "This new worm is more devastating as it
is taking advantage of a software-specific flaw rather than a
configuration error. We have already had many reports of smaller
networks brought down due to the flood of data from the Sapphire
Worm trying to re-infect new systems."
Experts said the attack appears to have begun in South Korea,
where Internet service was effectively shut down early Saturday.
Experts are recommending that administrators immediately firewall
SQL Server ports at all of their gateways. The worm uses only UDP
port 1434 (the SQL Monitor port) to spread itself to new systems.
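The two facts above, that the worm picks its next targets at random and that it spreads over nothing but UDP port 1434, give network staff a simple way to find infected machines from gateway or flow logs while the firewall rules are going in: a legitimate client resolves one or two SQL Server instances, whereas an infected host sprays UDP/1434 datagrams at many unrelated destinations within seconds. The script below is an added example written for this page, not code from the article, eEye or ISS. The flow-record format, the internal address ranges and the fan-out threshold are assumptions, and the log lines it analyses are constructed to match the behaviour the article describes.

```python
"""Flag internal hosts that fan out UDP/1434 datagrams to many destinations.

Added example, not from the eWEEK article or any vendor tool. The record
format ('ts proto src:sport > dst:dport'), the internal address ranges and
the threshold are assumptions chosen for illustration.
"""
from __future__ import annotations

import random
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Set, Tuple

SQL_MONITOR_PORT = 1434   # the only port the article says Slammer spreads on
FANOUT_THRESHOLD = 20     # assumed: distinct UDP/1434 destinations per window

# Assumed address space of "our" network; traffic from these is outbound.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

_FLOW_RE = re.compile(r"^(\S+)\s+(udp|tcp)\s+(\S+):(\d+)\s+>\s+(\S+):(\d+)$")


@dataclass(frozen=True)
class Flow:
    ts: float
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one constructed flow record; return None for anything else."""
    m = _FLOW_RE.match(line.strip())
    if not m:
        return None
    ts, proto, src, sport, dst, dport = m.groups()
    return Flow(float(ts), proto, src, int(sport), dst, int(dport))


def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def scanning_hosts(lines: Iterable[str], window: float = 60.0,
                   threshold: int = FANOUT_THRESHOLD) -> Dict[str, int]:
    """Return {src: distinct_destinations} for internal hosts that send
    UDP/1434 to at least `threshold` distinct destinations in one window."""
    fanout: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        if f is None or f.proto != "udp" or f.dport != SQL_MONITOR_PORT:
            continue
        if not is_internal(f.src):
            continue  # inbound probes are the gateway filter's job
        fanout[(f.src, int(f.ts // window))].add(f.dst)
    hits: Dict[str, int] = {}
    for (src, _bucket), dsts in fanout.items():
        if len(dsts) >= threshold:
            hits[src] = max(hits.get(src, 0), len(dsts))
    return hits


def constructed_sample() -> List[str]:
    """Constructed flow records: one normal client, one Slammer-like host."""
    rng = random.Random(2003)
    base = 1043600000.0
    lines = []
    # A legitimate client resolving the same named instance three times.
    for i in range(3):
        lines.append(f"{base + i:.3f} udp 10.0.1.4:{50000 + i} > 10.0.9.2:1434")
    # An infected host: UDP/1434 to 25 random non-internal targets in seconds.
    targets: Set[str] = set()
    while len(targets) < 25:
        cand = f"{rng.randint(1, 223)}." + ".".join(
            str(rng.randint(0, 255)) for _ in range(3))
        if not is_internal(cand):
            targets.add(cand)
    for i, t in enumerate(sorted(targets)):
        lines.append(f"{base + 0.1 * i:.3f} udp 10.0.5.17:{40000 + i} > {t}:1434")
    # Ordinary TCP/1433 traffic and an external probe must not be flagged.
    lines.append(f"{base + 10:.3f} tcp 10.0.1.4:51234 > 10.0.9.2:1433")
    lines.append(f"{base + 11:.3f} udp 198.51.100.9:1434 > 10.0.9.2:1434")
    return lines


if __name__ == "__main__":
    for host, n in scanning_hosts(constructed_sample()).items():
        print(f"{host}: {n} distinct UDP/1434 destinations, likely infected")
```

The check keys on fan-out rather than on volume alone, because a busy but healthy client can legitimately send many UDP/1434 queries to the same server; only the spread across unrelated destinations reflects the random targeting described above. Whatever threshold is chosen, blocking UDP 1434 at the gateway remains the primary control, and this report is only a way to find the hosts that still need patching behind it.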
Since Slammer takes advantage of a known vulnerability,
administrators are also urged to apply the current patches available at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp
or contained in the SQL Server 2000 service packs at
http://www.microsoft.com/sql/downloads/2000/sp3.asp