[ANN:] MS SQL Worm Update (GN)
Vijay Kumar
Jan 26, 2003 18:14 PST
MS SQHell Worm
Author: vijay
Date: Sun Jan 26 14:52:11 IST 2003
Type: FYI
For Glug-Nilgiris Members [glug-nilgiri-@topica.com]
This is a compilation of this weekend's Net/news postings on the MS SQHell worm.
Concept/Discussion
======================================================================
A worm which exploits a (new?) vulnerability in SQL Server is bringing the
core routers to a grinding halt. The speed of the propagation can be
attributed to the attack method and simplicity of the code. The worm
sends a 376-byte UDP packet to port 1434 of each random target; each
vulnerable system will immediately start propagating itself. Since UDP is
connection-less, the worm is able to spread much more quickly than those
using your standard TCP-based attack vectors (no connect timeouts).
Some random screen shots, a copy of the worm as a perl script, and a
disassembly (sorry, no comments) can be found online at:
http://www.digitaloffense.net/worms/mssql_udp_worm/
"Microsoft's database server SQL Server 2000 exhibits two buffer overrun
vulnerabilities that can be exploited by a remote attacker without ever
having to authenticate to the server."
***********************
MS SQL listens on port 1434/udp so that clients can figure out which method
of communication to use (named pipes, tcp/ip et al).
There are two problems that yield the ability to execute code remotely while
unauthenticated.
***********************
This is also being widely reported on the NANOG
and inetproviders lists. Check traffic outbound
from your MS SQL hosts if any. Firewall 1434/UDP
inbound and outbound if you don't already.
Tier 1 backbones are reporting a bad night: routing
instabilities, one major dropped most of its peering
for a while, the volume from this triggers the Cisco
netflow switching bug and is causing routers to lock
up at places, etc.
***********************
This is indeed happening widely tonight. Some of the
client machines here have been hit as their boxes were
not patched up properly. We have firewalled access and
have brought our core switches online again after a
brief interruption where the traffic here got up to a
little over 110Mbits/s. The switches simply went into
failover. The good news is that it is not autonomous,
so you can control access through port filtering until
the patches are applied.
The UDP D.O.S. attack: (Random snippets from logs)
PROTO=UDP SPT=1518 DPT=1434
PROTO=UDP SPT=1032 DPT=1434
PROTO=UDP SPT=1077 DPT=1434
PROTO=UDP SPT=4319 DPT=1434
***********************
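The log snippets above only show the destination port; what tells an infected host apart from a legitimate client is the fan-out, since a real client asks one SQL server for its connection method while a worm-infected box sprays UDP/1434 at random addresses. The following is an added example, not code from the original posting or from any of the quoted authors: it parses a few constructed netfilter-style log lines (the SRC/DST/IN/OUT fields are assumed; the page's snippets show only PROTO/SPT/DPT), counts distinct UDP/1434 destinations per outbound source, and flags sources whose fan-out exceeds a threshold, which is the "check traffic outbound from your MS SQL hosts" advice turned into a script.

```python
import re
from collections import defaultdict

# Constructed sample log lines in netfilter/iptables format. The timestamps,
# addresses and interface names are made up for this example; the PROTO/SPT/DPT
# values echo the snippets quoted in the post.
SAMPLE_LOG = """\
Jan 25 21:03:11 gw kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=UDP SPT=1518 DPT=1434
Jan 25 21:03:11 gw kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.77 PROTO=UDP SPT=1032 DPT=1434
Jan 25 21:03:11 gw kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.200 PROTO=UDP SPT=1077 DPT=1434
Jan 25 21:03:12 gw kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 PROTO=UDP SPT=4319 DPT=1434
Jan 25 21:03:12 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.20 PROTO=UDP SPT=1099 DPT=1434
Jan 25 21:03:13 gw kernel: IN= OUT=eth0 SRC=192.0.2.20 DST=203.0.113.5 PROTO=TCP SPT=3321 DPT=1433
Jan 25 21:03:14 gw kernel: IN= OUT=eth0 SRC=192.0.2.30 DST=203.0.113.5 PROTO=UDP SPT=2055 DPT=1434
"""

# KEY=value tokens we care about; an empty value (e.g. "IN=") is captured as "".
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")


def parse_line(line):
    """Return a dict of the KEY=value fields found in one log line."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def udp_1434_fanout(log_text):
    """Map each source address to the set of distinct destinations it sent
    UDP/1434 datagrams to. Only lines with a non-empty OUT= interface (traffic
    leaving the network) are counted, following the post's advice to watch
    what your own hosts send out; inbound scans are somebody else's infection."""
    fanout = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if (fields.get("PROTO") == "UDP"
                and fields.get("DPT") == "1434"
                and fields.get("OUT")):
            fanout[fields["SRC"]].add(fields["DST"])
    return fanout


def suspected_infected(log_text, threshold=3):
    """Sources that sent UDP/1434 to `threshold` or more distinct hosts.
    The threshold is a tunable assumption: one or two destinations is what a
    client resolving a SQL instance looks like, a spray across many is not."""
    return sorted(src for src, dsts in udp_1434_fanout(log_text).items()
                  if len(dsts) >= threshold)


if __name__ == "__main__":
    for src, dsts in sorted(udp_1434_fanout(SAMPLE_LOG).items()):
        print(f"{src}: {len(dsts)} distinct UDP/1434 destination(s)")
    print("suspected infected:", suspected_infected(SAMPLE_LOG))
```

Feed it a real kernel log (`grep DPT=1434 /var/log/messages`) instead of the constructed sample and any source that shows up in the suspected list is a host to isolate and patch before lifting the port filter.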
We can confirm it here in Toronto, Canada. Even though the effect was
minimal to us, we saw many major networks disappear on the Internet.
The effect is like a LAN denial of service attack. The requests are
distributed over port 1434 UDP to multicast addresses. If the multicast
on the router is enabled, this can multiply the effect to WAN.
You have to patch your MS-SQL Server to the highest service pack.
But, here is the funny thing, we had a MS-Project Server 2002 installed
on a test machine with MSDE running. There is no service pack 3 for MSDE
2000 yet, but there is a hotfix to solve the problem.
That hotfix requires service pack 2. When we tried to install service
pack 2 for MSDE, it gave an error. On the Microsoft web site, it says
that SOME! of the MSDE installations require the service pack 2 to be
installed only from an update CD but not from the Internet.
I think it's going to be a while for all the networks to install these
patches properly to stop these attacks.
Meanwhile I also recommend the sys admins to block the outgoing
1434 TCP/UDP as well. Incoming blocking might protect some of your servers
but if you are already affected, at least try to contain this in your LAN
by blocking the outgoing ports.
***********************
However, this worm might not be so harmless as it appears because of
collateral damage:
Bank of America ATMs Disrupted by Virus
http://story.news.yahoo.com/news?tmpl=story&ncid=578&e=3&cid=569&u=/nm/20030125/tc_nm/tech_virus_dc
"SEATTLE (Reuters) - Bank of America Corp. said on
Saturday that customers at a majority of its 13,000
automatic teller machines were unable to process
customer transactions after a malicious computer worm
nearly froze Internet traffic worldwide."
***********************
Subject: RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
The fact that the nation's largest banking institution relies on the
Internet for ATM transactions is disturbing. I personally experienced
this while at a Bank of America ATM today. I will never use Bank of
America because of a statement like that.
-brian
On Sat, 25 Jan 2003, Richard M. Smith wrote:
> However, this worm might not be so harmless as it appears because of
> collateral damage:
> Bank of America ATMs Disrupted by Virus
> http://story.news.yahoo.com/news?tmpl=story&ncid=578&e=3&cid=569&u=/nm/20030125/tc_nm/tech_virus_dc
> "SEATTLE (Reuters) - Bank of America Corp. said on
> Saturday that customers at a majority of its 13,000
> automatic teller machines were unable to process
> customer transactions after a malicious computer worm
> nearly froze Internet traffic worldwide."
Richard M. Smith
http://www.ComputerBytesMan.com
-----Original Message-----
From: Jason Coombs [mailto:jas-@science.org]
Sent: Saturday, January 25, 2003 4:41 PM
To: Jay D. Dyson; Bugtraq
Subject: RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
Jay Dyson wrote:
> And to think...up until tonight, I thought the vulnerabilities
> that paved the way for Nimda were the worst that Microsoft could do
> to the net.community. They've really topped themselves this time.
As of now we don't know who wrote the worm, but we do know that it looks
like a concept worm with no malicious payload. There is a good argument to
be made in favor of such worms. Whoever did write this worm could have done
severe damage beyond unfocused DDoS and chose not to do so. One would expect
intelligence agencies in developed countries to write and release precisely
this type of concept worm as a form of mass inoculation against malicious
attacks.
Before you get upset at your vendor, or anyone else's, consider the bigger
picture and recognize the increased security hardening the Internet just
received. Belief in this silver lining shouldn't be taken too far, of
course, but flaming anyone over an event like this is misplaced considering
the number of infosec experts who would probably have agreed to write this
worm if approached by their nations' government with proof that an adversary
was planning to cause severe harm by exploiting the W32/SQLSlammer
vulnerability.
Sincerely,
Jason Coombs
jas-@science.org
***********************
===============================================================================
End of MS SQHell Worm
===============================================================================
--
-vi