| |
|
|
 |
 |
5870 West Jefferson Blvd., Suite A
Los Angeles, CA 90016
Tel: 310.815.8855
Fax: 310.815.8808
info@OnlineSecurity.com
© 2008 Online Security
All rights reserved.
|
|
|
SUCCESS STORIES
| Posted: 01/29/2003 | National Infrastructure Protection Center UPDATE | | Original Source:
Summary:
This advisory updates NIPC Advisory 03-001 regarding the self-propagating malicious code that exploits multiple vulnerabilities in the Resolution Service of Microsoft SQL Server 2000. This worm activity appears to have caused various levels of network degradation across the Internet. In addition to the compromise of vulnerable machines; the apparent effects of this fast-spreading, virus-like infection has overwhelmed the world's digital pipelines and interfered with Web browsing and delivery of e-mail.
Update:
"Slammer" continues to affect unpatched systems and networks.
Properly patched home computers are unlikely to be vulnerable to the worm. However, because of network degradation, computers connected to the internet, may experience delays or “timeouts”.
Some who attempted to patch their systems after hearing about the worm were unable to download the fix from Microsoft because of a sudden spike in download demand and the worm's own network-clogging traffic. A suggested solution would be to attempt to patch downloads during the times of less network / internet usage; late night or early morning hours.
A service pack that included a fix for the vulnerability that Slammer exploits was released on January 17, 2003. Service pack fix requires time to download and configure – up to two hours depending on the size of a users SQL database.
The worm only spreads as an in-memory process; it never writes itself to the hard drive.
The worm uses UDP port 1434 to exploit a buffer overflow in MS SQL server. Close this port on your firewall to halt the introduction of the worm targeting the MS SQL vulnerability.
As the worm does not infect any files, an infected machine can be cleaned by simply rebooting the machine. However, once re-connected to the network without applying SP2 or SP3 patches for the MS SQL Server, the machine will soon be re-infected.
For patch information, see:
There are many other applications that might unknowingly install Microsoft SQL Server or MSDE 2000 on a users computer. Examples of such software are:
Microsoft Age of Mythology (yes, it's a game)
Microsoft Biztalk Server
Microsoft Office XP Developer Edition
Microsoft Project
Microsoft SharePoint Portal Server
Microsoft Visio 2000
Microsoft Visual FoxPro
Microsoft Visual Studio.NET
Microsoft .NET Framework SDK
Compaq Insight Manager
Crystal Reports Enterprise
Dell OpenManage
HP Openview Internet Services Monitor
McAfee Centralized Virus Admin
McAfee Epolicy Orchestrator
Trend Micro Damage Cleanup Server
Websense Reporter
Veritas Backup Exec
WebBoard Conferencing Server
etc.
Additional information:
BACKGROUND:
Starting around 01:30 GMT-0500 on Saturday, January 25, the Internet experienced increased traffic from seemingly random Internet Protocol (IP) source addresses to port 1434/udp targeting a service provided by Microsoft SQL Server. The packets appear to be of a small size (approximately 376 bytes). Reports indicate that the impact of this activity is causing varied levels of degradation in Internet connectivity. Early analysis suggests this is a result of scanning from a worm.
The worm apparently can easily fill the state table of stateful firewalls, e.g. PIX, Check Point, and Netscreen. This will cause an outage for the infected site, and the outage may occur long before the data pipes are filled. This issue is also causing problems to routers, both directly and indirectly. The worm generates some addresses to be attacked, including multicast addresses. This may cause problems for multicast-enabled routers and networks.
RESULTS:
This worm causes high CPU usage on servers, essentially slowing or shutting servers down. An infected host will spew packets as quickly as the infinite loop will allow. While an additional malicious "payload" has not yet been identified, this vulnerability essentially exploits a buffer overflow which may allow remote access to a victim's Microsoft SQL data base servers.
IMMEDIATE REMEDIATION:
Block or filter port 1434/udp ingress (inbound) and egress (outbound) traffic.Monitor watch port 1433 for any increased traffic load.
PREVIOUS SQL VULNERABILITY:
There have been previous SQL vulnerabilities. Last year, an SQL vulnerability was discovered and patches provided (see NIPC Advisory 02-003 "Microsoft SQL worm spider" May 22, 2002 at ). Microsoft SQL server users are encouraged to review the following web site to ensure they have taken appropriate action to fix that vulnerability.
Further information will be provided as it becomes available. In the meantime, you are encouraged to report any incidents to the NIPC at . Additional information is available at .
Recipients of this advisory are encouraged to report computer crime to federal, state, or local law enforcement and other appropriate authorities. The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch@fbi.gov">email NIPC. |
|
|
|
>> Full SUCCESS STORIES Archive
|
