https

   SQL Sapphire / SQL-Hell
Slammer Worm News

Page Updated: Feb 24, 2008 at 16:14 (2,249.59 days ago)Viewed 52 times per day

WORM WATCH 2003
Saturday, 25 Jan 2003 — A New Worm is Loose

A new worm exploded onto the Internet, causing worldwide traffic congestion as it aggressively replicated by searching for vulnerable and unpatched Microsoft Windows servers running the SQL database engine.

The worm is known by the names "SQL Sapphire", "SQL-Hell" and "MS SQL Slammer".

The sharp gang at eEye immediately deconstructed and analyzed this new worm. (See the link for their analysis.)

Matthew Murphy has also provided a detailed technical analysis of the worm.

Robert Graham's excellent SQL slammer analysis is a must-read.

Symantec's quick and free vulnerability testing tool.



Dangerous Applications

Users of the following applications which install the MSDE (Microsoft SQL Desktop Engine) may also be at risk of SQL Sapphire worm infection:

Microsoft Biztalk Server, Visual Studio.NET, .NET Framework SDK, Application Center Server, Microsoft Visio 2000, Microsoft Project, McAfee Centralized Virus Admin, FlipFactory, Lyris Listserver, ASP.NET Web Matrix Tool, Office XP Developer Edition, MSDN Universal and Enterprise Edition, Microsoft Visual FoxPro 7.0, Compaq Insight Manager, Dell OpenManage, HP Openview Internet Services Monitor, Websense, Megatrack from BLUEMEGA, Veritas Backup Exec ver 9.0, WebBoard, Chubb security system, Microsoft Office 2000/XP, Crystal Reports Enterprise 8.5, MonTel (a PABX admin tool), HelpMaster Pro, Hailstorm (http://www.cenzic.com), McAfee Epolicy Orchestrator, GFI S.E.L.M, SecureScanNX - Vigilante, ASSET v1.01 - NIST, Centennial Discovery, SalesLogix, Helpstar (Helpdesk), http://www.realestate.intuit.com/, Microsoft's Age of Mythology, Tumbleweed Secure Guardian, World Secure, PowerQuest Deploy Center 5, ControlCenter ST, Trend Micro Damage Cleanup Server 1.0, Compaq Insight Manager v7, Patchlink Patch Management System, Microsoft SharePoint Portal Server

Please see the lefthand column of the SQL Security site home page, under the heading "MSDE/SQL Apps", for an updated list of dangerous applications.



For further information, please see these excellent sites:

 The terrific CAIDA team research paper

 http://www.eeye.com/...

 Matthew Murphy's technical analysis

 Robert Graham's excellent worm analysis

 http://www.cert.org/...

 http://isc.incidents.org/...

 http://www.symantec.com/avcenter/...

 http://www.sqlsecurity.com/...

A Quick Vulnerability Test
You may quickly and easily check your system:

It is unlikely that typical personal computer users will be vulnerable to this worm's infection attempts, so you probably have nothing to worry about. Most personal computers are not running Microsoft's "SQL Server", so there is no point of entry for this infection.

To quickly verify that your system is not running Microsoft's SQL Server, and therefore can not be infected by Sapphire/Slammer worm probes, enter the following command in an "MS-DOS Prompt" window:

netstat -an | find "1434"

This DOS command line checks for the presence of any process "listening" on your computer's port 1434. Your system might be vulnerable only if some lines containing "1434" are printed to the screen when this command is entered. Otherwise, your computer can not be infected by this new worm.

(Note: The vertical bar "|" character is often located above the keyboard's "\" character.)


Commentary

The Windows SQL Server "buffer overflow" vulnerability being exploited by this worm has been known for six months. Security patches and updates have been available since it's public disclosure. Therefore, only machines that are not kept up to date with current security patches and service packs are vulnerable to infection. On his page, Robert Graham presents an extremely compelling argument for the practical impossibility of ever achieving total patching of vulnerable machines.

eEye's and other analysis of the worm's payload indicates that, unlike the previous CodeRed and Nimda worms, this worm's only agenda is self replication. (Which it pursues with significant gusto.)

Since the worm lives only in the system's RAM memory and does not modify any system files, "disinfection" of an infected system is as simple as a system reboot.

It is somewhat intriguing that every worm packet probe emitted contained a complete self-replicating-capable copy of the entire worm. Thanks to the worm's use of the "connectionless" UDP protocol, the receipt of a single packet was all that was necessary.

We are fortunate that the worm spreads by UDP protocol over port 1434, because this traffic can be readily filtered and blocked at any level of the Internet without negative side effects. This was not the case, for example, with the previous Code Red and Nimda worms which used standard web TCP protocol and ports and could not, therefore, be blocked without blocking all other web traffic.


Jump to top of page
Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2014 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.
Jump to top of page

Last Edit: Feb 24, 2008 at 16:14 (2,249.59 days ago)Viewed 52 times per day