Page Updated: Feb 24, 2008 at 16:14
The buffer overflow vulnerability in Microsoft SQL Server exploited by this worm has been publicly known for six months, and a security patch has been available since its disclosure. Only machines that have not been kept current with security patches and service packs are therefore vulnerable to infection. On his page, Robert Graham presents an extremely compelling argument for the practical impossibility of ever achieving total patching of vulnerable machines.
eEye's analysis of the worm's payload, and others', indicates that, unlike the earlier Code Red and Nimda worms, this worm's only agenda is self-replication (which it pursues with considerable gusto).
Since the worm lives only in the system's RAM and does not modify any files on disk, "disinfecting" an infected system is as simple as rebooting it. Note, however, that a reboot removes only the running copy: an unpatched system put back on the network with UDP port 1434 reachable will be re-infected by the next probe that arrives, so the reboot must be paired with the patch or with filtering of that port.
It is somewhat intriguing that every probe packet the worm emits contains a complete, self-replicating copy of the entire worm; the whole thing is only 376 bytes and fits in one datagram. Thanks to the worm's use of the "connectionless" UDP protocol, receipt of that single packet is all that is necessary to infect a vulnerable host: there is no handshake, no session to establish and no second round trip.
We are fortunate that the worm spreads by UDP over port 1434, because this traffic can be readily filtered and blocked at any level of the Internet without negative side effects. This was not the case, for example, with the earlier Code Red and Nimda worms, which used the standard web TCP protocol and port and could not, therefore, be blocked without blocking all other web traffic.
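The two points above (one UDP datagram to port 1434 carries the whole infection, and that port can be filtered on a single field) can be shown with a small packet classifier. The following is an added example, not code from the GRC page, eEye or Microsoft. It assumes the two legitimate request shapes of the SQL Server Resolution Service protocol (a single 0x02 byte to list instances, or 0x04 followed by an instance name) and takes 32 characters as the instance-name limit; the packets it inspects are constructed inline for the example, and the "oversized" one is filler bytes in the shape of an overflowing request, not the worm itself.

```python
"""Classify UDP datagrams sent to the SQL Server Resolution Service port (1434).

Added example, not part of the original page.  Legitimate request shapes are
taken from the Resolution Service protocol; the 32-character instance-name
limit and the sample packets are assumptions constructed for this example.
"""
import struct

SSRS_PORT = 1434
CLNT_BCAST_EX = 0x02      # "list all instances" request: exactly one byte
CLNT_UCAST_INST = 0x04    # "query one instance": 0x04 followed by its name
MAX_INSTANCE_NAME = 32    # assumption: instance-name limit used as threshold
MAX_LEGIT_INST_REQUEST = 1 + MAX_INSTANCE_NAME


def build_ipv4_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal IPv4+UDP packet (checksums left zero; fine for offline parsing)."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst)
    return ip_hdr + udp


def parse_ipv4_udp(pkt: bytes):
    """Return (src, dst, sport, dport, payload), or None if not IPv4/UDP."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17:                      # IPv4 protocol field: 17 = UDP
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport, ulen, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    payload = pkt[ihl + 8:ihl + ulen]
    return src, dst, sport, dport, payload


def classify(pkt: bytes) -> str:
    """'ignore' for traffic not aimed at 1434, 'legit-*' for well-formed
    Resolution Service requests, 'suspect-overflow' for anything else."""
    parsed = parse_ipv4_udp(pkt)
    if parsed is None or parsed[3] != SSRS_PORT:
        return "ignore"
    payload = parsed[4]
    if payload == bytes([CLNT_BCAST_EX]):
        return "legit-broadcast"
    if (payload[:1] == bytes([CLNT_UCAST_INST])
            and 2 <= len(payload) <= MAX_LEGIT_INST_REQUEST):
        return "legit-instance-query"
    # Everything else to 1434: an oversized instance request, or an unknown
    # opcode.  A single datagram like this is all an attacker needs to send.
    return "suspect-overflow"


# Constructed sample traffic for the example (not a capture, not the worm).
SAMPLES = {
    "browse": build_ipv4_udp("10.0.0.5", "10.0.0.255", 3000, SSRS_PORT,
                             bytes([CLNT_BCAST_EX])),
    "instance": build_ipv4_udp("10.0.0.5", "10.0.0.9", 3001, SSRS_PORT,
                               bytes([CLNT_UCAST_INST]) + b"ACCOUNTING"),
    # 0x04 followed by 375 filler bytes: the overflowing *shape* of a
    # single-datagram attack, with filler instead of any real payload.
    "oversized": build_ipv4_udp("192.0.2.7", "10.0.0.9", 40000, SSRS_PORT,
                                bytes([CLNT_UCAST_INST]) + b"\x01" * 375),
    "web": build_ipv4_udp("10.0.0.5", "10.0.0.9", 3002, 80,
                          b"GET / HTTP/1.0\r\n\r\n"),
}


def scan(packets: dict) -> dict:
    """Classify every packet in a name->bytes mapping."""
    return {name: classify(pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:10s} {verdict}")
```

The classifier never needs a second packet or any connection state, which is exactly why one datagram suffices for infection and why a border filter on "UDP, destination port 1434" is cheap and side-effect free: the web request on port 80 is ignored untouched, while nothing legitimate to 1434 is longer than a short instance name.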
Gibson Research Corporation is owned and operated by Steve Gibson. The contents
of this page are Copyright (c) 2016 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson