Slashdot Mirror


MS SQL Server Worm Wreaking Havoc

defile writes "Since about midnight EST almost every host on the internet has been receiving a 376 byte UDP payload on port ms-sql-m (1434) from a random infected server. Reports of some hosts receiving 10 per minute or more. internetpulse.net is reporting UUNet and Internap are being hit very hard. This is the cause of major connectivity problems being experienced worldwide. It is believed this worm leverages a vulnerability published in June 2002. Several core routers have taken to blocking port 1434 outright. If you run Microsoft SQL Server, make sure the public internet can't access it. If you manage a gateway, consider dropping UDP packets sent to port 1434." bani adds "This has effectively disabled 5 of the 13 root nameservers."
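An added example, not part of the original submission: a gateway operator can use the two observables named above (UDP destination port 1434 and a 376-byte payload) to separate internal hosts that are fanning out to many destinations from inbound probes that only need to be dropped. The flow-record format, the 10.0.0.0/8 internal range and the thresholds are assumptions made for this illustration, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

PORT, PAYLOAD_LEN = 1434, 376        # ms-sql-m and the payload size from the story
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumption: our address space

# Constructed flow records: epoch src dst proto dport udp_payload_bytes
SAMPLE_FLOWS = "\n".join(
    [f"{1043470800 + i} 10.1.2.30 198.51.100.{i + 1} udp 1434 376" for i in range(6)]
    + [f"{1043470800 + i} 10.1.2.60 192.0.2.{i + 1} udp 53 376" for i in range(6)]
    + ["1043470805 10.1.2.44 10.1.2.30 udp 1434 12",     # small resolution query
       "1043470806 203.0.113.9 10.1.2.30 udp 1434 376",  # probe from outside
       "truncated record"]
)

def matching_events(text):
    """Yield (ts, src, dst) for well-formed records matching port and size."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue                  # skip malformed lines instead of failing
        ts, src, dst, proto, dport, size = fields
        if proto.lower() == "udp" and int(dport) == PORT and int(size) == PAYLOAD_LEN:
            yield int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst)

def triage(text, window=60, min_targets=5):
    """Internal hosts fanning out to >= min_targets distinct destinations within
    `window` seconds, plus a count of matching datagrams arriving from outside."""
    by_src, inbound = defaultdict(list), 0
    for ts, src, dst in matching_events(text):
        if src in INTERNAL:
            by_src[src].append((ts, dst))
        elif dst in INTERNAL:
            inbound += 1
    infected = {}
    for src, events in by_src.items():
        events.sort()
        start = best = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] >= window:   # slide the window forward
                start += 1
            best = max(best, len({d for _, d in events[start:end + 1]}))
        if best >= min_targets:
            infected[str(src)] = best
    return {"infected_internal": infected, "inbound_probes": inbound}
```

Hosts listed under `infected_internal` are the ones to isolate first; the inbound count only measures how much traffic the port 1434 drop rule is absorbing.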

5 of 906 comments

  1. The Fix? by Lord+Prox · · Score: 0, Troll

    So will it be this year that MicroSquash will sell us the fix for this, or will the release date slip?

    Ya know... On a more serious note, one of these days one of these little worms will have a really mean and nasty payload attached. Instead of just swamping us with annoying packets it could do some major harm. Remember Code Red? Something like 90% of infectable hosts infected in 26 hours... the thing could have destroyed the server's OS/file system/whatever. It was the kindness of the coder that he/she spared us from that. We should not let the world economy's security be handled by the kindness of these worm/virii coders!!!

    I say we should shoot l4m3r windows sysadmins on sight... for the sake of the world... and our beloved Internet.

  2. Seems straightforward to me by 0x0d0a · · Score: 0, Troll

    Having used Oracle, SQL Server, and PostgreSQL, I'm wondering... why use anything other than PostgreSQL?

    Because if you're using PostgreSQL, you don't have the satisfaction of saying "I have so much power that I can waste N hundred thousand dollars of company funds on Oracle." It's a status thing.

  3. SQL Slammer Worm by issadvisor · · Score: 0, Troll

    Internet Security System (ISS) was the first to discover and name a new worm it is tracking - "SQL Slammer" - that is rapidly spreading across the Internet via Microsoft SQL servers. The worm is responsible for large amounts of Internet traffic as well as millions of UDP/IP probes causing the Internet and online service to be inaccessible. Reports of major Internet Service Providers (ISPs), banking services and telecommunications worldwide have been affected. Severe latency in domain name service (DNS) causing Web sites to be completely unreachable. Other nations affected include South Korea's Internet infrastructure which has come to a standstill. This worm exploits MS/SQL servers vulnerable to the SQL Server Resolution service buffer overflow (CVE CAN-2002-0649). Once a vulnerable computer is compromised, the worm will infect that target, randomly select a new target, and resend the exploit and propagation code to that host. ISS X-Force team responsible for the discovery and naming of this worm are available to provide help at: https://gtoc.iss.net/issEn/delivery/gtoc/index.jsp Impact: The Slammer is generating a damaging level of network traffic when it scans for targets that are vulnerable. Billions of attacks have been detected in the last 12 hours from ISS Global Threat Operations Center (GTOC). Affected Versions: Microsoft SQL Server 2000, Microsoft Desktop Engine (MSDE) 2000. Note: Unpatched or base installations older than SP3 are vulnerable. Description: The Slammer worm propagates via Microsoft SQL installations without patches from Microsoft Security Bulletin MS02-039 or higher. The main function of the Slammer worm is to continue propagation. No Denial of Service or backdoor functionality is incorporated into the worm. Infection can be removed with a reboot, however without protection in place, it is likely that vulnerable servers will be quickly re-infected. The Slammer worm seeks to replicate itself and does not try to compromise servers or retain access to compromised hosts. The Slammer worm does not infect or modify files, it only exists in memory. Warning: Anti-virus programs do not detect nor stop this worm. Recommendations: The ISS Dynamic Threat Protection platform has protected ISS customers for this major vulnerability for 6 months. Protection mechanisms have been available in RealSecure Network Sensor XPU 20.4 and XPU 5.3 and Internet Scanner XPU 6.15 (available as of 7/25/02). ISS X-Force recommends that system administrators immediately take steps to protect their networks. To remove the infection, apply the necessary patches listed below and restart the server. This action will remove the worm from memory. The following ISS updates address the issues described in this alert. These updates are available from the ISS Download center (http://www.iss.net/download). Additionally ISS X-Force recommends blocking UDP port 1433 and 1434 traffic to protect SQL Server databases with a firewall or packet filter. Microsoft SQL Server customers should refer to the following address for information and securing Microsoft SQL Server against this buffer overflow: http://www.microsoft.com/technet/security/bulletin/MS02-039.asp. Additional Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the Name CAN-2002-0649 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Additional Links: ISS: Security Center: X-Force Threat Forecast https://gtoc.iss.net/issEn/delivery/gtoc/index.jsp Microsoft SQL Slammer Worm Propagation http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21824 ISS Advisor community feedback http://www.issadvisor.com ______ About Internet Security Systems (ISS) Founded in 1994, Internet Security Systems, Inc. (ISS) is a world leader in Dynamic Threat Protection software and services that protect critical information assets from an ever-changing spectrum of threats and misuse. Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East.

    1. Re:SQL Slammer Worm by issadvisor · · Score: 0, Troll

      Internet Security System (ISS) was the first to discover and name a new worm it is tracking - "SQL Slammer" - that is rapidly spreading across the Internet via Microsoft SQL servers.

      The worm is responsible for large amounts of Internet traffic as well as millions of UDP/IP probes causing the Internet and online service to be inaccessible.

      Reports of major Internet Service Providers (ISPs), banking services and telecommunications worldwide have been affected
      Severe latency in domain name service (DNS) causing Web sites to be completely unreachable
      Other nations affected include South Korea's Internet infrastructure which has come to a standstill

      This worm exploits MS/SQL servers vulnerable to the SQL Server Resolution service buffer overflow (CVE CAN-2002-0649). Once a vulnerable computer is compromised, the worm will infect that target, randomly select a new target, and resend the exploit and propagation code to that host.

      ISS X-Force team responsible for the discovery and naming of this worm are available to provide help at: https://gtoc.iss.net/issEn/delivery/gtoc/index.jsp

      Impact:
      The Slammer is generating a damaging level of network traffic when it scans for targets that are vulnerable. Billions of attacks have been detected in the last 12 hours from ISS Global Threat Operations Center (GTOC).

      Affected Versions:
      Microsoft SQL Server 2000
      Microsoft Desktop Engine (MSDE) 2000
      Note: Unpatched or base installations older than SP3 are vulnerable.

      Description:
      The Slammer worm propagates via Microsoft SQL installations without patches from Microsoft Security Bulletin MS02-039 or higher. The main function of the Slammer worm is to continue propagation. No Denial of Service or backdoor functionality is incorporated into the worm. Infection can be removed with a reboot, however without protection in place, it is likely that vulnerable servers will be quickly re-infected.

      The Slammer worm seeks to replicate itself and does not try to compromise servers or retain access to compromised hosts. The Slammer worm does not infect or modify files, it only exists in memory.

      Warning: Anti-virus programs do not detect nor stop this worm.

      Recommendations:
      The ISS Dynamic Threat Protection platform has protected ISS customers for this major vulnerability for 6 months.

      Protection mechanisms have been available in RealSecure Network Sensor XPU 20.4 and XPU 5.3 and Internet Scanner XPU 6.15 (available as of 7/25/02).

      ISS X-Force recommends that system administrators immediately take steps to protect their networks. To remove the infection, apply the necessary patches listed below and restart the server. This action will remove the worm from memory.

      The following ISS updates address the issues described in this alert.
      These updates are available from the ISS Download center
      (http://www.iss.net/download)

      Additionally ISS X-Force recommends blocking UDP port 1433 and 1434 traffic to protect SQL Server databases with a firewall or packet filter.

      Microsoft SQL Server customers should refer to the following address for
      information and securing Microsoft SQL Server against this buffer
      overflow: http://www.microsoft.com/technet/security/bulletin/MS02-039.asp.

      Additional Information:
      The Common Vulnerabilities and Exposures (CVE) project has assigned the Name CAN-2002-0649 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

      Additional Links:
      ISS: Security Center: X-Force Threat Forecast
      https://gtoc.iss.net/issEn/delivery/gtoc/index.jsp

      Microsoft SQL Slammer Worm Propagation
      http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21824

      ISS Advisor community feedback
      http://www.issadvisor.com

      ______
      About Internet Security Systems (ISS)
      Founded in 1994, Internet Security Systems, Inc. (ISS) is a world leader in Dynamic Threat Protection software and services that protect critical information assets from an ever-changing spectrum of threats and misuse. Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East.

  4. Re:The White House commented on this today by Fig,+formerly+A.C. · · Score: 1, Troll

    I think that Microsoft is a menace that must be stopped with all due force. :-)

    --
    Murphy was an optimist.