Internet Security System (ISS) was the first to discover and name a new worm it is tracking - "SQL Slammer" - that is rapidly spreading across the Internet via Microsoft SQL servers.
The worm is responsible for large amounts of Internet traffic as well as millions of UDP/IP probes causing the Internet and online service to be inaccessible.
Reports of major Internet Service Providers (ISPs), banking services and telecommunications worldwide have been affected Severe latency in domain name service (DNS) causing Web sites to be completely unreachable Other nations affected include South Korea's Internet infrastructure which has come to a stand still
This worm exploits MS/SQL servers vulnerable to the SQL Server Resolution service buffer overflow (CVE CAN-2002-0649). Once a vulnerable computer is compromised, the worm will infect that target, randomly select a new target, and resend the exploit and propagation code to that host.
ISS X-Force team responsible for the discovery and naming of this worm are available to provide help at: https://gtoc.iss.net/issEn/delivery/gtoc/index.jsp
Impact: The Slammer is generating a damaging level of network traffic when it scans for targets that are vulnerable. Billions of attacks have been detected in the last 12 hours from ISS Global Threat Operations Center (GTOC).
Affect Versions: Microsoft SQL Server 2000 Microsoft Desktop Engine (MSDE) 2000 Note: Unpatched or base installations older than SP3 are vulnerable.
Description: The Slammer worm propagates via Microsoft SQL installations without patches from Microsoft Security Bulletin MS02-039 or higher. The main function of the Slammer worm is to continue propagation. No Denial of Service or backdoor functionality is incorporated into the worm. Infection can be removed with a reboot, however without protection in place, it is likely that vulnerable servers will be quickly re-infected.
The Slammer worm seeks to replicate itself and does not try to compromise servers or retain access to compromised hosts. The Slammer worm does not infect or modify files, it only exists in memory.
Warning: Anti-virus programs do not detect nor stop this worm.
Recommendations: The ISS Dynamic Threat Protection platform has protected ISS customers for this major vulnerability for 6 months.
Protection mechanisms have been available in RealSecure Network Sensor XPU 20.4 and XPU 5.3 and Internet Scanner XPU 6.15 (available as of 7/25/02).
ISS X-Force recommends that system administrators immediately take steps to protect their networks. To remove the infection, apply the necessary patches listed below and restart the server. This action will remove the worm from memory.
The following ISS updates address the issues described in this alert. These updates are available from the ISS Download center (http://www.iss.net/download)
Additionally ISS X-Force recommends blocking UDP port 1433 and 1434 traffic to protect SQL Server databases with a firewall or packet filter.
Microsoft SQL Server customers should refer to the following address for information and securing Microsoft SQL Server against this buffer overflow: http://www.microsoft.com/technet/security/bulletin/MS02-039.asp.
Additional Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the Name CAN-2002-0649 to this issue. This is a candidate for inclusion in the CVE list http://cve.mitre.org), which standardizes names for security problems.
Microsoft SQL Slammer Worm Propagation http://bvlive01.iss.net/issEn/deliver y/xforce/aler tdetail.jsp?oid=21824
ISS Advisor community feedback http://www.issadvisor.com
______ About Internet Security Systems (ISS) Founded in 1994, Internet Security Systems, Inc. (ISS) is a world leader in Dynamic Threat Protection software and services that protect critical information assets from an ever-changing spectrum of threats and misuse.Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East.
Internet Security System (ISS) was the first to discover and name a new worm it is tracking - "SQL Slammer" - that is rapidly spreading across the Internet via Microsoft SQL servers.
The worm is responsible for large amounts of Internet traffic as well as millions of UDP/IP probes causing the Internet and online service to be inaccessible.
Reports of major Internet Service Providers (ISPs), banking services and telecommunications worldwide have been affected
Severe latency in domain name service (DNS) causing Web sites to be completely unreachable
Other nations affected include South Korea's Internet infrastructure which has come to a stand still
This worm exploits MS/SQL servers vulnerable to the SQL Server Resolution service buffer overflow (CVE CAN-2002-0649). Once a vulnerable computer is compromised, the worm will infect that target, randomly select a new target, and resend the exploit and propagation code to that host.
ISS X-Force team responsible for the discovery and naming of this worm are available to provide help at: https://gtoc.iss.net/issEn/delivery/gtoc/index.jsp
Impact:
The Slammer is generating a damaging level of network traffic when it scans for targets that are vulnerable. Billions of attacks have been detected in the last 12 hours from ISS Global Threat Operations Center (GTOC).
Affect Versions:
Microsoft SQL Server 2000
Microsoft Desktop Engine (MSDE) 2000
Note: Unpatched or base installations older than SP3 are vulnerable.
Description:
The Slammer worm propagates via Microsoft SQL installations without patches from Microsoft Security Bulletin MS02-039 or higher. The main function of the Slammer worm is to continue propagation. No Denial of Service or backdoor functionality is incorporated into the worm. Infection can be removed with a reboot, however without protection in place, it is likely that vulnerable servers will be quickly re-infected.
The Slammer worm seeks to replicate itself and does not try to compromise servers or retain access to compromised hosts. The Slammer worm does not infect or modify files, it only exists in memory.
Warning: Anti-virus programs do not detect nor stop this worm.
Recommendations:
The ISS Dynamic Threat Protection platform has protected ISS customers for this major vulnerability for 6 months.
Protection mechanisms have been available in RealSecure Network Sensor XPU 20.4 and XPU 5.3 and Internet Scanner XPU 6.15 (available as of 7/25/02).
ISS X-Force recommends that system administrators immediately take steps to protect their networks. To remove the infection, apply the necessary patches listed below and restart the server. This action will remove the worm from memory.
The following ISS updates address the issues described in this alert.
These updates are available from the ISS Download center
(http://www.iss.net/download)
Additionally ISS X-Force recommends blocking UDP port 1433 and 1434 traffic to protect SQL Server databases with a firewall or packet filter.
Microsoft SQL Server customers should refer to the following address for
information and securing Microsoft SQL Server against this buffer
overflow: http://www.microsoft.com/technet/security/bulletin/MS02-039.asp.
Additional Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the Name CAN-2002-0649 to this issue. This is a candidate for inclusion in the CVE list http://cve.mitre.org), which standardizes names for security problems.
Additional Links:
ISS: Security Center: X-Force Threat Forecast
https://gtoc.iss.net/issEn/delivery/gtoc/index.jsp
Microsoft SQL Slammer Worm Propagation
http://bvlive01.iss.net/issEn/delivery/xforce/aler tdetail.jsp?oid=21824
ISS Advisor community feedback
http://www.issadvisor.com
______
About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems, Inc. (ISS) is a world leader in Dynamic Threat Protection software and services that protect critical information assets from an ever-changing spectrum of threats and misuse.Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East.
Slashdot Mirror
Internet Security System (ISS) was the first to discover and name a new worm it is tracking - "SQL Slammer" - that is rapidly spreading across the Internet via Microsoft SQL servers.
p
n /MS02-039.asp.
c /index.jsp
r y/xforce/aler tdetail.jsp?oid=21824
The worm is responsible for large amounts of Internet traffic as well as millions of UDP/IP probes causing the Internet and online service to be inaccessible.
Reports of major Internet Service Providers (ISPs), banking services and telecommunications worldwide have been affected
Severe latency in domain name service (DNS) causing Web sites to be completely unreachable
Other nations affected include South Korea's Internet infrastructure which has come to a stand still
This worm exploits MS/SQL servers vulnerable to the SQL Server Resolution service buffer overflow (CVE CAN-2002-0649). Once a vulnerable computer is compromised, the worm will infect that target, randomly select a new target, and resend the exploit and propagation code to that host.
ISS X-Force team responsible for the discovery and naming of this worm are available to provide help at: https://gtoc.iss.net/issEn/delivery/gtoc/index.js
Impact:
The Slammer is generating a damaging level of network traffic when it scans for targets that are vulnerable. Billions of attacks have been detected in the last 12 hours from ISS Global Threat Operations Center (GTOC).
Affect Versions:
Microsoft SQL Server 2000
Microsoft Desktop Engine (MSDE) 2000
Note: Unpatched or base installations older than SP3 are vulnerable.
Description:
The Slammer worm propagates via Microsoft SQL installations without patches from Microsoft Security Bulletin MS02-039 or higher. The main function of the Slammer worm is to continue propagation. No Denial of Service or backdoor functionality is incorporated into the worm. Infection can be removed with a reboot, however without protection in place, it is likely that vulnerable servers will be quickly re-infected.
The Slammer worm seeks to replicate itself and does not try to compromise servers or retain access to compromised hosts. The Slammer worm does not infect or modify files, it only exists in memory.
Warning: Anti-virus programs do not detect nor stop this worm.
Recommendations:
The ISS Dynamic Threat Protection platform has protected ISS customers for this major vulnerability for 6 months.
Protection mechanisms have been available in RealSecure Network Sensor XPU 20.4 and XPU 5.3 and Internet Scanner XPU 6.15 (available as of 7/25/02).
ISS X-Force recommends that system administrators immediately take steps to protect their networks. To remove the infection, apply the necessary patches listed below and restart the server. This action will remove the worm from memory.
The following ISS updates address the issues described in this alert.
These updates are available from the ISS Download center
(http://www.iss.net/download)
Additionally ISS X-Force recommends blocking UDP port 1433 and 1434 traffic to protect SQL Server databases with a firewall or packet filter.
Microsoft SQL Server customers should refer to the following address for
information and securing Microsoft SQL Server against this buffer
overflow: http://www.microsoft.com/technet/security/bulleti
Additional Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the Name CAN-2002-0649 to this issue. This is a candidate for inclusion in the CVE list http://cve.mitre.org), which standardizes names for security problems.
Additional Links:
ISS: Security Center: X-Force Threat Forecast
https://gtoc.iss.net/issEn/delivery/gto
Microsoft SQL Slammer Worm Propagation
http://bvlive01.iss.net/issEn/delive
ISS Advisor community feedback
http://www.issadvisor.com
______
About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems, Inc. (ISS) is a world leader in Dynamic Threat Protection software and services that protect critical information assets from an ever-changing spectrum of threats and misuse.Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East.
Internet Security System (ISS) was the first to discover and name a new worm it is tracking - "SQL Slammer" - that is rapidly spreading across the Internet via Microsoft SQL servers. The worm is responsible for large amounts of Internet traffic as well as millions of UDP/IP probes causing the Internet and online service to be inaccessible. Reports of major Internet Service Providers (ISPs), banking services and telecommunications worldwide have been affected Severe latency in domain name service (DNS) causing Web sites to be completely unreachable Other nations affected include South Korea's Internet infrastructure which has come to a stand still This worm exploits MS/SQL servers vulnerable to the SQL Server Resolution service buffer overflow (CVE CAN-2002-0649). Once a vulnerable computer is compromised, the worm will infect that target, randomly select a new target, and resend the exploit and propagation code to that host. ISS X-Force team responsible for the discovery and naming of this worm are available to provide help at: https://gtoc.iss.net/issEn/delivery/gtoc/index.jsp
Impact:
The Slammer is generating a damaging level of network traffic when it scans for targets that are vulnerable. Billions of attacks have been detected in the last 12 hours from ISS Global Threat Operations Center (GTOC).
Affect Versions:
Microsoft SQL Server 2000
Microsoft Desktop Engine (MSDE) 2000
Note: Unpatched or base installations older than SP3 are vulnerable.
Description:
The Slammer worm propagates via Microsoft SQL installations without patches from Microsoft Security Bulletin MS02-039 or higher. The main function of the Slammer worm is to continue propagation. No Denial of Service or backdoor functionality is incorporated into the worm. Infection can be removed with a reboot, however without protection in place, it is likely that vulnerable servers will be quickly re-infected.
The Slammer worm seeks to replicate itself and does not try to compromise servers or retain access to compromised hosts. The Slammer worm does not infect or modify files, it only exists in memory.
Warning: Anti-virus programs do not detect nor stop this worm.
Recommendations:
The ISS Dynamic Threat Protection platform has protected ISS customers for this major vulnerability for 6 months.
Protection mechanisms have been available in RealSecure Network Sensor XPU 20.4 and XPU 5.3 and Internet Scanner XPU 6.15 (available as of 7/25/02).
ISS X-Force recommends that system administrators immediately take steps to protect their networks. To remove the infection, apply the necessary patches listed below and restart the server. This action will remove the worm from memory.
The following ISS updates address the issues described in this alert.
These updates are available from the ISS Download center
(http://www.iss.net/download)
Additionally ISS X-Force recommends blocking UDP port 1433 and 1434 traffic to protect SQL Server databases with a firewall or packet filter.
Microsoft SQL Server customers should refer to the following address for
information and securing Microsoft SQL Server against this buffer
overflow: http://www.microsoft.com/technet/security/bulletin /MS02-039.asp.
Additional Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the Name CAN-2002-0649 to this issue. This is a candidate for inclusion in the CVE list http://cve.mitre.org), which standardizes names for security problems.
Additional Links:
ISS: Security Center: X-Force Threat Forecast
https://gtoc.iss.net/issEn/delivery/gtoc/index.jsp
Microsoft SQL Slammer Worm Propagation
http://bvlive01.iss.net/issEn/delivery/xforce/aler tdetail.jsp?oid=21824
ISS Advisor community feedback
http://www.issadvisor.com
______
About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems, Inc. (ISS) is a world leader in Dynamic Threat Protection software and services that protect critical information assets from an ever-changing spectrum of threats and misuse.Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East.