National Infrastructure Protection Center
"Worm Targets SQL Vulnerability"
Advisory 03-001.1January 27, 2003
[Updates to NIPC Advisory 03-001.1 are in
advisory updates NIPC Advisory 03-001 regarding the
self-propagating malicious code that exploits multiple
vulnerabilities in the Resolution Service of Microsoft SQL Server 2000. This worm
activity appears to have
various levels of network degradation across the Internet. In addition to the
compromise of vulnerable machines; the
apparent effects of this fast-spreading, virus-like infection has overwhelmed
the world's digital pipelines and interfered
with Web browsing and delivery of e-mail.
"Slammer" continues to affect unpatched
systems and networks.
Properly patched home computers are
unlikely to be vulnerable to the worm. However, because of network
degradation, computers connected to the internet, may experience delays or "timeouts".
Some who attempted to patch their
systems after hearing about the worm were unable
to download the fix from
Microsoft because of a sudden spike in download demand and the worm's own network-clogging
suggested solution would be to attempt to patch downloads
during the times of less network / internet usage; late
night or early morning hours.
A service pack that included a fix
for the vulnerability that Slammer exploits was released
on January 17, 2003.
Service pack fix requires time to download and configure - up to two hours
depending on the size of a users SQL
worm only spreads as an in-memory process; it never
writes itself to the hard drive.
worm uses UDP port 1434 to exploit a buffer overflow
in MS SQL server. Close this port on your firewall
the introduction of the worm targeting the MS SQL vulnerability.
the worm does not infect any files, an infected machine
can be cleaned by simply rebooting the machine.
However, once re-connected to the network without applying SP2 or SP3 patches
for the MS SQL Server, the
machine will soon be re-infected.
patch information, see:
are many other applications that might unknowingly
install Microsoft SQL Server or MSDE 2000 on a users
computer. Examples of such
Microsoft Age of Mythology (yes, it's a game)
Microsoft Biztalk Server
Microsoft Office XP Developer Edition
Microsoft SharePoint Portal Server
Microsoft Visio 2000
Microsoft Visual FoxPro
Microsoft Visual Studio.NET
Microsoft .NET Framework SDK
Compaq Insight Manager
Crystal Reports Enterprise
HP Openview Internet Services Monitor
McAfee Centralized Virus Admin
McAfee Epolicy Orchestrator
Trend Micro Damage Cleanup Server
Veritas Backup Exec
WebBoard Conferencing Server
Starting around 01:30 GMT-0500 on Saturday, January 25, the Internet experienced
increased traffic from seemingly random
Internet Protocol (IP) source addresses to port 1434/udp targeting a service
provided by Microsoft SQL Server. The packets
appear to be of a small size (approximately 376 bytes). Reports indicate that
the impact of this activity is causing varied levels
of degradation in Internet connectivity. Early analysis suggests this is a
result of scanning from a worm.
The worm apparently
can easily fill the state table of stateful firewalls,
e.g. PIX, Check Point, and Netscreen. This will cause
an outage for the infected site, and the outage may occur long before the data
pipes are filled. This issue is also causing
problems to routers, both directly and indirectly. The worm generates some
addresses to be attacked, including multicast
addresses. This may cause problems for multicast-enabled routers and networks.
This worm causes high CPU usage on servers, essentially slowing or shutting
servers down. An infected host will spew
packets as quickly as the infinite loop will allow. While an additional malicious "payload" has
not yet been identified, this
vulnerability essentially exploits a buffer overflow which may allow remote
access to a victim's Microsoft SQL data base servers.
Block or filter port 1434/udp ingress (inbound) and egress (outbound) traffic.
Monitor watch port 1433 for any increased traffic load.
PREVIOUS SQL VULNERABILITY:
There have been previous SQL vulnerabilities. Last year, an SQL vulnerability
was discovered and patches provided (see NIPC
Advisory 02-003 "Microsoft SQL worm spider" May 22, 2002 at http://www.nipc.gov/warnings/warnings.htm).
server users are encouraged to review the following web site to ensure they
have taken appropriate action to fix that
will be provided as it becomes available. In the meantime,
you are encouraged to report any incidents to
the NIPC at http://www.nipc.gov/incident/cirr.htm.
Additional information is available at http://www.cert.org/advisories/CA-2003-04.html.
Recipients of this
advisory are encouraged to report computer crime to
federal, state, or local law enforcement and other
appropriate authorities. The NIPC Watch and Warning Unit can be reached at
(202) 323-3204/3205/3206 or email@example.com.