Advisory
03-001.1
National Infrastructure Protection Center
"Worm Targets SQL Vulnerability"
Advisory 03-001.1, January 27, 2003
[Updates to NIPC Advisory 03-001.1 are in bold]
Summary:
This advisory updates NIPC Advisory 03-001 regarding the self-propagating malicious code, known as "Slammer", that exploits a buffer overflow vulnerability in the Resolution Service of Microsoft SQL Server 2000 (one of the vulnerabilities in that service addressed by Microsoft Security Bulletin MS02-039). This worm activity has caused varying levels of network degradation across the Internet. In addition to compromising vulnerable machines, the scanning traffic of this fast-spreading, virus-like infection has overwhelmed Internet links and interfered with Web browsing and the delivery of e-mail.
Update:
"Slammer" continues to affect unpatched systems and networks.
Home computers are vulnerable only if they run SQL Server 2000 or MSDE 2000 (see the list of applications below that install MSDE without announcing it) and have not been patched. However, because of the network degradation, any computer connected to the Internet may experience delays or "timeouts".
Some who attempted to patch their systems after hearing about the worm were unable to download the fix from Microsoft because of a sudden spike in download demand combined with the worm's own network-clogging traffic. A suggested workaround is to attempt the download during periods of lower network and Internet usage, such as late night or early morning hours.
A service pack (SQL Server 2000 Service Pack 3) that includes a fix for the vulnerability that Slammer exploits was released on January 17, 2003. Applying the service pack requires time to download and configure, up to two hours depending on the size of the user's SQL databases.
The worm exists only as an in-memory process; it never writes itself to the hard drive.
The worm sends its exploit to UDP port 1434, where it triggers a buffer overflow in the SQL Server 2000 Resolution Service. Block this port at your firewall to halt the worm's entry into your network.
Because the worm does not infect any files, an infected machine can be cleaned simply by rebooting it. However, once the machine is reconnected to the network without the MS02-039 or MS02-061 patch for SQL Server 2000 SP2, or Service Pack 3 (which includes the fix), it will soon be re-infected.
For patch information, see:
http://www.microsoft.com/security/slammer.asp
http://www.microsoft.com/technet/security/bulletin/MS02-061.asp
http://www.microsoft.com/technet/security/bulletin/MS02-039.asp
There are many other applications that install Microsoft SQL Server or MSDE 2000 on a user's computer without the user necessarily being aware of it, so a machine can be vulnerable even though SQL Server was never installed deliberately. Examples of such software are:
Microsoft Age of Mythology (yes, it's a game)
Microsoft Biztalk Server
Microsoft Office XP Developer Edition
Microsoft Project
Microsoft SharePoint Portal Server
Microsoft Visio 2000
Microsoft Visual FoxPro
Microsoft Visual Studio.NET
Microsoft .NET Framework SDK
Compaq Insight Manager
Crystal Reports Enterprise
Dell OpenManage
HP Openview Internet Services Monitor
McAfee Centralized Virus Admin
McAfee Epolicy Orchestrator
Trend Micro Damage Cleanup Server
Websense Reporter
Veritas Backup Exec
WebBoard Conferencing Server
etc.
Additional information:
http://www.microsoft.com/technet/security/virus/alerts/slammer.asp
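Because MSDE 2000 can arrive silently with the products listed above, the inventory question "which hosts on my network run a SQL Server 2000 Resolution Service, and at what build?" is best answered from the network side. The following Python script is an added example written for this page, not code from the advisory, NIPC or Microsoft. It uses the documented SQL Server Resolution Protocol (Microsoft's MC-SQLR specification): a single 0x03 byte sent to UDP port 1434 asks a host to list its instances, and the reply begins with a 0x05 byte, a little-endian 16-bit length, and ';'-separated key/value pairs. The host names and the sample reply bytes are constructed; the SP3 build number 8.00.760 is Microsoft's, and the "needs patch" threshold logic is the example's own.

```python
"""Inventory SQL Server 2000 / MSDE 2000 instances via the Resolution Service.

Added example for this advisory, not Microsoft's or NIPC's code. Protocol
details follow Microsoft's MC-SQLR specification; host names and the sample
reply below are constructed.
"""
import socket

SSRP_PORT = 1434
CLNT_UCAST_EX = b"\x03"   # "tell me about every instance on this host"
SVR_RESP = 0x05           # first byte of a Resolution Service reply
SP3_BUILD = (8, 0, 760)   # SQL Server 2000 SP3, which contains the fix

# Constructed reply: two instances on one host, one at RTM build, one at SP3.
_BODY = (b"ServerName;SQL1;InstanceName;MSSQLSERVER;IsClustered;No;"
         b"Version;8.00.194;tcp;1433;;"
         b"ServerName;SQL1;InstanceName;MSDE;IsClustered;No;"
         b"Version;8.00.760;np;\\\\SQL1\\pipe\\MSSQL$MSDE\\sql\\query;;")
SAMPLE_RESP = bytes([SVR_RESP]) + len(_BODY).to_bytes(2, "little") + _BODY


def parse_svr_resp(data):
    """Parse one SVR_RESP datagram into a list of per-instance dicts."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not a SQL Server Resolution Service response")
    length = int.from_bytes(data[1:3], "little")
    body = data[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for chunk in body.split(";;"):          # ";;" terminates each instance
        fields = chunk.split(";")
        if len(fields) < 2:
            continue
        inst = dict(zip(fields[0::2], fields[1::2]))   # key;value;key;value
        if "InstanceName" in inst:
            instances.append(inst)
    return instances


def needs_slammer_patch(version):
    """True if a SQL Server 2000 build is older than SP3, False if at SP3 or
    not SQL Server 2000 at all, None if the version string is unparseable.
    SP2 hosts carrying the MS02-039/MS02-061 hotfix report a build below 760
    yet are fixed; confirm those by hand rather than trusting this check."""
    try:
        parts = tuple(int(p) for p in version.split("."))
    except ValueError:
        return None
    if parts[:2] != SP3_BUILD[:2]:
        return False
    return parts < SP3_BUILD


def audit_response(data):
    """Return (instance name, version, needs_patch) for each instance in a reply."""
    return [(i.get("InstanceName", "?"), i.get("Version", "?"),
             needs_slammer_patch(i.get("Version", "")))
            for i in parse_svr_resp(data)]


def probe(host, timeout=2.0):
    """Send CLNT_UCAST_EX to a host and audit its reply. Returns [] on silence,
    which also happens when 1434/udp is filtered, so run this from inside
    any filter you have put in place."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return []
    return audit_response(data)


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        for name, ver, needs in probe(host):
            print(f"{host}\t{name}\t{ver}\t{'PATCH NEEDED' if needs else 'ok/verify'}")
    # Offline demonstration on the constructed reply:
    print(audit_response(SAMPLE_RESP))
```

Run it with the hosts or subnet members to check as arguments. A host that answers with a build below 8.00.760 and no hotfix is exactly what the worm is looking for; a host that does not answer is either clean of SQL Server, already filtered at 1434/udp, or too overloaded to reply, and the difference has to be settled on the machine itself.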
BACKGROUND:
Starting around 01:30 GMT-0500 on Saturday, January 25, 2003, the Internet experienced increased traffic from seemingly random Internet Protocol (IP) source addresses to port 1434/udp, the port of the Resolution Service provided by Microsoft SQL Server 2000. The packets are small (approximately 376 bytes). Reports indicate that this activity is causing varied levels of degradation in Internet connectivity. Early analysis indicates that the traffic is scanning by a worm.
The worm can easily fill the state table of stateful firewalls, e.g. PIX, Check Point, and NetScreen, because each datagram sent to a new destination creates a new state entry. This will cause an outage for the infected site, and the outage may occur long before the data pipes are filled. The worm is also causing problems for routers, both directly and indirectly. Among the addresses it generates to attack are multicast addresses, which may cause problems for multicast-enabled routers and networks.
RESULTS:
This worm causes high CPU usage on infected servers, essentially slowing or shutting them down. An infected host spews packets as quickly as its infinite scanning loop allows. While no additional malicious "payload" has been identified, the buffer overflow the worm exploits gives remote code execution in the context of the SQL Server service and so may allow remote access to a victim's Microsoft SQL database servers.
IMMEDIATE REMEDIATION:
Block or filter port 1434/udp ingress (inbound) and egress (outbound) traffic; egress filtering stops an infected internal host from scanning the Internet even before it has been found.
Monitor TCP port 1433 (the SQL Server data port) for any increased traffic load.
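A network-side check for the pattern described under BACKGROUND and RESULTS, as an added example written for this page and not part of the NIPC advisory. It reads a simplified, constructed flow log (timestamp, source, destination, protocol, destination port, bytes; the format is this example's own, so adapt the parser to your collector's output) and flags sources that spray datagrams matching the advisory's description, UDP to port 1434 at roughly 376 bytes, at many distinct destinations. Multicast targets are listed separately because the advisory notes the worm generates those as well. The 360 to 400 byte window and the five-destination threshold are the example's assumptions.

```python
"""Flag Slammer-style scanning sources in a packet or flow log.

Added example for this advisory, not NIPC's code. Signature criteria come from
the advisory text: UDP, destination port 1434, datagrams of about 376 bytes,
one source spraying seemingly random destinations including multicast ranges.
The log records below are constructed, not a real capture.
"""
import ipaddress
from collections import defaultdict

SLAMMER_DPORT = 1434
MIN_LEN, MAX_LEN = 360, 400   # advisory says "approximately 376 bytes"; assumed slack

# Constructed sample: time src dst proto dport bytes
SAMPLE_LOG = """\
2003-01-25T01:30:01 192.0.2.10 198.51.100.7 udp 1434 376
2003-01-25T01:30:01 192.0.2.10 203.0.113.99 udp 1434 376
2003-01-25T01:30:01 192.0.2.10 224.0.0.1 udp 1434 376
2003-01-25T01:30:01 192.0.2.10 10.44.3.17 udp 1434 376
2003-01-25T01:30:02 192.0.2.10 239.7.7.7 udp 1434 376
2003-01-25T01:30:02 192.0.2.10 172.16.9.200 udp 1434 376
2003-01-25T01:30:02 192.0.2.55 192.0.2.20 udp 1434 43
2003-01-25T01:30:02 192.0.2.55 192.0.2.20 tcp 1433 1500
2003-01-25T01:30:03 192.0.2.56 192.0.2.1 udp 53 71
2003-01-25T01:30:03 192.0.2.57 198.51.100.7 udp 1434 376
"""


def parse_line(line):
    """Parse one constructed record into a dict; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, proto, dport, length = parts
    try:
        return {"ts": ts, "src": src, "dst": dst, "proto": proto.lower(),
                "dport": int(dport), "len": int(length)}
    except ValueError:
        return None


def is_slammer_packet(rec):
    """Advisory signature: UDP to port 1434 at roughly 376 bytes. A legitimate
    Resolution Service query carries only a few bytes of payload, so a
    datagram this size to this port is already unusual on its own."""
    return (rec["proto"] == "udp"
            and rec["dport"] == SLAMMER_DPORT
            and MIN_LEN <= rec["len"] <= MAX_LEN)


def find_spraying_sources(log_text, min_distinct_dsts=5):
    """Return {src: summary} for sources sending matching datagrams to at least
    min_distinct_dsts different destinations. Multicast destinations are
    reported separately since the advisory notes the worm targets them too."""
    per_src = defaultdict(lambda: {"packets": 0, "dsts": set(), "mcast": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_slammer_packet(rec):
            continue
        s = per_src[rec["src"]]
        s["packets"] += 1
        s["dsts"].add(rec["dst"])
        if ipaddress.ip_address(rec["dst"]).is_multicast:
            s["mcast"].add(rec["dst"])
    flagged = {}
    for src, s in per_src.items():
        if len(s["dsts"]) >= min_distinct_dsts:
            flagged[src] = {"packets": s["packets"],
                            "distinct_dsts": len(s["dsts"]),
                            "multicast_dsts": sorted(s["mcast"])}
    return flagged


if __name__ == "__main__":
    for src, info in find_spraying_sources(SAMPLE_LOG).items():
        print(f"{src}: {info['packets']} datagrams to {info['distinct_dsts']} hosts; "
              f"multicast targets: {info['multicast_dsts'] or 'none'}; "
              f"block {src} at the perimeter, then reboot and patch it")
```

Lowering min_distinct_dsts to 1 turns the check into "any 376-byte datagram to 1434/udp", which catches a freshly infected host after its first packet but also any other large probe to that port; the default threshold trades that sensitivity for fewer false alarms on a busy link.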
PREVIOUS SQL VULNERABILITY:
There have been previous SQL Server vulnerabilities. Last year, an SQL Server vulnerability was discovered and patches provided (see NIPC Advisory 02-003, "Microsoft SQL worm spider", May 22, 2002, at http://www.nipc.gov/warnings/warnings.htm). Microsoft SQL Server users are encouraged to review the following web site to ensure they have taken appropriate action to fix that vulnerability:
http://www.microsoft.com/Downloads/details.aspx?displaylang=en&FamilyID=DCFDCBE9-B4EB-4446-9BE7-2DE45CFA6A89
Further information will be provided as it becomes available. In the meantime, you are encouraged to report any incidents to the NIPC at http://www.nipc.gov/incident/cirr.htm.
Additional information is available at http://www.cert.org/advisories/CA-2003-04.html.
Recipients of this advisory are encouraged to report computer crime to federal, state, or local law enforcement and other appropriate authorities. The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch@fbi.gov.