Targets SQL Vulnerability"
January 25, 2003
The following information should be disseminated immediately
to your Information Technology (IT) system managers.
The NIPC is aware of the propagation of an SQL worm.
This exploitation affects users of Microsoft SQL Server
2000, primarily "corporate-level" data base
users. This is not a home user issue unless they are
running this server.
Starting around 01:30 GMT-0500 on Saturday, January 25, the Internet experienced
increased traffic from seemingly random Internet Protocol (IP) source addresses
to port 1434/udp targeting a service provided by Microsoft SQL Server.
The packets appear to be of a small size (approximately 376 bytes). Reports
indicate that the impact of this activity is causing varied levels of degradation
in Internet connectivity. Early analysis suggests this is a result of scanning
from a worm.
The worm apparently can easily fill the state table of
stateful firewalls, e.g. PIX, Check Point, and Netscreen.
This will cause an outage for the infected site, and
the outage may occur long before the data pipes are
filled. This issue is also causing problems to routers,
both directly and indirectly. The worm generates some
addresses to be attacked, including multicast addresses.
This may cause problems for multicast-enabled routers.
This worm causes high CPU usage on servers, essentially slowing or shutting
servers down. An infected host will spew packets as quickly as the infinite
loop will allow. While an additional malicious "payload" has
not yet been identified, this vulnerability essentially exploits a buffer
overflow which may allow remote access to a victim's Microsoft SQL data
Block or filter port 1434/udp ingress (inbound) and egress (outbound) traffic.
Monitor port 1433 for any increased traffic load.
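
One way to find internal hosts showing the traffic pattern described above (many packets of roughly 376 bytes to 1434/udp, sent to many different destinations including multicast addresses) is to summarize flow records per source. This is an added example, not part of the original advisory; the flow record layout, the thresholds, the function names and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real traffic), one per line:
# src_ip dst_ip proto dst_port bytes
SAMPLE_FLOWS = """\
10.0.5.20 198.51.100.7 udp 1434 376
10.0.5.20 203.0.113.44 udp 1434 376
10.0.5.20 224.0.1.9 udp 1434 376
10.0.5.20 192.0.2.81 udp 1434 376
10.0.5.20 198.51.100.200 udp 1434 376
10.0.7.3 10.0.9.10 udp 1434 60
10.0.7.3 10.0.9.10 tcp 1433 512
10.0.8.8 192.0.2.53 udp 53 72
malformed record here
"""

def parse_flows(text):
    """Yield (src, dst, proto, dport, nbytes); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            rec = (ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1]),
                   parts[2].lower(), int(parts[3]), int(parts[4]))
        except ValueError:
            continue
        yield rec

def suspected_scanners(text, min_dsts=4, size=376, tolerance=40):
    """Return sources sending ~376-byte packets to 1434/udp on many distinct hosts.

    min_dsts and tolerance are assumed thresholds; collectors differ on whether
    they report payload or on-wire size, so the size match is approximate.
    """
    stats = defaultdict(lambda: {"dsts": set(), "multicast": 0})
    for src, dst, proto, dport, nbytes in parse_flows(text):
        if proto != "udp" or dport != 1434:
            continue
        if abs(nbytes - size) > tolerance:
            continue  # e.g. small legitimate requests to the same port
        entry = stats[str(src)]
        entry["dsts"].add(dst)
        entry["multicast"] += int(dst.is_multicast)
    return {src: {"distinct_dsts": len(e["dsts"]), "multicast_pkts": e["multicast"]}
            for src, e in stats.items() if len(e["dsts"]) >= min_dsts}
```

Sources returned by `suspected_scanners` are candidates for isolation while the 1434/udp ingress and egress filters are put in place.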
There have been previous SQL vulnerabilities. Last year, an SQL vulnerability
was discovered and patches provided (see NIPC Advisory 02-003 "Microsoft
SQL worm spider" May 22, 2002 at http://www.nipc.gov/warnings/warnings.htm).
Microsoft SQL server users are encouraged to review the following web site
to ensure they have taken appropriate action to fix that vulnerability.
Additional information will be provided as it becomes available.
In the meantime, you are encouraged to report any incidents
to the NIPC at http://www.nipc.gov/incident/cirr.htm.
Additional information is available at http://www.cert.org/advisories/CA-2003-04.html.
Recipients of this advisory are encouraged to report computer
crime to federal, state, or local law enforcement and
other appropriate authorities. The NIPC Watch and Warning
Unit can be reached at (202) 323-3204/3205/3206 or email@example.com.