IWS - The Information Warfare Site
News Watch Make a  donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled

NIPC Seal National Infrastructure Protection Center
NIPC Seal CyberNotes

Advisory 03-001

"Worm Targets SQL Vulnerability"
January 25, 2003

The following information should be disseminated immediately to your Information Technology (IT) system managers. The NIPC is aware of the propagation of an SQL worm. This exploitation affects users of Microsoft SQL Server 2000, primarily "corporate-level" data base users. This is not a home user issue unless they are running this server.

BACKGROUND:
Starting around 01:30 GMT-0500 on Saturday, January 25, the Internet experienced increased traffic from seemingly random Internet Protocol (IP) source addresses to port 1434/udp targeting a service provided by Microsoft SQL Server. The packets appear to be of a small size (approximately 376 bytes). Reports indicate that the impact of this activity is causing varied levels of degradation in Internet connectivity. Early analysis suggests this is a result of scanning from a worm.

The worm apparently can easily fill the state table of stateful firewalls, e.g. PIX, Check Point, and Netscreen. This will cause an outage for the infected site, and the outage may occur long before the data pipes are filled. This issue is also causing problems to routers, both directly and indirectly. The worm generates some addresses to be attacked, including multicast addresses. This may cause problems for multicast-enabled routers and networks.

RESULTS:
This worm causes high CPU usage on servers, essentially slowing or shutting servers down. An infected host will spew packets as quickly as the infinite loop will allow. While an additional malicious "payload" has not yet been identified, this vulnerability essentially exploits a buffer overflow which may allow remote access to a victim's Microsoft SQL data base servers.

IMMEDIATE REMEDIATION:
Block or filter port 1434/udp ingress (inbound) and egress (outbound) traffic.
Monitor watch port 1433 for any increased traffic load.

PREVIOUS SQL VULNERABILITY:
There have been previous SQL vulnerabilities. Last year, an SQL vulnerability was discovered and patches provided (see NIPC Advisory 02-003 "Microsoft SQL worm spider" May 22, 2002 at http://www.nipc.gov/warnings/warnings.htm). Microsoft SQL server users are encouraged to review the following web site to ensure they have taken appropriate action to fix that vulnerability.

http://www.microsoft.com/Downloads/details.aspx?displaylang=en&FamilyID=DCFDCBE9-B4EB-4446-9BE7-2DE45CFA6A89

Further information will be provided as it becomes available. In the meantime, you are encouraged to report any incidents to the NIPC at http://www.nipc.gov/incident/cirr.htm. Additional information is available at http://www.cert.org/advisories/CA-2003-04.html.

Recipients of this advisory are encouraged to report computer crime to federal, state, or local law enforcement and other appropriate authorities. The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch@fbi.gov.