|
| |
| | CERT Advisory CA-2003-04 MS-SQL Server Worm |
 | | The worm targeting SQL Server computers is self-propagating malicious code that exploits the vulnerability described in |  | | The high volume of 1434/udp traffic generated by hosts infected with the worm trying to find and compromise other SQL Server computers may itself lead to performance issues (including possible denial-of-service conditions) for Internet-connected hosts or for those computers on networks with compromised hosts. |  | | This vulnerability allows for the execution of arbitrary code on the SQL Server computer due to a stack buffer overflow. |
|
http://www.cert.org/advisories/CA-2003-04.html
(880 words)
|
|
| |
| | SQL slammer worm : SQL Slammer |
 | | SQL Slammer was the first observed example of a "Warhol worm" -- a fast-propagating Internet infection of the sort first hypothesized in 2002 in a paper by Nicholas Weaver. |  | | The SQL slammer worm is a computer virus (technically, a "worm program") that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic, starting at 05:30 UTC on January 25, 2003. |  | | The worm was made possible by a software security vulnerability in SQL Server first reported by Microsoft on July 24, 2002. |
|
http://www.termsdefined.net/sq/sql-slammer.html
(581 words)
|
|
| |
| | Wired 11.07: Slammed! |
 | | Slammer's code is a set of instructions as simple as "Lather, rinse, repeat." The program itself is only 376 bytes, not much longer than this paragraph. |  | | The first thing the computer does after opening Slammer's too-long UDP "request" is overwrite its own stack with new instructions that Slammer has disguised as a routine query. |  | | The genius of Slammer is how it uses an attack on just one type of software as leverage for a general attack on the Web itself. |
|
http://www.wired.com/wired/archive/11.07/slammer.html
(1096 words)
|
|
| |
| | F-Secure Computer Virus Information Pages: Slammer |
 | | The worm code is 376 bytes in size which suggests that it was written and hand optimized using the Assembly language. |  | | Since the worm does not reach the disk on the infected computer it disappears when the server is restarted. |  | | Slammer uses GetTickCount() function from the Win32 API to initialize its random number generator. |
|
http://www.f-secure.com/v-descs/mssqlm.shtml
(968 words)
|
|
| |
| | SQL Slammer worm wreaks havoc on Internet - ZDNet UK News |
 | | SQL Slammer's code instructs the Microsoft SQL Server to go into an endless loop, continually sending out data to other computers, in effect performing a denial of service attack, F-Secure said, comparing the slowdown to the impact of the Code Red virus, which brought internet traffic to a halt in the summer of 2001. |  | | Unlike mass-mailing worms, SQL Slammer does not write files to a computer's hard disk, but resides in memory. |  | | The worm, known as SQL Slammer, takes advantage of a bug that was discovered last July in Microsoft's SQL Server database software. |
|
http://news.zdnet.co.uk/internet/security/0,39020375,2129330,00.htm
(1105 words)
|
|
| |
| | CNN.com - Computer worm grounds flights, blocks ATMs - Jan. 26, 2003 |
 | | Worms of this nature are often precursors to a different type of attack called "distributed denial of service." In that case, computers infected with a worm or other program are directed to send a flood of information to a specific Internet location and force it off-line. |  | | The "Slammer" did not appear to affect files stored on computers. |  | | Alan Paller of the SANS Institute, a training organization for technologists who try to protect computer systems and networks, said the SQL worm did not appear to be affecting files stored on computers. |
|
http://www.cnn.com/2003/TECH/internet/01/25/internet.attack
(888 words)
|
|
| |
| | W32/SQLSlammer.worm |
 | | Once the worm gets control on the target computer it loads WS2_32.DLL and starts to continually send itself to port 1434/udp of randomly selected IP targets in an infinite loop. The IP of a victim is constructed using 'GetTickCount' API and is purely random (no skew towards the local subnet, for example). |  | | When this task is executed, all computers that are running Microsoft SQL Server 2000 that do not have service pack 3 will be reported. |  | | The Sniffer can be used as a network scanner to detect and identify infected computers. |
|
http://vil.nai.com/vil/content/v_99992.htm
(805 words)
|
|
| |
| | Damage control CNET News.com |
 | | The SQL Slammer worm, at 376 bytes of computer code, is much smaller than either Code Red's estimated 4KB (4,096 bytes) or Nimda's 60KB (61,440 bytes). |  | | Database infector: While there has always existed the possibility to infect databases, Slammer is the first computer worm to infect SQL databases on such an extensive scale. |  | | Small size: The worm itself consisted of 376 bytes of assembly code and is entirely self-contained. |
|
http://news.com.com/2009-1001-983540.html
(1839 words)
|
|
| |
| | ATMs, ISPs hit by Slammer worm spread The Register |
 | | Since Slammer spreads on UDP port 1434, users are being urged to update firewall or router tables to block this traffic as a workaround, prior to putting patches in place. |  | | Although Slammer is not destructive to an infected host (like Code Red it only exists in memory), it generates a damaging level of network traffic when it scans for additional targets. |  | | The worm continuously sends 367 bytes of exploit and propagation code across port 1434/UDP until the SQL Server process is shut down. |
|
http://www.theregister.co.uk/2003/01/27/atms_isps_hit_by_slammer
(674 words)
|
|
| |
| | The Spread of the Sapphire/Slammer Worm |
 | | While the filtering may mitigate the overhead of the worm's continuing scan traffic, a more sophisticated worm might have stopped scanning once the entire susceptible population was infected, leaving itself dormant on over 75,000 machines to do harm at some future point. |  | | Both worms used the same basic strategy of scanning to find vulnerable machines and then transferring the exploitive payload; they differed in their scanning constraints. |  | | Had the worm's propagation lasted only 10 minutes, it would likely take hours or days of effort simply to identify the attack, and many compromised machines could never be identified. |
|
http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html
(3024 words)
|
|
| |
| | Slammer attack almost over after 10 minutes Tech News on ZDNet |
 | | Slammer's spread was two orders of magnitude faster than Code Red, which infected 359,000 computers in the summer of 2001, and doubled in size only about every 37 minutes, CAIDA said. |  | | Slammer infected fewer computers than Code Red, but significantly was limited by flaws in its design. |  | | Researchers have theorized about such worms for some time, and a paper presented at last year's Usenix Security Symposium by security experts Vern Paxson, Stuart Staniford, and Nicholas Weaver also predicted the emergence of a "flash worm", which could scan the entire Internet in a matter of seconds. |
|
http://zdnet.com.com/2100-1104-983108.html
(636 words)
|
|
| |
| | News: Special Reports |
 | | The security researcher whose published code was probably adopted by the author of the Slammer worm says publication is necessary to keep networks and computers secure. |  | | SQL Slammer spreads by scanning the Internet for vulnerable systems. |  | | A two-day-old computer worm that wreaked havoc on the Internet over the weekend appeared to slow to a crawl late on Monday, fizzling out as quickly as it emerged. |
|
http://zdnet.com.com/2251-1110-982181.html
(494 words)
|
|
| |
| | Witty worm frays patch-based security CNET News.com |
 | | Compared with the Microsoft SQL Slammer worm, which infected 70,000 to 100,000 computers, the Witty worm attacked a smaller population, according to CAIDA. |  | | The Witty worm first hit computers known to be vulnerable and emerged so quickly that most companies had no time to apply a patch, according to an analysis of the program. |  | | The worm also attacked computers that were specifically in place to protect against such threats. |
|
http://news.com.com/2100-7355_3-5180482.html?part=rss&tag=feed&subj=news
(1045 words)
|
|
| |
| | Internet Security Systems - |
 | | Once a vulnerable computer is compromised, the worm will infect that target, randomly select a new target, and resend the exploit and propagation code to that host. |  | | The main function of the Slammer worm is to continue propagation. |  | | The Slammer worm does not infect or modify files, it only exists in memory. |
|
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21824
(821 words)
|
|
| |
| | Symantec Security Response - W32.SQLExp.Worm |
 | | Because the worm resides in memory only and is not written to disk, the virus definitions do not detect this threat. |  | | Opens a socket on the infected computer and attempts to repeatedly send itself to UDP port 1434 on the IP addresses it has generated, by using an ephemeral source port. |
|
http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html
(1004 words)
|
|
| |
| | SQL Slammer: How it works--prevent it Tech News on ZDNet |
 | | The SQL worm itself is file-less and resides only in memory, much as Code Red. |  | | SQL Slammer exploits the way in which MS SQL servers process input on SQL Server Resolution Service port 1434. |  | | The aggressive scanning done by SQL Slammer overloaded many networks on January 25, 2003, slowing Internet traffic. |
|
http://news.zdnet.com/2100-1009_22-982226.html
(498 words)
|
|
| |
| | ISS X-Force Database: sql-slammer-worm(11153): SQL Slammer worm propagation |
 | | The main function of the Slammer worm is to continue propagation. |  | | The Slammer worm does not infect or modify files, it only exists in memory. |  | | This routine then continuously sends 376 bytes of exploit and propagation code across port 1434/UDP until the SQL Server process is shut down. |
|
http://xforce.iss.net/xforce/xfdb/11153
(698 words)
|
|
| |
| | Worm exposes apathy, Microsoft flaws Tech News on ZDNet |
 | | Given that the worm did little damage to the machines it infected--a reboot would rid any computer of the worm--some security experts saw the ultimate effect of the attack as a good thing. |  | | In the largest such incident since the Code Red and Nimda worms bored into servers in 2001, the Sapphire worm--also known as Slammer and SQLExp--infected more than 120,000 computers and caused chaos within many corporate networks. |  | | Because the worm exploited an old flaw, security experts directed only moderate criticism at Microsoft, choosing instead to focus on administrators who have failed to patch their software. |
|
http://zdnet.com.com/2100-1105-982135.html
(1200 words)
|
|
| |
| | Geek.com Geek News - "SQL Slammer" worm wreaks havoc worldwide |
 | | However, in MS's defence, SQL Server is covered by the buggy MS Baseline advisor software. |  | | SQL Server operates on 2 non-standard ports, so why are people even able to access the servers through Query Analyzer or Enterprise Manager? |  | | Of course, that program is buggy as all hell and gets many false positives when looking for uninstalled fixes, the admins can't say they had no way of knowing. |
|
http://www.geek.com/news/geeknews/2003Jan/gee20030127018346.htm
(3457 words)
|
|
| |
| | SAFE SQL Slammer Worm Attack Mitigation [SAFE Blueprint] - Cisco Systems |
 | | This particular worm does not appear to have a purpose beyond simply propagating itself; however, due to the nature of how it propagates it has caused significant problems for some service provider and enterprise networks. |  | | Setting up a sink-hole router will assist in determining which systems in your environment are infected when NIDS is not available. |  | | The sink-hole router advertises these networks locally (only), and any attempts at reaching them are then routed to the router. |
|
http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008033a40e.shtml
(3160 words)
|
|
| |
| | Microsoft TechNet: SQL Server 2000 - Downloads |
 | | Download these tools to scan instances of SQL Server 2000 and MSDE 2000, help detect instances vulnerable to the Slammer worm, and then apply updates to the affected files. |  | | Use this tool to scan your SQL Server systems and verify that common best practices have been implemented. |  | | Fix: Not All Memory is Available When AWE is Enabled on a Computer Running 32-bit Version of SQL Server 2000 SP4 (899761) |
|
http://www.microsoft.com/sql/downloads/2000/sp3.asp
(643 words)
|
|
| |
| | HNS - MS SQL Worm Roundup |
 | | Kaspersky Labs, an international data security software developer, is warning users against the new Internet-worm "Helkern" (also known as "Slammer") that infects servers running under the popular Web-enabled database Microsoft SQL Server 2000. |  | | Besides the analysis, the disassembled worm code is available here. |  | | The propagation of this worm has caused varied levels of network degradation across the Internet, in addition to the compromise of vulnerable machines |
|
http://www.net-security.org/article.php?id=369
(992 words)
|
|
| |
| | SQL Slammer Worm |
 | | Again, the "SQL Slammer" worm only directly affects computers that are running Microsoft SQL Server 2000, or in some cases Microsoft MSDE. |  | | Applications likely to be used on a BSU Computer system that also install Microsoft MSDE include: |  | | If you have already installed the MS02-061 update, please see below for important instructions about how to update your system. |
|
http://www.bsu.edu/security/article/0,1384,6927-1942-11208,00.html
(411 words)
|
|
| |
| | Computer or worm or MSFT — CNET News.com |
 | | Sign up for e-mail alerts by keyword Computer or worm or MSFT. |  | | Search General News for ‘Computer or worm or MSFT’ |  | | Dasher worm gallops onto the Net – December 16, 2005 |
|
http://news.search.com/search?q=Computer+or+worm+or+MSFT&message=expired
(265 words)
|
|
| |
| | Review of "SQL Slammer Worm" |
 | | Microsoft's (MS) SQL Server software is a software package that provides databases. |  | | It does no damage to the file system (in other words, it writes out no files, and therefore isn't considered a virus per se), and, after a reboot, the violated server can be considered clean (but not protected from future attacks). |  | | Unlike the TCP protocol, the UDP protocol requires no confirmation messages - when something is sent from one machine to another using UDP, the sending machine makes two assumptions: 1) Either the information was received; 2) or it's out of date and not needed any more. |
|
http://www.lib.usf.edu/pipermail/lib-talk/2003-January/000013.html
(711 words)
|
|
| |
| | Viruslist.com - Net-Worm.Win32.Slammer |
 | | The worm is memory only, and it spreads from an infected machine's memory to a victim machine's memory. |  | | As a result this worm is spreading 255 times faster than any other worm known at the moment. |  | | There are text strings visible in the worm code (a mix of worm code and data): |
|
http://www.viruslist.com/eng/viruslist.html?id=59159
(341 words)
|
|
| |
| | "Sapphire" - "SQL Slammer" Worm |
 | | But the attacking software was scanning for victim computers so randomly and so aggressively - sending out thousands of probes a second - that it saturated many Internet data pipelines. |  | | EST, sought out vulnerable computers on the Internet to infect using a known flaw in the database software from Microsoft Corp., SQL Server 2000. |  | | A Malicious worm (named "Sapphire" / "SQL Slammer" worm) was attacking Microsoft Windows Machines running SQL Server 2000 on all the major backbone providers. |
|
http://www.langerent.com/virus/sapphire.html
(190 words)
|
|
| |
| | Behind the Scenes of the SQL Slammer Worm Virus |
 | | The irony of the Slammer crisis is that the vulnerability that the Slammer exploited was first corrected almost 7 months earlier by Microsoft Security Bulletin MS02-039 (Buffer Overruns in SQL Server 2000 Resolution Service Could Enable Code Execution) and in the subsequent cumulative Microsoft Security Bulletin MS02-061 (Elevation of Privilege in SQL Server Web Tasks). |  | | You can get the Windows Update software by selecting Windows Update on the Tools menu in Microsoft Internet Explorer (IE), or you can go directly to the Windows Update site at http://windowsupdate.microsoft.com. |  | | And, why isn't every Microsoft product part of Windows Update? |
|
http://emea.windowsitpro.com/Windows/Article/ArticleID/38138/38138.html
(880 words)
|
|
| |
| | Slammer Worm: A Blow to Remote Storage? |
 | | This loss led consumers to question the long-term viability of storage services. |
|
http://www.eweek.com/article2/0,1759,1491513,00.asp
(998 words)
|
|
| |
| | dBforums - Sql Slammer Worm |
 | | Is such a worm possible out of ASE? |
|
http://dbforums.com/t669408.html
(147 words)
|
|
| |
| | WARNING: SQL 'SLAMMER' WORM VIRUS |
 | | There is a real risk that the virus will spread further and cause more delays on the internet when unpatched systems and computers are started up after the weekend. |  | | A good deal of software applications use MSDE. |  | | XS4ALL strongly advises anyone using SQL Server 2000 or Microsoft SQL Desktop Engine (MSDE2000) to make sure that the patch which Microsoft issued after the vulnerability was detected has been properly applied. |
|
http://www.xs4all.nl/uk/news/overview/slammer.html
(207 words)
|
|
| |
| | "SQL Slammer" Can Affect Other Microsoft Software |
 | | Besides the full-blown SQL Server software, Microsoft also sells a stripped-down database engine called the Microsoft Desktop Environment (MSDE) which contains the same buggy code. |  | | Widely published exploits demonstrate how an intruder -- perhaps operating from inside the firewall -- can use the same hole to open a "root shell" on a Microsoft server, giving him or her complete control of the machine. |  | | MSDE is included not only in many Microsoft products but in quite a few third-party offerings (including medical imaging software used by hospitals to catalog MRI and CAT scans), though it's not always turned on by default. |
|
http://www.extremetech.com/article2/0,3973,852194,00.asp
(721 words)
|
|
| |
| | UDP Port 1434 |
 | | Outbound scans if occurring in volume should be considered an indication of a possible worm infection on the source computer and should be investigated. |  | | Inbound scans are typically from systems infected with the SQL Slammer worm looking for vulnerable Microsoft SQL Servers or MSDE systems to infect. |  | | SQL Slammer has the distinction of being the fastest worm ever released on the internet and while we were perhaps the first to publish a notice concerning SQL Slammer by then it was too late as SQL Slammer had compromised most of its available victims world wide within 15 minutes. |
|
http://www.linklogger.com/UDP1434.htm
(127 words)
|
|
| |
| | Microsoft SQL Server: How to remove SQL Slammer Worm |
 | | I am running SQL Server 2000 on a Windows 2000 Server computer. |  | | If this is a development machine, you might want to try leaving the sa password blank, or use 'sa' as the password. |
|
http://www.experts-exchange.com/Q_20592631.html
(475 words)
|
|
| |
| | Network Security, Vulnerability Assessment, Intrusion Prevention |
 | | This new worm is more devastating as it is taking advantage of a software-specific flaw rather than a configuration error. |  | | Attackers leveraging this vulnerability will be executing their code as SYSTEM, since Microsoft SQL Server 2000 runs with SYSTEM privileges. |  | | We have provided brief information here as we are currently working to understand more of the worm's internal behavior. |
|
http://www.eeye.com/html/Research/Flash/AL20030125.html
(657 words)
|
|
| |
| | KLC Consulting |
 | | It is a MAC Address Modifying Utility for Windows 2000, XP and 2003 Server in all languages. |  | | SQL Slammer / Sapphire / SQL Hell / W32.SQLExp.Worm |  | | SQL Slammer sends UDP port 1434 packets to attack a SQL Server 2000 and MSDE 2000 software flaw. |
|
http://www.klcconsulting.net/sqlslammer.htm
(163 words)
|
|
| |
| | SAFE: SQL Slammer Worm Attack Mitigation from Cisco White Papers at Builder UK |
 | | And looks at the numerous technologies available that mitigate the detrimental effects of the worm. |  | | This white paper discusses the recently released SQL Slammer worms and their effects on the network and its hosts. |
|
http://uk.builder.com/whitepapers/0,39026692,60094128p-39000978q,00.htm
(67 words)
|
|
| |
| | AdminLife : SQL Slammer Worm on microsoft.public.security |
 | | I am running the Windows XP operating system and |  | | Slammer removal tools available from all major antivirus vendors (see |  | | remove the SQL driver from my operating system? |
|
http://www.adminlife.com/247reference/msgs/10/50782.aspx
(254 words)
|
|
| |
| | Interop White Papers: NetContinuum Offers Emergency Discount to Companies Affected by SQL Slammer Worm |
 | | The SQL Slammer Worm is the most widespread web attack since Code Red and demonstrates the need for next-generation security gateways that automatically block known and unknown web attacks. |
|
http://whitepapers.interop.com/detail/RES/1096565757_683.html
(93 words)
|
|
| |
| | [freetds] MS-SQL Slammer Worm |
 | | FreeTDS doesn't yet implement this feature, though it'd probably be worthwhile to. |  | | The suggestion by Microsoft was to install the security fix that has been out for six months. |  | | It happened to me running MS SQL 2000 on Windows XP Pro. |
|
http://lists.ibiblio.org/pipermail/freetds/2003q1/011069.html
(216 words)
|
|
| |
| | USATODAY.com - Microsoft to release key update to Windows Server |
 | | The SQL Slammer worm attacked this software in 2003, slowing global Internet traffic and caused disruption in flight traffic systems and even automated teller machines. |  | | Windows Server, which competes directly with Linux in the market for personal computer-based servers, acts as the operating system for SQL Server database software. |
|
http://www.usatoday.com/tech/news/computersecurity/hacking/2005-03-31-microsoft-security_x.htm
(273 words)
|
|
| |
| | SQL Slammer worm /// Internet Traffic Report |
 | | A worm designed to take advantage of a vulnerability in Microsoft SQL to gain control of the server affected a large percentage of the Internet. |  | | Several large Internet transit providers and end-user ISPs were completely shut down as a result, with effects varying from slow browsing to disabling ATM machines. |  | | Once the worm had infected a server it began scanning the network for more vulnerable systems, causing packet loss or completely saturating circuits in some instances. |
|
http://www.internettrafficreport.com/event/3.htm
(215 words)
|
|
| |
| | SQL Slammer worm : Worm.SQL.Slammer.A |
 | | After its code is executed it generates random IP numbers based on GetTickCount function and sends itself to those addresses using UDP port 1434. |  | | This is an Internet worm that spreads using a known vulnerability in MS SQL Server. |  | | For more information about this vulnerability go to: |
|
http://www.bullguard.com/antivirus/vit_sql-slammer_a.aspx
(140 words)
|
|
| |
| | SQL Slammer Worm - die.net |
 | | On Friday, January 24th, 2003, Cyberverse started seeing a new worm probing around from random hosts on the 'net: |  | | Within 2 hours, we already have evidence of attacking hosts or networks getting shut down faster than new ones were being found. |
|
http://www.die.net/musings/sql_slammer
(102 words)
|
|
| |
| | Applelinks: SQL Slammer Worm Hoax |
 | | A story we published the other day on the subject of an alleged radical Islamic group claiming responsibility for the recent SQL Slammer worm Internet slowdown was based on information now known to be a hoax! |  | | ComputerWorld writer Dan Verton was duped by one Brian McWilliams, an employee of Salon.com and Wired News, who basically fed the story to Verton by posing as a fictitious Pakistani informant. |  | | The Associated Press reports that the ComputerWorld story we referenced was bogus. |
|
http://www.applelinks.com/articles/2003/02/20030208000636.shtml
(497 words)
|
|
| |
| | Protecting RealSecure from the Microsoft SQL Slammer Worm |
 | | The following describes how to protect the RealSecure products that use SQL Server 2000 or MSDE 2000 (Microsoft Desktop Engine 2000) from the SQL Slammer Worm. |  | | Hitachi shall not be liable for any consequences arising out of or in connection with the security countermeasures or other actions that you will take or have taken (or not taken) by yourself. |  | | For details on how to apply the patch for SQL Server 2000 (including the patch for MSDE), search the ISS Knowledgebase and then see: |
|
http://www.hitachi-support.com/security_e/msde2000/realsecure/realsecure-e.shtml
(455 words)
|
|
| |
| | Microsoft SQL Server: Security |
 | | Learn more about key resources for helping to secure your database, discover best practices from security specialists, and gain insights about database vendor security claims from trusted industry experts. |  | | Read how SQL Server 2005 has improved security, privacy, reliability, and business integrity. |  | | Review the new and enhanced security features in SQL Server 2005. |
|
http://www.microsoft.com/sql/techinfo/administration/2000/security/slammer.asp
(146 words)
|
|
| |
| | SQL Slammer Worm - Whose Fault and How to Fix? |
 | | however PIX administration and SQL servers belong to others... |  | | Nah, I was too busy filling out TPS reports *1* |
|
http://www.ntcompatible.com/postprint120325.html
(205 words)
|
|
|