[Full-Disclosure] RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

From: jmcguire@sbcs.com
Date: 01/26/03

    To: "Richard M. Smith" <rms@computerbytesman.com>
    From: jmcguire@sbcs.com
    Date: Sun, 26 Jan 2003 10:36:56 -0500
    

    I find this ATM outage curious. A couple of jobs ago, BofA was a customer
    of mine using our ATM monitoring software. At that time, 6 years ago to be
    sure, ATMs were on leased lines or satellite connections to the banks'
    central processing systems.

    In the ensuing time, have banks begun using inexpensive broadband Internet
    connections to communicate with these remote devices? If this is the case,
    this worm could take the machines off-line through the DDOS effect.

    Do they use SQL server on Intel on the backend now? This would be quite
    different from the Tandem, AS400, Unisys minis used at that time. This
    could have caused outages due to filtering at routers to block the worm,
    but implies that the data connections between the ATMs and the database
    aren't encrypted. I can't believe that to be the case.

    Having an understanding of how these links worked relatively recently and a
    concern for security in financial institutions, I have to ask how this worm
    had the effect of downing BofA's ATM network.

    __________________________________________
    JOHN MCGUIRE CISSP, MCSE2k, MCSE+I
    Network Security Specialist
    888.529.0401
    jmcguire@sbcs.com
    Strictly Business
    www.sbcs.com

    "Richard M. Smith" <rms@computerbytesman.com>
    01/25/2003 06:11 PM
    To: <jasonc@science.org>, "'Jay D. Dyson'" <jdyson@treachery.net>, "'Bugtraq'" <bugtraq@securityfocus.com>, "'Full-Disclosure'" <full-disclosure@lists.netsys.com>
    cc:
    Subject: RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!


    However, this worm might not be so harmless as it appears because of
    collateral damage:

       Bank of America ATMs Disrupted by Virus

    http://story.news.yahoo.com/news?tmpl=story&ncid=578&e=3&cid=569&u=/nm/20030125/tc_nm/tech_virus_dc

       "SEATTLE (Reuters) - Bank of America Corp. said on
       Saturday that customers at a majority of its 13,000
       automatic teller machines were unable to process
       customer transactions after a malicious computer worm
       nearly froze Internet traffic worldwide."

    Richard M. Smith
    http://www.ComputerBytesMan.com

    -----Original Message-----
    From: Jason Coombs [mailto:jasonc@science.org]
    Sent: Saturday, January 25, 2003 4:41 PM
    To: Jay D. Dyson; Bugtraq
    Subject: RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

    Jay Dyson wrote:
    > And to think...up until tonight, I thought the vulnerabilities
    > that paved the way for Nimda were the worst that Microsoft could do
    > to the net.community. They've really topped themselves this time.

    As of now we don't know who wrote the worm, but we do know that it looks
    like a concept worm with no malicious payload. There is a good argument to
    be made in favor of such worms. Whoever did write this worm could have done
    severe damage beyond unfocused DDoS and chose not to do so. One would expect
    intelligence agencies in developed countries to write and release precisely
    this type of concept worm as a form of mass inoculation against malicious
    attacks.

    Before you get upset at your vendor, or anyone else's, consider the bigger
    picture and recognize the increased security hardening the Internet just
    received. Belief in this silver lining shouldn't be taken too far, of
    course, but flaming anyone over an event like this is misplaced considering
    the number of infosec experts who would probably have agreed to write this
    worm if approached by their nations' government with proof that an adversary
    was planning to cause severe harm by exploiting the W32/SQLSlammer
    vulnerability.

    Sincerely,

    Jason Coombs
    jasonc@science.org

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
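The thread's actionable advice is "block port 1434" and McGuire's point that the worm hurts through its DDoS effect rather than any payload. The script below is an added example, not code from any of the posters: it shows what a network-side filter for this traffic looks like, flagging UDP datagrams to 1434 whose SSRP request (type byte 0x04) is far larger than an instance-name lookup needs, and separately reporting sources that spray many distinct destinations on 1434, which is the scanning behaviour that produced the outage. The packets it inspects are constructed inline (the 376-byte filler stands in for the worm's bytes and is not the real payload), and the 40-byte "legitimate request" cutoff is an assumption chosen for illustration.

```python
"""Heuristic detector for SQL Slammer-style traffic on UDP/1434.

Added example for the thread above; not from the original posts.  It works on
a constructed list of (src, dst, dport, payload) tuples so it runs offline; on
a real network you would feed it decoded UDP datagrams from a capture tool.
"""
import random
from collections import defaultdict

SQL_RESOLUTION_PORT = 1434       # SQL Server Resolution Service (SSRP)
SSRP_CLNT_UCAST_INST = 0x04      # SSRP "which port is instance X on?" request
SLAMMER_PAYLOAD_LEN = 376        # UDP payload length of the single worm datagram
MAX_LEGIT_INSTANCE_REQ = 40      # assumption: instance names are short, so anything
                                 # much longer than this is an overflow attempt


def is_slammer_like(dport: int, payload: bytes) -> bool:
    """True for a datagram to 1434 that looks like the overflow trigger:
    SSRP type 0x04 followed by far more data than an instance name needs."""
    if dport != SQL_RESOLUTION_PORT or not payload:
        return False
    if payload[0] != SSRP_CLNT_UCAST_INST:
        return False
    return len(payload) > MAX_LEGIT_INSTANCE_REQ


def spraying_sources(packets, fanout_threshold=20):
    """Infected hosts send to random addresses at line rate.  Report every
    source that has hit at least fanout_threshold distinct destinations on 1434,
    which is the DDoS-by-scanning behaviour rather than the exploit itself."""
    dsts = defaultdict(set)
    for src, dst, dport, _payload in packets:
        if dport == SQL_RESOLUTION_PORT:
            dsts[src].add(dst)
    return {src for src, seen in dsts.items() if len(seen) >= fanout_threshold}


def analyze(packets, fanout_threshold=20):
    """Return (datagrams that look like the overflow, sources that are spraying)."""
    flagged = [p for p in packets if is_slammer_like(p[2], p[3])]
    return flagged, spraying_sources(packets, fanout_threshold)


def build_sample_packets():
    """Constructed sample traffic (not a real capture)."""
    rng = random.Random(1434)  # fixed seed so the run is reproducible
    packets = [
        # a legitimate SSRP lookup for a (made-up) instance named SALESDB
        ("10.0.0.5", "10.0.1.10", SQL_RESOLUTION_PORT, b"\x04SALESDB\x00"),
        # unrelated DNS query, must not be touched by a 1434 filter
        ("10.0.0.5", "10.0.0.53", 53, b"\x12\x34\x01\x00"),
    ]
    # one infected host spraying 25 random destinations with the oversized request;
    # the 0x01 filler is a stand-in, not the worm's actual bytes
    infected = "10.0.2.77"
    worm = bytes([SSRP_CLNT_UCAST_INST]) + b"\x01" * (SLAMMER_PAYLOAD_LEN - 1)
    for _ in range(25):
        dst = "%d.%d.%d.%d" % tuple(rng.randrange(1, 224) for _ in range(4))
        packets.append((infected, dst, SQL_RESOLUTION_PORT, worm))
    return packets


if __name__ == "__main__":
    flagged, sprayers = analyze(build_sample_packets())
    print(f"{len(flagged)} overflow-sized datagrams to udp/{SQL_RESOLUTION_PORT}")
    for src in sorted(sprayers):
        print("block/quarantine", src)
```

Note that the length check is what makes the filter usable where SQL Server's resolution service is legitimately needed on the inside: a blanket drop of UDP/1434 at the border is the right first move, but it also breaks named-instance discovery, which is presumably the filtering side effect McGuire suspects behind the ATM outage.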


