W32/SQLSlammer

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 01/25/03

    Date:         Sat, 25 Jan 2003 08:04:05 -0500
    From: Russ <Russ.Cooper@RC.ON.CA>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    I would like to revise my previous statement.

    W32/SQLSlammer, as it's being called now, does not act like SQL-Spida,
    and the mitigators to prevent SQL-Spida are not necessarily effective in
    preventing SQLSlammer.

    SQLSlammer is delivered entirely in the single connection, 367 bytes of
    attack code. It appears to be entirely memory resident, iows, it won't
    drop anything. It does not appear to take advantage of weak passwords or
    any stored procedures, it simply overflows the buffer and executes.
    Also, SQL-Spida attacked 1433, whereas this attacks UDP 1434.

    If this attack is also employing the SQL Ping bounce described by David
    Litchfield last July, then this could account for the amount of
    bandwidth being consumed by this. Look in the NTBugtraq archives for
    David's email.

    There is some discussion occurring that ISPs are blocking this traffic,
    so we should see recovery relatively quickly.

    So far there have been no reports of SQL 7 or lower being affected.

    More as it's available.

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
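
The port distinction drawn in the message above (UDP 1434 for SQLSlammer, 1433 for SQL-Spida) can be turned into a quick triage pass over flow records. This is an added example, not part of the original post: the log format, the sample records, the internal address range and the fan-out threshold are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: our address space
FANOUT_THRESHOLD = 3  # assumption: distinct UDP/1434 targets before flagging a source

# Constructed sample flow records (not real traffic): time proto src dst dst_port
SAMPLE_FLOWS = """\
08:01:02 UDP 10.0.0.5 192.0.2.10 1434
08:01:02 UDP 10.0.0.5 192.0.2.77 1434
08:01:02 UDP 10.0.0.5 198.51.100.3 1434
08:01:03 TCP 10.0.0.8 192.0.2.10 1433
08:01:03 UDP 10.0.0.9 192.0.2.53 53
08:01:04 UDP 203.0.113.4 10.0.0.20 1434
08:01:05 UDP 10.0.0.7 10.0.0.20 1434
malformed line
"""

def parse_flow(line):
    """Return (proto, src, dst, dport), or None for a line that does not parse."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _, proto, src, dst, dport = parts
    try:
        return proto.upper(), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
    except ValueError:
        return None

def triage(log_text, threshold=FANOUT_THRESHOLD):
    """Separate UDP/1434 traffic from TCP/1433 traffic and summarise both."""
    targets = defaultdict(set)  # source -> distinct UDP/1434 destinations
    exposed = set()             # internal hosts reached on UDP/1434 from outside
    tcp1433 = set()             # sources of TCP/1433 traffic, tracked separately
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        proto, src, dst, dport = flow
        if proto == "UDP" and dport == 1434:
            targets[src].add(dst)
            if dst in INTERNAL_NET and src not in INTERNAL_NET:
                exposed.add(str(dst))
        elif proto == "TCP" and dport == 1433:
            tcp1433.add(str(src))
    suspects = sorted(str(s) for s, d in targets.items() if len(d) >= threshold)
    return {"suspect_sources": suspects, "exposed_hosts": sorted(exposed),
            "tcp1433_sources": sorted(tcp1433)}
```

Hosts listed under `exposed_hosts` are the ones a perimeter block on UDP 1434 would shield; `suspect_sources` are candidates for isolation and a closer look.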
