RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

From: trent dilkie (trent@dilkie.com)
Date: 01/25/03

    From: "trent dilkie" <trent@dilkie.com>
    To: <bugtraq@securityfocus.com>
    Date: Sat, 25 Jan 2003 13:56:36 -0500
    
    

    Can anybody confirm that this worm is spreading on the Desktop Engine too?
    (MSDE)

    Thanks,
       Trent.

    -----Original Message-----
    From: H D Moore [mailto:sflist@digitaloffense.net]
    Sent: Saturday, January 25, 2003 6:49 AM
    To: bugtraq@securityfocus.com
    Subject: Re: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

    A worm which exploits a (new?) vulnerability in SQL Server is bringing the
    core routers to a grinding halt. The speed of the propagation can be
    attributed to the attack method and simplicity of the code. The worm sends
    a 376-byte UDP packet to port 1434 of each random target; each vulnerable
    system will immediately start propagating itself. Since UDP is
    connection-less, the worm is able to spread much more quickly than those
    using your standard TCP-based attack vectors (no connect timeouts).

    Some random screen shots, a copy of the worm as a perl script, and a
    disassembly (sorry, no comments) can be found online at:

    http://www.digitaloffense.net/worms/mssql_udp_worm/

    -HD

    On Saturday 25 January 2003 01:11, Michael Bacarella wrote:
    > I'm getting massive packet loss to various points on the globe. I am
    > seeing a lot of these in my tcpdump output on each host.
    >
    > 02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
    > 02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212
    > udp port ms-sql-m unreachable [tos 0xc0
    >
    > It looks like there's a worm affecting MS SQL Server which is
    > pingflooding addresses at some random sequence.
    >
    > All admins with access to routers should block port 1434 (ms-sql-m)!
    >
    > Everyone running MS SQL Server shut it the hell down or make sure it
    > can't access the internet proper!
    >
    > I make no guarantees that this information is correct, test it out for
    > yourself!

    -------------------------------------------------------
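The traffic signature reported in this thread (376-byte UDP datagrams to port 1434, which tcpdump prints as ms-sql-m) can be used to triage a capture for infected senders. The script below is an added example, not part of the original messages: the function name, the fan-out threshold and the sample lines (documentation address ranges) are assumptions, and it also accepts the newer tcpdump line layout in addition to the one quoted above.

```python
import re
from collections import defaultdict

# Old tcpdump layout quoted in the thread ("src.port > dst.port: udp 376")
# and the newer one ("IP src.port > dst.port: UDP, length 376").
LINE_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+\s+(?:IP\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>[\w-]+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[\w-]+):\s+"
    r"(?:udp|UDP, length)\s+(?P<len>\d+)"
)
MSSQL_MONITOR_PORTS = {"1434", "ms-sql-m"}  # numeric or resolved service name
WORM_PAYLOAD_LEN = 376                      # datagram size reported in the thread
FANOUT_THRESHOLD = 3                        # assumption: tune to the capture window


def suspect_sources(lines, threshold=FANOUT_THRESHOLD):
    """Map each source IP to the sorted destinations it sent 376-byte
    UDP/1434 datagrams to, keeping sources with >= threshold destinations."""
    targets = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ICMP replies, wrapped lines, other protocols
        if m["dport"] in MSSQL_MONITOR_PORTS and int(m["len"]) == WORM_PAYLOAD_LEN:
            targets[m["src"]].add(m["dst"])
    return {s: sorted(d) for s, d in targets.items() if len(d) >= threshold}


# Constructed sample capture (documentation addresses), not real traffic.
SAMPLE = """\
02:06:31.017088 192.0.2.17.3047 > 198.51.100.212.ms-sql-m: udp 376
02:06:31.017244 198.51.100.212 > 192.0.2.17: icmp: 198.51.100.212 udp port ms-sql-m unreachable [tos 0xc0]
02:06:31.018101 192.0.2.17.3047 > 203.0.113.9.ms-sql-m: udp 376
02:06:31.018377 IP 192.0.2.17.3047 > 203.0.113.77.1434: UDP, length 376
02:06:31.020001 192.0.2.40.1050 > 198.51.100.5.ms-sql-m: udp 12
02:06:31.021512 192.0.2.99.53 > 198.51.100.5.4321: udp 376
""".splitlines()

if __name__ == "__main__":
    for src, dsts in suspect_sources(SAMPLE).items():
        print(f"{src}: {WORM_PAYLOAD_LEN}-byte UDP/1434 to {len(dsts)} hosts {dsts}")
```

Feed it the text output of `tcpdump -n udp port 1434` taken on an egress interface; a source inside your own address space that appears in the result is a host to isolate and patch.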


