RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

From: Arne Vidstrom (arne.vidstrom@ntsecurity.nu)
Date: 01/26/03

    From: "Arne Vidstrom" <arne.vidstrom@ntsecurity.nu>
    To: <bugtraq@securityfocus.com>, "John Howie" <JHowie@securitytoolkit.com>
    Date: Sun, 26 Jan 2003 01:48:36 +0100
    
    

    Hi all,

    The problem is that if you say that good things come out of this there will
    be people out there who get inspired to write new worms with the argument
    that they "do good to the society" without considering the side-effects, or
    who just use it as an excuse to do damage. Also it's human nature (or
    something like that) to have the opinion that if something is bad you aren't
    allowed to say that it has something good in it too, but that's not really
    an objective argument.

    In fact the worm might have done lots of good - some of the vulnerable
    databases probably contain very sensitive information. A DoS of the Internet
    doesn't last forever, but if sensitive information from databases gets into
    the hands of the wrong people it's a long-lasting problem. Sensitive
    corporate information, and especially sensitive information about
    individuals, and so on. I would rather have no Internet access for a few
    days than have sensitive information about myself leaked to the wrong
    people. Of course the perfect solution would be if those responsible for the
    databases make sure they're secure, but in a world that isn't perfect a worm
    might force them to make sure they're secure. Unfortunately lots of people
    think they can neglect security as long as they don't see anything bad
    happening (and they often go selectively blind on purpose). I know for a
    fact that a lot of people responsible for very sensitive systems neglect
    security more or less on purpose for different reasons, and their only touch
    with reality is when they're struck with a worm or similar. Hopefully some
    of them have learned to take security more seriously now, and hopefully some
    sensitive information that would have leaked out in the future won't do so
    now, because of the worm. So I believe he wrote that - seriously, I do. ;-)
    That aside, I *don't* think releasing worms is a good way to solve the
    problem!

    /Arne

    -----Original Message-----
    From: John Howie [mailto:JHowie@securitytoolkit.com]
    Sent: den 26 januari 2003 00:17
    To: jasonc@science.org; Jay D. Dyson; Bugtraq
    Subject: RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

    Jason,

    I can't believe you wrote this - seriously, I can't.

    >
    > As of now we don't know who wrote the worm, but we do know that it looks
    > like a concept worm with no malicious payload. There is a good argument to
    > be made in favor of such worms.
    >

    What good can come of a widespread DoS of the Internet? What about the
    problems that come from a hacker getting a hold of the payload and making it
    more malicious before everyone can respond? Remember, most people won't
    know about this until Monday and won't be able to fix the problem until
    later that day, or perhaps later in the week.

    >
    > Before you get upset at your vendor, or anyone else's, consider the bigger
    > picture and recognize the increased security hardening the Internet just
    > received.
    >

    It shouldn't have needed it. Microsoft released a patch for the
    vulnerability some time ago (granted it wasn't easy to install,
    especially for MSDE installations) but the real problem is those system
    administrators who don't apply patches when there is no good reason not
    to, and the network and firewall administrators who, for some
    incomprehensible reason, leave open ports like this in their firewalls
    and routers.

    Maybe the time has come to draft legislation to prosecute not only the
    writers of such malware, but those who recklessly leave their systems
    vulnerable and defenseless and, through their negligence, help propagate
    malware. Lastly, Microsoft and all other vendors need to make their
    patches available for all configurations and easier to install (a quick
    check shows that SQL Server SP3 is still not available for MSDE).

    John Howie CISSP MCSE
    President, Security Toolkit LLC


