New MS SQL Server Worm
From: H D Moore (sflist@digitaloffense.net)
Date: 01/25/03
From: H D Moore <sflist@digitaloffense.net>
To: incidents@securityfocus.com
Date: Sat, 25 Jan 2003 03:15:40 -0600
A worm which exploits a (new?) vulnerability in SQL Server is bringing the
core routers to a grinding halt. The speed of the propagation can be
attributed to the attack method and simplicity of the code. The worm
sends a 376-byte UDP packet to port 1434 of each random target; each
vulnerable system will immediately start propagating itself. Since UDP is
connection-less, the worm is able to spread much more quickly than those
using your standard TCP-based attack vectors (no connect timeouts).
Some random screen shots, a copy of the worm as a perl script, and a
disassembly (sorry, no comments) can be found online at:
http://www.digitaloffense.net/worms/mssql_udp_worm/
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
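Added example, not part of the original post or the author's code: a flow-log check built on the two traits the message gives (UDP to port 1434, 376-byte payload) that lists sources fanning out to many destinations and the hosts that received a matching packet. The record layout, the sample flows and the `min_targets` threshold are assumptions made for illustration.

```python
from collections import defaultdict

WORM_PORT = 1434          # destination port given in the post
WORM_PAYLOAD_LEN = 376    # UDP payload size given in the post

# Constructed sample flows (not real traffic):
# (src_ip, dst_ip, protocol, dst_port, payload_len)
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", "udp", 1434, 376),
    ("10.0.0.5", "198.51.100.7", "udp", 1434, 376),
    ("10.0.0.5", "203.0.113.44", "udp", 1434, 376),
    ("10.0.0.5", "192.0.2.200", "udp", 1434, 376),
    ("10.0.0.9", "10.0.0.20", "udp", 1434, 1),     # short UDP/1434 request, wrong size
    ("10.0.0.9", "10.0.0.20", "tcp", 1433, 120),   # TCP, not UDP
    ("10.0.0.7", "192.0.2.10", "udp", 53, 376),    # right size, wrong port
    ("10.0.0.8", "192.0.2.99", "udp", 1434, 376),  # single match, below fan-out threshold
]


def matches_signature(flow):
    """True when a flow has the protocol, port and size described in the post."""
    _src, _dst, proto, dport, plen = flow
    return proto == "udp" and dport == WORM_PORT and plen == WORM_PAYLOAD_LEN


def find_propagating_hosts(flows, min_targets=3):
    """Map each source to its distinct destinations when it hit at least
    min_targets different hosts with a matching packet (likely infected)."""
    targets = defaultdict(set)
    for flow in flows:
        if matches_signature(flow):
            targets[flow[0]].add(flow[1])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


def find_targeted_hosts(flows):
    """Destinations that received at least one matching packet; these are the
    hosts to check for an exposed SQL Server service."""
    return {flow[1] for flow in flows if matches_signature(flow)}


if __name__ == "__main__":
    for src, dsts in find_propagating_hosts(SAMPLE_FLOWS).items():
        print(f"{src} sent matching packets to {len(dsts)} hosts: {dsts}")
    print("hosts that received a matching packet:",
          sorted(find_targeted_hosts(SAMPLE_FLOWS)))
```

Matching on size alone or port alone produces false positives, which is why the sample includes one of each.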