MS SQL Worm Roundup

Slammer (Helkern/Sapphire) is a worm that attempts to exploit vulnerabilities in Microsoft SQL 2000 servers and is causing increased traffic on UDP port 1434. This roundup contains the analysis, latest news updates, solutions, security advisories, AV vendor releases and a removal too for this worm.

CERT/CC – CERT Advisory CA-2003-04 – MS-SQL Server Worm

The CERT/CC has received reports of self-propagating malicious code that exploits multiple vulnerabilities in the Resolution Service of Microsoft SQL Server 2000. The propagation of this worm has caused varied levels of network degradation across the Internet, in addition to the compromise of vulnerable machines

Kaspersky Labs: “Helkern”: 367 Bytes That Shook The World

Kaspersky Labs, an international data security software developer, is warning users against the new Internet-worm “Helkern” (also known as “Slammer”) that infects servers running under the popular Web-enabled database Microsoft SQL Server 2000.

eEye – SQL Sapphire Worm Analysis

Late Friday, January 24, 2003 we became aware of a new SQL worm spreading quickly across various networks around the world. Besides the analysis, the disassembled worm code is available here.

NGSSoftware (HNS mirror) – Unauthenticated Remote Compromise in MS SQL Server 2000

NGSSoftware July 25th advisory described the security issue that this worm exploits. Microsoft’s database server SQL Server 2000 exhibits two buffer overrun vulnerabilities that can be exploited by a remote attacker without ever having to authenticate to the server.

Black Hat Briefings Archive – David Litchfield MS SQL UDP Speech (Real Audio)

This is an archive of the speech David Litchfield gave at the July’s Black Hat Briefing, in which he reveals the MS SQL UDP problem that turned into the SQL Hell/Slammer/Sapphire worm, fire up Real Player and check out the video.

Microsoft Security Bulletin MS02-039 – Buffer Overruns in SQL Server 2000 Resolution Service Could Enable Code Execution

Three vulnerabilities, the most serious of which could enable an attacker to gain control over an affected SQL Server 2000 installation. This Micosoft security bulletin deals with the issues the SQL worm is exploiting.

Cisco – MS SQL “Sapphire” Worm Mitigation Recommendations

Cisco customers are currently experiencing attacks due to a new worm that has hit the Internet. The signature of this worm appears to be high volumes of UDP traffic to port 1434. Affected customers have been experiencing high volumes of traffic from both internal and external systems. Symptoms on Cisco devices include, but are not limited to high CPU and traffic drops on the input interfaces.

Internet Storm Centar (SANS) – Port 1434 MS-SQL Worm Analysis and Spread Graphs

Starting 06:30 UTC ( 00:30 EST ) on Saturday Jan 25th 2003, worldwide traffic for port 1434 UDP increased rapidly causing major Internet links to fail. ISPs responded quickly by blocking port 1434. While traffic is still strong in some areas. It dropped significantly since its peak. About 35,000 hosts seem to be infected at this point.

Matthew Murphy’s Homepage – Analysis of Sapphire SQL Worm

When an SQL server is infected by this worm, the worm immediately sets up a stack frame with information that it needs for propogation. It locates the GetTickCount API as well as several other WinSock APIs. It does not search for the LoadLibraryA and GetProcAddress APIs, and instead locates them by searching the IAT of sqlsort.dll…

Veritas Support Center – SQL Slammer Causes MSDE Components Included with Backup Exec 9.0 and ExecView 3.1 to Flood the Network

VERITAS Technical Support has recently discovered that Backup Exec 9.0 servers may be susceptible to infection by the “W32.SQLExp.Worm” (also known as “SQL Slammer” discovered 1/24/2003). This TechAlert is to inform you of the circumstances and/or conditions under which this problem could occur and to provide the remedy for it.

Virus vendors on the MS SQL worm

Sophos: W32/SQLSlam-A
Kaspersky Lab: Worm.SQL.Helkern (aka SQLSlammer)
RAV: Win32/SQLSlammer.worm
BitDefender: Win32.Worm.SQLExp.Slammer.A
McAfee: W32/SQLSlammer.worm
F-Secure: Sapphire Worm
Norman: W32/SQLSlammer.A
NOD32: Worm Win32/SQL.Slammer
Symantec: W32.SQLExp.Worm
Trend Micro: WORM_SQLP1434.A

Press Release: New Code Red-Like Hacking Tool to “Slam” SQL Servers
Press Release: New Worm Slams The Internet – Hard
Press Release: Panda Software alerts on W32/SQLSlammer
Press Release: Panda: The First and Only Antivirus Developer to Integrate Protection Against SQLSlammer Type Worms

Removal tool: BitDefender Anti Slammer SQL Worm
Removal tool: Symantec W32.SQLExp.Worm Removal Tool

Article: Helkern – The Beginning of End As Anti-virus Experts Have Long Warned
Article: Slammer (Helkern) Worm Epidemic – Events Chronology
Article: Lack of Visible Symptoms Increases the Danger of SQLSlammer
Article: System administrators blame each other for spread of Slammer internet worm, Sophos poll reveals

News reports on the MS SQL worm

The Register: SQL worm slams the Net
Internet Week: SQL Server Worm Slows Internet Traffic To A Crawl
Bloomberg: Microsoft Says Virus Attacked Web Server Computers
Slashdot: MS SQL Server Worm Wreaking Havoc
BetaNews: MS SQL Server Worm Cripples Internet
Reuters: Computer worm slows Net, grounds South Korean surfers
eWeek: SQL Worm Pounds Internet
Yahoo: Worm bogs down S.Korean Internet
Island Packet: Fast-spreading virus strikes computers worldwide
SunSpot: Virus Overwhelms Global Internet Systems
CNN: Computer worm grounds flights, blocks ATMs
BBC: Virus-like attack hits web traffic
Ananova: Virus-like infection affects web use
InfoWorld: Slammer slugs Internet, down but not out
Reuters: Bank of America ATMs Disrupted by Virus
PR Newswire: Network Associates Avert Places High Risk Assessment on New Slammer Worm
Island Packet: Virus attack reveals flaw in network security strategies
Bloomberg: WorldCom, Verizon, Other Companies Recover From Internet Attack
JoongAng Daily: Virus knocks out Internet for 9 hours; origin sought
Times of India: Amazon, Ebay say no disruption from Net worm Firms Clean Servers, Desktops in Web Worm’s Wake ZDNet UK: Worm exposes laziness and Microsoft bugs
Korea Times: SQL Worm Not Hard to Remove
The Times of India: Slammer worm hits Korean shares
CNN: Slammer worm hits Korean shares
Oxygen3 (HNS Mirror): SQLSlammer Could Block the Enterprise Activities
Yahoo: Internet Attack Rattling Assumptions
CNN: Who’s to blame for massive Net attack?
FCW: Agencies thwart SQL worm
eWeek: Slammer Source Code Provides Clues
NWF: Slow Slammer response points to NIPC woes
The Register: Microsoft struggles to contain the Slammer worm