You are here: HomeNews2003 01 28Article 32117

General News of Tuesday, 28 January 2003

Source:  

Ghanaweb Is Free From SQL Slammer Worm, But.....

Ghanaweb's service may experience periodic disruption due to the impact of the SQL Slammer Worm. Our server is NOT affected since we don't use Microsoft Windows, but other clients of our Internet Service Provider could be. Their servers may periodically jam the connection to our servers.

SQL Slammer: How it works--prevent it

The SQL Slammer worm (w2.SQLSlammer.worm), also known as Sapphire (F-Secure), w32.SQLexp.worm (Symantec), and Helkern (Kaspersky), exploits known vulnerabilities in Microsoft SQL 2000 servers. It has little impact on home or desktop PCs, and it does not infect Linux, Mac, or Unix systems.

SQL Slammer spreads by scanning the Internet for vulnerable systems, and it is this scanning activity that has degraded service across the entire Internet.

A patch issued by Microsoft last summer removes the buffer overflow vulnerability in SQL 2000 servers. The large number of unpatched systems, however, accounted for the worm's rapid spread across the Internet beginning at 12:30 a.m., January 25, 2003.

How it works

SQL Slammer exploits the way in which MS SQL servers process input on SQL Server Resolution Service port 1434. A specially crafted packet of only 376 bytes sent over the Internet can remotely compromise a vulnerable server. The SQL worm itself is file-less and resides only in memory, much as Code Red. It does not create or delete files but actively scans for other vulnerable MS SQL servers. The aggressive scanning done by SQL Slammer overloaded many networks on January 25, 2003, slowing Internet traffic.

SQL Slammer targets systems running MS SQL Server 2000 and/or systems running Microsoft Desktop Engine (MSDE) 2000, which is included in Visual Studio .Net, Asp.net Web Matrix Tool, Office XP Developer Edition, MSDN Universal and Enterprise, Microsoft Access, and Microsoft Application Center 2000.

Prevention The worm can be removed by rebooting an infected system, however that solution does not guard against infection again at a later time. The underlying Server Resolution service buffer overrun flaw exploited by SQL Slammer was first reported in June 2002 and patched in MS02-039. Additional information is available in the SQL Elevation of Privilege patch MS02-061. Systems already patched by installing SQL 2000 Service Pack 3 are not affected. Until a patch can be installed, system administrators may block the following SQL server ports at their firewall/gateway:

ms-sql-s 1433/tcp #Microsoft-SQL-Server ms-sql-s 1433/udp #Microsoft-SQL-Server ms-sql-m 1434/tcp #Microsoft-SQL-Monitor ms-sql-m 1434/udp #Microsoft-SQL-Monitor