Vulnerable Systems
==================
Microsoft SQL Server 2000
Microsoft Desktop Engine 2000 (MSDE 2000)
which is installed as part of:
* SQL Server 2000 (Developer, Standard, and Enterprise Editions)
* Visual Studio .NET (Architect, Developer, and Professional Editions)
* ASP.NET Web Matrix Tool
* Office XP (various versions)
* MSDN (various subscription levels)
* Access 2002
* Visual FoxPro 7.0/8.0
(see below for patch / service pack details)
Summary
=======
Starting 06:30 UTC (00:30 EST) on Saturday, Jan 25th 2003, worldwide traffic on port 1434 UDP increased rapidly, causing major Internet links to fail. ISPs responded quickly by blocking port 1434. While traffic is still strong in some areas, it has dropped significantly since its peak. About 35,000 hosts seem to be infected at this point.
Up to now, this worm has been named 'Sapphire', 'SQL-Hell' and 'MS-SQL Slammer'.
The worm sends a 376-byte UDP packet to port 1434 at random targets at a very high rate. Vulnerable systems immediately start sending identical 376-byte packets once they are infected. The worm sends traffic to random IPs, including multicast IPs, which may improve its denial of service (DoS) capability.
Single MS-SQL servers have been reported to generate traffic in excess of 50 MBit/sec after being infected.
Keystone's Internet Health report is still reporting link degradation: http://www1.internetpulse.net/ As a result of degraded links, root DNS servers and other resources have been unavailable at times.
Mitigation
==========
- block port 1434 UDP inbound and outbound.
- verify that you applied all patches to MS-SQL servers; in particular,
  MS02-039: Buffer Overruns in SQL Server 2000 Resolution Service Could
  Enable Code Execution (Q323875) prevents infection:
  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp
Important (from NTBugtraq post by Eric Schultze):
"MS02-039 is applicable to SQL Server 2000 and MSDE 2000 SP2. Those running SQL without an SP, or SQL 2000 SP1, will need to upgrade to SP2 in order to apply this patch, or install SQL 2000 SP3.
The relevant file in MS02-039 is ssnetlib.dll. You need to have 2000.80.636.0 or later of this file to be considered patched."
- monitor your network for hosts sending a large number of UDP 1434 packets.
- Cisco recommendations:
  http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml
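The "monitor your network" item above is the one that catches an infected host before its link saturates. The following is an added example for this advisory (not ISC's, Cisco's or Microsoft's code) showing what that monitoring amounts to when run over flow records: it aggregates UDP/1434 packets per source over a time window and flags sources that both exceed a packet threshold and spray many distinct destinations, which separates a worm-style random-target sender from one busy but legitimate client. The flow records and their (timestamp, src, dst, proto, dport, packets) layout are constructed for the example and are not a real collector's export format; the thresholds are assumptions to be tuned per network.

```python
"""Flag hosts that send an abnormal volume of UDP/1434 packets.

Added example for this advisory, not code from the original page.
Flow record layout (unix_ts, src_ip, dst_ip, proto, dst_port, packets) is
an assumption for illustration, not a real NetFlow export format.
"""
from collections import defaultdict

# Constructed sample flow records (not real traffic). The worm-like source
# 10.0.2.17 sprays thousands of UDP/1434 packets at unrelated targets,
# including a multicast address, while 10.0.0.5 is a normal SQL client.
SAMPLE_FLOWS = [
    (1043476200, "10.0.0.5", "10.0.1.9", "udp", 1434, 1),       # one SSRP lookup
    (1043476201, "10.0.0.5", "10.0.1.9", "tcp", 1433, 40),      # normal SQL session
    (1043476205, "10.0.2.17", "203.0.113.4", "udp", 1434, 900),
    (1043476205, "10.0.2.17", "198.51.100.77", "udp", 1434, 880),
    (1043476206, "10.0.2.17", "224.0.0.9", "udp", 1434, 750),   # multicast target
    (1043476206, "10.0.2.17", "192.0.2.200", "udp", 1434, 910),
    (1043476210, "10.0.3.3", "10.0.1.9", "udp", 1434, 2),
]


def bucket_udp1434(flows, window_seconds=60):
    """Aggregate UDP/1434 packets per (source, window start).

    Returns {(src_ip, window_start): {"packets": int, "dsts": set()}}.
    Non-UDP flows and other destination ports are ignored.
    """
    buckets = defaultdict(lambda: {"packets": 0, "dsts": set()})
    for ts, src, dst, proto, dport, pkts in flows:
        if proto != "udp" or dport != 1434:
            continue
        key = (src, ts - ts % window_seconds)
        buckets[key]["packets"] += pkts
        buckets[key]["dsts"].add(dst)
    return buckets


def flag_scanners(flows, window_seconds=60, packet_threshold=500, dst_threshold=3):
    """Return {src_ip: (max_packets_in_a_window, max_distinct_dsts_in_a_window)}
    for sources that, within a single window, exceed packet_threshold UDP/1434
    packets AND hit at least dst_threshold distinct destinations.

    Requiring both conditions (assumed thresholds) avoids flagging a single
    client that legitimately queries one SQL Server's monitor port often.
    """
    flagged = {}
    for (src, _start), stats in bucket_udp1434(flows, window_seconds).items():
        n_dst = len(stats["dsts"])
        if stats["packets"] >= packet_threshold and n_dst >= dst_threshold:
            prev = flagged.get(src, (0, 0))
            flagged[src] = (max(prev[0], stats["packets"]), max(prev[1], n_dst))
    return flagged


if __name__ == "__main__":
    for src, (pkts, dsts) in flag_scanners(SAMPLE_FLOWS).items():
        print("%s: %d UDP/1434 packets to %d destinations in one window" % (src, pkts, dsts))
```

A host reported here should be disconnected and rebooted per the Cleanup steps, then patched before it is reconnected; the same per-source aggregation works on router NetFlow exports or on firewall logs once the fields are mapped.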
Cleanup
=======
- disconnect system from network
- shutdown system
- power system down
- reboot system.
- apply patches (see above)
- reconnect to network and monitor system
The worm does not write to disk and stays in memory. A simple reboot will clean an infected machine. Note that due to the high volume in traffic this worm generates, any vulnerable system connected to the internet is likely to be infected within minutes.
Detection
=========
SNORT rules from SANS ISC - Stephane Nasdrovisky:
alert udp any any -> any 1434 (msg:"mssql-030125-1"; content:"dllhel32hkern"; offset:150; depth:100;)
alert udp any any -> any 1434 (msg:"mssql-030125-2"; content:"|01 01 01 01 01 01 01 01 01 01 01 01 01|"; offset:44; depth:10;)
SNORT rule from SANS ISC - Pedro Bueno:
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm Activity"; content:"|04 01 01 01 01 01 01 01|"; classtype:bad-unknown; sid:9994; rev:1;)
Anecdotal list reports (below) say that the worm may be triggering the netflow switching bug - Cisco Bug ID CSCdu72555 - which is addressed in "Resolved Caveats Cisco IOS Release 12.0(18)S2" (link below).
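To see what the three signatures above actually test, and to sanity-check them before loading them into a sensor, here is an added example (not ISC's code and not a Snort implementation) that reproduces only the content/offset/depth matching those rules rely on and applies it to raw UDP/1434 payloads. One caveat it surfaces: under Snort's semantics the search window for the second rule is the 10 bytes starting at offset 44, which cannot hold a 13-byte content, so that rule as transcribed can never fire, and the example reports that instead of silently returning no match. The sample payloads are constructed for this example; only the leading 0x04 byte, the run of 0x01 bytes and the "dllhel32hkern" marker reflect the published signatures, the rest is zero filler and is not worm code.

```python
"""Apply the advisory's Slammer signatures to UDP/1434 payloads.

Added example, not code from the original page. It mimics Snort's
content/offset/depth semantics as an assumption for illustration; use a
real IDS for production detection.
"""

SLAMMER_LEN = 376  # packet length reported in the advisory's summary

# (rule name, content bytes, offset, depth); depth None = search whole payload
RULES = [
    ("mssql-030125-1", b"dllhel32hkern", 150, 100),
    ("mssql-030125-2", bytes([0x01] * 13), 44, 10),
    ("MS-SQL Slammer Worm Activity (sid 9994)", bytes([0x04] + [0x01] * 7), 0, None),
]


def content_match(payload, content, offset=0, depth=None):
    """Snort-style content match: search for `content` in the window that
    starts `offset` bytes into `payload` and spans `depth` bytes (or the
    whole remainder when depth is None). Returns (matched, reason)."""
    if depth is not None and len(content) > depth:
        return False, "content is %d bytes but depth is %d: can never match" % (len(content), depth)
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return content in window, "searched bytes %d..%d" % (offset, offset + len(window))


def rule_problems(rules=RULES):
    """Names of rules whose content cannot fit in their depth window."""
    return [name for name, content, _off, depth in rules
            if depth is not None and len(content) > depth]


def classify(payload, rules=RULES):
    """Return {check_name: bool}: the 376-byte length check from the summary
    plus one entry per signature."""
    results = {"length_376": len(payload) == SLAMMER_LEN}
    for name, content, offset, depth in rules:
        matched, _reason = content_match(payload, content, offset, depth)
        results[name] = matched
    return results


def build_sample_worm_payload():
    """Constructed stand-in for an infected host's packet: 0x04, 97 bytes of
    0x01 (the filler the signatures key on), the marker string placed inside
    the 150..250 window, then zero padding to 376 bytes. NOT the worm's
    code; just bytes shaped like the published signatures."""
    body = bytes([0x04]) + bytes([0x01] * 97)
    body += b"\x00" * (180 - len(body))  # marker lands at offset 180
    body += b"dllhel32hkern"
    return body + b"\x00" * (SLAMMER_LEN - len(body))


# Constructed benign sample: the normal single-byte client request to the
# monitor port described in the Details section below.
SSRP_PROBE = b"\x02"


if __name__ == "__main__":
    for label, pkt in (("worm-shaped sample", build_sample_worm_payload()),
                       ("normal SSRP probe", SSRP_PROBE)):
        print(label, classify(pkt))
    print("rules that can never match:", rule_problems())
```

The sid 9994 rule has no offset or depth, so it matches the 0x04 + 0x01 run anywhere in the packet and is the most robust of the three against small layout changes; the length check is a cheap pre-filter that a normal one-byte monitor-port request never satisfies.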
Details
=======
This worm exploits a vulnerability in SQL Server's 'Monitor Port'.
The monitor port is used to discover which connection methods a particular server offers. The message sent by the client is usually a single byte (0x02); the response depends on the server's configuration.
However, David Litchfield ( http://www.ngssoftware.com/advisories/mssql-udp.txt ) discovered two buffer overflow conditions in this service, which can be used to execute arbitrary code in the security context of the server.
Once it has infected a server, the worm code generates UDP packets against random IPs. No other payload is known at this time, and given the compact code it is unlikely that another payload exists.
Source: http://isc.incidents.org/analysis.html?id=180
Dear Sir,
Recently we bought a PC with XP Home, and every now and then a pop-up window from the AV program says there is a virus, with a message similar to the one below:
"MS02-039: Buffer Overruns in SQL Server 2000 Resolution Service"
After scanning the whole computer, no virus was found. However, the same message always appears, saying it blocked the above virus.
Have you come across the same problem?