Data Management

Lock IT Down: Sapphire/Slammer worm attacks SQL Server and the Internet

Learn about a worm that attacks SQL Server over the Internet

The economy of South Korea was brought to a screeching halt on the morning of Jan. 25, and the rest of the Internet community suffered collateral damage as a new worm launched a massive attack against a well-known and presumably long-since-patched Microsoft SQL Server vulnerability. Known by various names, including W32.SQLExp.Worm, DDOS_SQLP1434.A, and most commonly, Slammer or Sapphire, the worm was launched against the Internet in general and possibly against South Korea in particular.

CNET News.com has reported that as of Jan. 26, about 120,000 systems had been attacked by Sapphire and that it had completely overwhelmed some South Korean ISPs. The News.com report also disclosed that the worm caused problems with 13,000 Bank of America automated teller machines, so the impact of this attack has spread far beyond the Korean peninsula.

Details
According to MessageLabs.com, a UK-based mail service, “[Slammer] can only spread as an in-memory process on unpatched Microsoft SQL Server 2000 and the Microsoft SQL Server Desktop Engine (MSDE).” Unpatched is the operative word here, since Microsoft has been urging users to update their software to fix the vulnerability exploited by Slammer since July 24, 2002, when it published Microsoft Security Bulletin MS02-039. Another recent bulletin regarding SQL Server threats and problems caused by the initial patch, MS02-061, was published on Oct. 16, 2002, and updated Jan. 26, 2003, to reflect this latest attack.

Symantec, which labels this as the SQLExp.Worm, reported that “it sends 376 bytes to UDP port 1434, the SQL Server Resolution Service Port. Beginning at 5:31 A.M. GMT, we started to see a significant increase in the unique number of source IPs scanning for UDP port 1434.” (The Internet Storm Center has a chart that shows an incredible surge in scans of port 1434 between January 24 and January 26.)

MessageLabs also said, “The majority of [South Korea’s] Internet services were unavailable for many hours. The effects were felt particularly harshly in most of South East Asia, Japan, and India.”

MSDE is found not just in SQL Server, but also in other Microsoft programs—including Visual Studio .NET and Office XP Developer Edition—so there is a possibility that this attack, or a related one, could spread beyond SQL Server database servers.

There are two CVE vulnerabilities for this port: CAN-2002-0650 and CAN-2002-0649. CERT Vulnerability Note VU#370308 (first published on July 26, 2002) also covers this threat.

Fix
Until the patch is applied, there is a simple way to block the spread of this virus: Configure the firewall to block all 1434/UDP traffic.

Final word
Of course, there are many reasons for not patching systems, but this worm—like others before it—has flourished by attacking a well-known vulnerability that has been left unpatched. In this instance, the original patch was flawed. In the words of MS02-061:

“Microsoft originally released this bulletin and patch on October 16, 2002, to correct a security vulnerability in a SQL Server stored procedure. The patch was and still is effective in eliminating the security vulnerability, and includes the fix for the vulnerability exploited by the 'Slammer' worm virus. (Note: Slammer affects only SQL Server 2000 and MSDE 2000.) However, while the patch was fully effective in eliminating the security vulnerability, in October 2002, it was found to interfere with SQL Server operations under some circumstances. As a result, on October 30, 2002, an additional non-security hotfix (317748) was required to ensure normal operations of SQL Server.”

In other words, the original patch sealed off SQL Server so well that some companies were unable to use it, which might explain why many companies were slow to implement the patch. However, although that caution was useful at the time, when MS02-061 was released to correct the problem, admins should have followed up on the problem and implemented that patch. Those who have not yet applied the patch should apply it immediately. If you want to block the worm before you apply the patch, you can block UDP port 1434 while performing the patch deployment.
0 comments

Editor's Picks