10 Years After SQL Slammer

Malcontent · Jan 25, 2013

http://threatpost.com/en_us/blogs/inside-story-sql-slammer-102010

On Jan. 25, 2003, a new worm took the Internet by storm, infecting thousands of servers running Microsoft's SQL Server software every minute. The worm, which became known as SQL Slammer, eventually became the fastest-spreading worm ever and helped change the way Microsoft approached security and reshaped the way many researchers handled advisories and exploit code.
Click to expand...

siljaline · Jan 25, 2013

Points to Threatpost entry as well.
http://it.slashdot.org/story/13/01/25/1933238/10-years-after-sql-slammer

Rmus · Jan 25, 2013

Slammer (in January 2003) was a very informative event for those following the computer security scene.

sans.org published a FAQ about Slammer. I found many of the comments very revealing:

Malware FAQ: MS-SQL Slammer
http://www.sans.org/security-resources/malwarefaq/ms-sql-exploit.php

Exploited Vulnerability: Unauthenticated Remote Compromise in MS SQL Server 2000,

References:

Microsoft Security Bulletin MS02-039, [July 2002]
CERT® Advisory CA-2003-04, CERT® Advisory CA-2002-22, CAN-2002-0649.

Presuming you had a machine running MSDE 2000 with port 1434 open and directly connected to the Internet with no firewall filtering, no router port filtering or proper patches, an infected machine would send a non-infected machine the following packet: ...

How To Protect Against the SQL Slammer Worm

The UDP port 1434 is only used for SQL Server discovery, and all attempts to access it should be blocked at either the border router and/or firewall. Internal access to the SQL Server or MSDE application should also be minimized. For those individuals needing explicit internet access for their applications, I recommend the used of IPSec filtering, which is available on all Windows operating systems from 2000 on.

The following recommendations are more generic in nature, but serve as a benchmark to help prevent any and all future exploits.

A computer usually has a function whether it be as a home computer running simple office applications, a workstation running complex computer programs, a web server or whatever. Before one hooks up a computer, one should define its function and the services necessary to perform that function. If the computer is not going to be used as a database or web server, then those programs and services should not be running.

Use of the "netstat -an" command on a Windows or Unix machine will let you know what ports are open on your machine. For example, POP3 runs on TCP port 110. If your machine is not running a POP server, this port should not be open.

Use of filtering (IPSec filters in Windows, TCP wrappers on Unix) can help further shield the machine from attack, as well as contain the attack once a machine has been exploited.

Use ingress/egress filtering at firewall and/or border router to only allow access to the Internet those ports necessary on that machine for it to perform its function.

Click to expand...

Regarding patching:

SQL-Server SLAMMER WORM - McAfee Notification by Lee Fisher, NAI Security
http://www.myitforum.com/forums/SQLSLAMMER-WORM-HIGH-RISK-TO-UNPATCHED-SQLSERVER-2000-m21339.aspx
January 25, 2003

The worm appears to be utilising the vulnerabilities announced
within MS02-039

Patches for this vulnerability have been available since,
and anyone who took the appropriate actions to protect against
SQL-Spida worm look to be protected against this worm.

Those actions included;

a) Blocking inbound access to UDP1434, the SQL Server 2000 Resolution
Service port. This port is similar to the RPC End Point Mapper port
(TCP135) which redirects client requests for a server service to a
dynamically allocated port.

b) Patching

MS Patch :
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp
Click to expand...

EDIT: the above link no longer works. Here is the MS Bulletin from 2002:

FIX: MS02-039: Buffer Overruns in SQL Server 2000 Resolution Service Might Enable Code Execution
From July, 2002
http://support.microsoft.com/kb/323875

There are three security vulnerabilities here. The first two are buffer overruns...

The third vulnerability is a denial of service vulnerability...

RESOLUTION

To resolve this problem, obtain the latest service pack for Microsoft SQL Server 2000.
Click to expand...

Also:

Microsoft Security Bulletin MS02-061
Elevation of Privilege in SQL Server Web Tasks (Q316333)
October 16, 2002
http://technet.microsoft.com/en-us/security/bulletin/ms02-061

Recommendation:

System administrators should apply the patch to affected systems.

Affected Software:

Microsoft SQL Server 7.0
Microsoft Data Engine (MSDE) 1.0
Microsoft SQL Server 2000
Microsoft Desktop Engine (MSDE) 2000 (see the FAQ for a list of products that include MSDE 2000)
Click to expand...

The article Malcontent cites has this statement:

The worm, which became known as SQL Slammer ... helped change the way Microsoft approached security and reshaped the way many researchers handled advisories and exploit code.
Click to expand...

Well, many people didn't change their ways about advisories.

Remember the Conficker worm 5 years later?

An Analysis of Conficker's Logic
http://mtc.sri.com/Conficker/

Conficker propagates by exploiting the MS08-67 vulnerability in the Microsoft Windows server service.

The patch for this exploit was released by Microsoft on October 23 2008, and those Windows PCs that receive automated security updates have not been vulnerable to this exploit. Nevertheless, nearly a month later, in mid-November, Conficker would utilize this exploit to scan and infect millions of unpatched PCs worldwide.
Click to expand...

----
rich

Log in or Sign up

10 Years After SQL Slammer

Malcontent Registered Member

siljaline Registered Member

Rmus Exploit Analyst

Log in or Sign up

10 Years After SQL Slammer

Malcontent Registered Member

siljaline Registered Member

Rmus Exploit Analyst

Useful Searches