
Lock IT Down: Sapphire/Slammer worm attacks SQL Server and the Internet

Tags: Databases, Enterprise software, Cyberthreats, SECURITY, Viruses and worms, John McCormick, information technology, worm attack, Microsoft SQL Server, Microsoft Corp., server, attack, Internet, Microsoft Data Engine


Takeaway: Learn about a worm that attacks SQL Server over the Internet


The economy of South Korea was brought to a screeching halt on the morning of Jan. 25, and the rest of the Internet community suffered collateral damage as a new worm launched a massive attack against a well-known and presumably long-since-patched Microsoft SQL Server vulnerability. Known by various names, including W32.SQLExp.Worm, DDOS_SQLP1434.A, and most commonly, Slammer or Sapphire, the worm was launched against the Internet in general and possibly against South Korea in particular.

CNET News.com has reported that as of Jan. 26, about 120,000 systems had been attacked by Sapphire and that it had completely overwhelmed some South Korean ISPs. The News.com report also disclosed that the worm caused problems with 13,000 Bank of America automated teller machines, so the impact of this attack has spread far beyond the Korean peninsula.

Details
According to MessageLabs.com, a UK-based mail service, “[Slammer] can only spread as an in-memory process on unpatched Microsoft SQL Server 2000 and the Microsoft SQL Server Desktop Engine (MSDE).” Unpatched is the operative word here, since Microsoft has been urging users to update their software to fix the vulnerability exploited by Slammer since July 24, 2002, when it published Microsoft Security Bulletin MS02-039. Another recent bulletin regarding SQL Server threats and problems caused by the initial patch, MS02-061, was published on Oct. 16, 2002, and updated Jan. 26, 2003, to reflect this latest attack.

Symantec, which labels this as the SQLExp.Worm, reported that “it sends 376 bytes to UDP port 1434, the SQL Server Resolution Service Port. Beginning at 5:31 A.M. GMT, we started to see a significant increase in the unique number of source IPs scanning for UDP port 1434.” (The Internet Storm Center has a chart that shows an incredible surge in scans of port 1434 between January 24 and January 26.)

MessageLabs also said, “The majority of [South Korea’s] Internet services were unavailable for many hours. The effects were felt particularly harshly in most of South East Asia, Japan, and India.”

MSDE is found not just in SQL Server, but also in other Microsoft programs—including Visual Studio .NET and Office XP Developer Edition—so there is a possibility that this attack, or a related one, could spread beyond SQL Server database servers.

Two CVE candidate entries cover the vulnerability on this port: CAN-2002-0650 and CAN-2002-0649. CERT Vulnerability Note VU#370308 (first published on July 26, 2002) also covers this threat.

Fix
Until the patch is applied, there is a simple way to block the spread of this worm: configure the firewall to block all 1434/UDP traffic.
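The traffic signature quoted from Symantec above (376-byte datagrams to UDP port 1434) and the interim port block can both be expressed as a small log check. The following is an added example, not code from the original article: the log line format, the sample addresses and the `internal_prefix` parameter are constructed for illustration, while the port and datagram size are the figures the article reports.

```python
"""Flag Slammer-style UDP/1434 traffic in a firewall log and apply the block rule."""
import re
from collections import Counter

SLAMMER_PORT = 1434   # SQL Server Resolution Service port (UDP), per the article
SLAMMER_LEN = 376     # datagram size Symantec reported for the worm

# Constructed, simplified log format: "<ts> <src> -> <dst> <proto>/<dport> len=<bytes>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"(?P<proto>UDP|TCP)/(?P<dport>\d+) len=(?P<length>\d+)$")

# Constructed sample: two outside hosts probing, one benign TCP/1433 session, one
# small UDP/1434 query, and an inside host (198.51.100.10) spraying 1434/UDP itself.
SAMPLE_LOG = """\
2003-01-25T05:31:02Z 203.0.113.7 -> 198.51.100.10 UDP/1434 len=376
2003-01-25T05:31:02Z 203.0.113.7 -> 198.51.100.11 UDP/1434 len=376
2003-01-25T05:31:03Z 192.0.2.44 -> 198.51.100.10 UDP/1434 len=376
2003-01-25T05:31:03Z 192.0.2.45 -> 198.51.100.10 TCP/1433 len=120
2003-01-25T05:31:04Z 192.0.2.46 -> 198.51.100.10 UDP/1434 len=40
2003-01-25T05:31:05Z 198.51.100.10 -> 203.0.113.9 UDP/1434 len=376
"""

def parse(line):
    """Return a record dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"], rec["length"] = int(rec["dport"]), int(rec["length"])
    return rec

def is_slammer_like(rec):
    """Worm signature from the article: UDP, destination port 1434, exactly 376 bytes."""
    return rec["proto"] == "UDP" and rec["dport"] == SLAMMER_PORT and rec["length"] == SLAMMER_LEN

def should_block(proto, dport):
    """The interim fix from the article: drop all 1434/UDP, whatever the size."""
    return proto == "UDP" and dport == SLAMMER_PORT

def analyze(log_text, internal_prefix="198.51.100."):
    """Count unique scanning sources, list inside hosts emitting the worm (these need
    the patch, not just the firewall rule), and count records the port block drops."""
    recs = [r for r in map(parse, log_text.splitlines()) if r]
    hits = [r for r in recs if is_slammer_like(r)]
    sources = Counter(r["src"] for r in hits)
    return {
        "unique_sources": len(sources),
        "top_sources": sources.most_common(3),
        "infected_inside": sorted({r["src"] for r in hits if r["src"].startswith(internal_prefix)}),
        "dropped_by_block": sum(1 for r in recs if should_block(r["proto"], r["dport"])),
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Note that the block rule drops five records while the signature matches four: the port block is deliberately coarser than the worm signature, which is why the article treats it as a stopgap until the patch is on.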

Final word
Of course, there are many reasons for not patching systems, but this worm—like others before it—has flourished by attacking a well-known vulnerability that has been left unpatched. In this instance, the original patch was flawed. In the words of MS02-061:

“Microsoft originally released this bulletin and patch on October 16, 2002, to correct a security vulnerability in a SQL Server stored procedure. The patch was and still is effective in eliminating the security vulnerability, and includes the fix for the vulnerability exploited by the 'Slammer' worm virus. (Note: Slammer affects only SQL Server 2000 and MSDE 2000.) However, while the patch was fully effective in eliminating the security vulnerability, in October 2002, it was found to interfere with SQL Server operations under some circumstances. As a result, on October 30, 2002, an additional non-security hotfix (317748) was required to ensure normal operations of SQL Server.”

In other words, the original patch sealed off SQL Server so well that some companies were unable to use it, which might explain why many companies were slow to implement the patch. However, although that caution was useful at the time, when MS02-061 was released to correct the problem, admins should have followed up on the problem and implemented that patch. Those who have not yet applied the patch should apply it immediately. If you want to block the worm before you apply the patch, you can block UDP port 1434 while performing the patch deployment.

