OSEC

 
From: The SANS Institute (sans_at_sans.org)
Date: Mon Jan 27 2003 - 14:26:52 CST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Special Invitation for Monday January 27 Web Broadcast

    The SQL Slammer Worm: Ask The Experts

    SANS has organized an "ask the experts" session so you can get your
    questions answered about the new SQL worm that caused so much damage
    over the weekend (and is still causing damage).

    Time: 3:00 PM EST (2000 UTC)
    You must register right away if you want to come. We have only 2,500
    slots (6,000 registered for our last web broadcast so we must cut
    off the registrations as soon as 2,500 people register).

    How to register:
    Please visit http://www.sans.org/webcasts/012703.php to sign up.

    An archive of the audiocast will be available after the event at this
    same URL if you are unable to participate during the live broadcast.

    The panel includes technical experts from SANS, the White House Office
    of Cyberspace Security, and from leading security vendors that were
    working all weekend to try to understand and develop means of blocking
    the worm.

    This is an important event in educating management. It is another case
    that proves that asking every user to install the correct patches in
    a timely fashion is futile. There are better solutions we'll discuss
    in the web broadcast.

    Below is a preliminary analysis of the worm. Please email us (at
    sans@sans.org) with a (completely confidential) brief report of
    the damage that you experienced (your ISP was down, you couldn't get
    money from your ATM, etc.) from this worm. By combining these stories,
    we may be able to put an actual cost on the problem and thereby help
    justify better security.

    Also please send us one or two questions about SQL Slammer in advance
    of the briefing so we can make sure we get popular questions answered.

    Alan

    MS-SQL Server Worm (also called Sapphire, SQL Slammer, SQL Hell)

    A SPECIAL REPORT FROM THE SANS RESEARCH OFFICE

    A worm launched Saturday morning January 25, at about 12:30 AM (EST),
    exploits a buffer overflow vulnerability in the Resolution Service of
    Microsoft SQL Server 2000 (the service that answers instance-lookup
    requests on UDP port 1434). The vulnerability was initially reported in
    July 2002 and patched in Microsoft Security Bulletin MS02-039. The worm
    is also being called Sapphire, SQL Slammer, and SQL Hell.

    Microsoft reports that the worm also infects MSDE 2000 systems,
    typically used by software developers.

    The worm attempts to infect systems at (approximately) randomly
    generated IP addresses. It carries no back door and no dedicated
    flooding code of the kind seen in other worms (Code Red). However,
    because infection takes only a single UDP packet, with no connection
    setup or reply required, an infected machine can send infection
    attempts as fast as its network link allows, generating more traffic
    than most code written specifically for flooding. Thus, simply by
    trying to infect other systems, the worm has powerful denial of
    service capabilities.

    The worm resides only in memory, not on disk, so a reboot eliminates
    it. However, unless the defensive perimeter is updated to block the
    offending UDP packets or the system is patched, it will be quickly
    reinfected.

    The worm uses UDP port 1434, so its impact can be reduced by blocking
    inbound traffic to UDP port 1434 (which prevents infection from
    outside) and outbound traffic to UDP port 1434 (which keeps an
    already-infected host from attacking other sites). Use caution when
    blocking all traffic to this port, since it is legitimately used by
    Microsoft SQL Server clients to locate named instances. Some sites
    have also reported high levels of UDP traffic to port 1433.
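The two properties described above (one oversized UDP/1434 datagram per infection attempt, and an infected host spraying such datagrams at many random addresses) can both be turned into detection logic. The following is an added example, not part of the SANS report or any vendor tool: it scores a window of UDP traffic on payload shape and on per-source destination fan-out, and emits the perimeter filter rules the report recommends. The sample datagrams are constructed for the example, the "worm-like" payload is a synthetic stand-in (SSRP opcode 0x04 plus filler) rather than real worm code, and the size and fan-out thresholds are assumptions to tune for your own network.

```python
"""Heuristic detector for SQL Slammer-style UDP/1434 traffic (added example).

Two independent signals:
  1. payload shape: a legitimate SSRP instance lookup is opcode 0x04 plus a
     short instance name, so anything with opcode 0x04 and a payload of
     hundreds of bytes is an overflow attempt, not a lookup;
  2. fan-out: an infected host sends UDP/1434 to many distinct addresses in
     a short window, which no normal SQL client does.
"""
from collections import defaultdict
from dataclasses import dataclass

SSRP_PORT = 1434
SSRP_CLNT_UCAST_INST = 0x04      # SSRP "look up named instance" opcode
SSRP_CLNT_BCAST_EX = 0x02        # SSRP "enumerate all instances" opcode
MAX_LEGIT_SSRP_REQUEST = 64      # assumption: real lookups are a few dozen bytes
SCAN_THRESHOLD = 20              # assumption: distinct destinations per source per window


@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    dport: int
    payload: bytes


def looks_like_slammer(payload: bytes) -> bool:
    """Oversized instance request: opcode 0x04 followed by far more data than
    any instance name needs. Payload length is the discriminator."""
    return (len(payload) > MAX_LEGIT_SSRP_REQUEST
            and payload[:1] == bytes([SSRP_CLNT_UCAST_INST]))


def analyse(datagrams):
    """Return (sources that sent worm-shaped payloads, sources that sprayed
    UDP/1434 at SCAN_THRESHOLD or more distinct destinations)."""
    payload_hits = set()
    fanout = defaultdict(set)
    for d in datagrams:
        if d.dport != SSRP_PORT:
            continue                      # only SSRP traffic matters here
        fanout[d.src].add(d.dst)
        if looks_like_slammer(d.payload):
            payload_hits.add(d.src)
    scanners = {src for src, dsts in fanout.items() if len(dsts) >= SCAN_THRESHOLD}
    return payload_hits, scanners


def perimeter_rules(external_iface: str):
    """iptables rules implementing the report's advice: drop UDP/1434 in both
    directions on the Internet-facing interface only, so SQL clients inside
    the site can still locate named instances. (Assumed interface name.)"""
    return [
        f"iptables -A INPUT   -i {external_iface} -p udp --dport {SSRP_PORT} -j DROP",
        f"iptables -A FORWARD -i {external_iface} -p udp --dport {SSRP_PORT} -j DROP",
        f"iptables -A OUTPUT  -o {external_iface} -p udp --dport {SSRP_PORT} -j DROP",
        f"iptables -A FORWARD -o {external_iface} -p udp --dport {SSRP_PORT} -j DROP",
    ]


def build_sample():
    """Constructed traffic window: two legitimate SSRP requests, one unrelated
    TCP-port-1433 datagram, and one host spraying a synthetic worm-like payload."""
    legit_lookup = Datagram("10.0.0.5", "10.0.0.20", SSRP_PORT, b"\x04SQLEXPRESS")
    legit_enum = Datagram("10.0.0.6", "10.0.0.255", SSRP_PORT, bytes([SSRP_CLNT_BCAST_EX]))
    unrelated = Datagram("10.0.0.7", "10.0.0.20", 1433, b"\x12\x01\x00\x2f")
    # synthetic stand-in, NOT the real worm: opcode 0x04 + 375 filler bytes = 376 bytes
    worm_like = b"\x04" + b"\x01" * 375
    infected = "192.0.2.77"
    spray = [Datagram(infected, f"198.51.100.{i}", SSRP_PORT, worm_like) for i in range(1, 41)]
    return [legit_lookup, legit_enum, unrelated] + spray


if __name__ == "__main__":
    hits, scanners = analyse(build_sample())
    print("worm-shaped payload from:", sorted(hits))
    print("scanning sources:", sorted(scanners))
    print("\n".join(perimeter_rules("eth0")))
```

Either signal alone would catch the sample; in practice the fan-out test is the one that keeps working if a variant changes its payload, while the payload test is the one that fires on the very first packet from a newly infected host.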

    A CERT Advisory said the worm has caused various levels of network
    degradation across the Internet. One news story reported that
    ATMs of Bank of America were impacted by the worm. According to the
    various reports, about 35,000 hosts had been infected as of Saturday.
    Incidents.Org reports 120,000 IP addresses infected by Sunday at 10 AM
    (EST).

    Incidents.org preliminary analysis of worm (includes a packet trace):
    http://isc.incidents.org/analysis.html?id=180

    Original Vulnerability Analysis by David Litchfield:
    http://www.nextgenss.com/advisories/mssql-udp.txt

    CERT Advisory:
    http://www.cert.org/advisories/CA-2003-04.html

    Microsoft Advisory:
    http://www.microsoft.com/security/slammer.asp

    Cisco Security Notice (Recommendations):
    http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml

    Cisco Security Advisory:
    http://www.cisco.com/warp/public/707/cisco-sa-20030126-ms02-061.shtml

    Microsoft Security Bulletin (originally posted July 24, 2002):
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp

    ===

    To change your subscription, address, or other information, visit
    http://www.sans.org/sansurl and enter your SD number or email address
    (from the headers.) You will receive your personal URL via email.

    Unsubscribing will take you off any news bulletin lists for NewsBites
    or Security Alert Consensus as well as any conference information
    notes.

    You may also email <sans@sans.org> with complete instructions and
    your SD number for subscribe, unsubscribe, change address, add other
    digests, or any other comments.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)

    iD8DBQE+NYaK+LUG5KFpTkYRAgW4AJ4s2IQdCzwkQfbBGXHAQM2uRlbNKACfedVl
    EpdcGHt+NUKJBID6YAIyWeg=
    =3Wwl
    -----END PGP SIGNATURE-----