Re: SQL-Slammer Worm

["Nuzman" <nuzman () shreve net>]

Andy,

There has been a significant amount of information on BugTraq, which is
another list hosted by securityfocus.com.

Also, don't slam Sybari too hard for not being completely aware over a
weekend of a worm that only strikes SQL. Sybari's products are only for
Exchange and Notes servers.

Nuzman

----- Original Message -----
From: "Talisker" <talisker () networkintrusion co uk>
To: <security-basics () securityfocus com>
Sent: Sunday, January 26, 2003 12:55 PM
Subject: SQL-Slammer Worm


> Hi
> I have seen very little regarding  Slammer on SF so I have roamed the AV
> sites looking at the various attempts to describe it.  I was a little
> surprised at the variety of descriptions, some of this I put down to it
> being a weekend.  The most disappointing was Sybari (what worm?)
>
> http://www.sophos.com/virusinfo/analyses/w32sqlslama.html Good Description
> but a little bland
> http://www.norman.com/virus_info/w32_sqlslammer_a.shtml Poor Description
> http://www.f-secure.com/v-descs/mssqlm.shtml Excellent Tech Detail
> ".... The worm code is 376 bytes in size which suggests that is was
written
> and hand optimized using the Assembly language....  ....Sapphire uses
> GetTickCount() function from the Win32 API to initialize it's random
number
> generator....  Sometimes the random generator returns numbers that are
> broadcast addresses (eg.: x.y.z.0 or x.y.z.255) causing all the hosts on
the
> particular network to receive the malicious packet. This makes the
spreading
> routine even more aggressive. ..  "
http://support.ikarus.at/cgi-bin/lexikon/lexikon.pl?language=german&action=n
> ame&value=I-Worm.SQLSlammer.A@mm good tech detail if you speak German
> http://vil.nai.com/vil/content/v_99992.htm Best detail (IMHO), good
graphic
> "..... The malformed packet is only 376 bytes long (which is the full
worm!)
> and carries the following strings: "h.dllhel32hkernQhounthickChGetTf",
> "hws2", "Qhsockf" and "toQhsend".....".
http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html
> great Detail especially for how to utilise other symantec products eg
> Manhunt "...... alert udp $EXTERNAL_NET any -> $HOME_NET 1434
> (msg:"W32.SQLEXP.Worm propagation"; content:"|68 2E 64 6C 6C 68 65 6C 33
32
> 68 6B 65 72 6E|"; content:"|04|"; offset:0; depth:1;)......"
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SQLP143
> 4.A Bland Detail
> http://www3.ca.com/solutions/collateral.asp?CT=27081&CID=39147 Another
Bland
> one, though links to their IDS signatures
>
> It's worth checking around the various sites to see which you prefer,
noting
> the URLs for the next time the S*** hits the fan.  I would recommend
having
> the "Emergency" alerts fed through to my mobile phone,  I was a little
> disappointed in Sophos outputting theirs at  1349 some 4 hours after other
> mailing lists were starting to twitch.  Having said that I still haven't
> seen some of the other alerts at all and the Sophos has been very much on
> the ball in the past ie Nimda.
>
> Take care
> -andy
>
> Taliskers Network Security Tools
> http://www.networkintrusion.co.uk