Security Basics mailing list archives
Re: SQL-Slammer Worm
From: "Nuzman" <nuzman () shreve net>
Date: Mon, 27 Jan 2003 13:26:38 -0600
Andy,

There has been a significant amount of information on BugTraq, which is another list hosted by securityfocus.com. Also, don't slam Sybari too hard for not being completely aware over a weekend of a worm that only strikes SQL. Sybari's products are only for Exchange and Notes servers.

Nuzman

----- Original Message -----
From: "Talisker" <talisker () networkintrusion co uk>
To: <security-basics () securityfocus com>
Sent: Sunday, January 26, 2003 12:55 PM
Subject: SQL-Slammer Worm
Hi

I have seen very little regarding Slammer on SF so I have roamed the AV sites looking at the various attempts to describe it. I was a little surprised at the variety of descriptions, some of this I put down to it being a weekend. The most disappointing was Sybari (what worm?)

http://www.sophos.com/virusinfo/analyses/w32sqlslama.html
Good Description but a little bland

http://www.norman.com/virus_info/w32_sqlslammer_a.shtml
Poor Description

http://www.f-secure.com/v-descs/mssqlm.shtml
Excellent Tech Detail
".... The worm code is 376 bytes in size which suggests that it was written and hand optimized using the Assembly language.... ....Sapphire uses GetTickCount() function from the Win32 API to initialize its random number generator.... Sometimes the random generator returns numbers that are broadcast addresses (eg.: x.y.z.0 or x.y.z.255) causing all the hosts on the particular network to receive the malicious packet. This makes the spreading routine even more aggressive. .. "

http://support.ikarus.at/cgi-bin/lexikon/lexikon.pl?language=german&action=name&value=I-Worm.SQLSlammer.A@mm
Good tech detail if you speak German

http://vil.nai.com/vil/content/v_99992.htm
Best detail (IMHO), good graphic
"..... The malformed packet is only 376 bytes long (which is the full worm!) and carries the following strings: "h.dllhel32hkernQhounthickChGetTf", "hws2", "Qhsockf" and "toQhsend".....".

http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html
Great Detail, especially for how to utilise other Symantec products, e.g. Manhunt
"...... alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"W32.SQLEXP.Worm propagation"; content:"|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|"; content:"|04|"; offset:0; depth:1;)......"

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SQLP1434.A
Bland Detail

http://www3.ca.com/solutions/collateral.asp?CT=27081&CID=39147
Another Bland one, though links to their IDS signatures

It's worth checking around the various sites to see which you prefer, noting the URLs for the next time the S*** hits the fan. I would recommend having the "Emergency" alerts fed through to my mobile phone; I was a little disappointed in Sophos outputting theirs at 1349, some 4 hours after other mailing lists were starting to twitch. Having said that, I still haven't seen some of the other alerts at all and Sophos has been very much on the ball in the past, i.e. Nimda.

Take care
-andy
Talisker's Network Security Tools
http://www.networkintrusion.co.uk
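As an added illustration (not code from the thread, nor Symantec's), here is a small Python matcher that applies the three clauses of the Manhunt/Snort rule quoted above (udp to 1434, the 15-byte content anywhere in the payload, and |04| as the first payload byte) to constructed packets; the Packet class, scan() helper and all sample payloads are my own assumptions, not captured traffic.

```python
"""Minimal matcher for the "W32.SQLEXP.Worm propagation" rule quoted above.

Mirrors the rule's three tests: UDP to port 1434, the content
"|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|" anywhere in the payload,
and "|04|" at offset 0 with depth 1 (i.e. the very first payload byte).
Every packet below is a constructed test vector, not the worm itself.
"""
from dataclasses import dataclass

RULE_MSG = "W32.SQLEXP.Worm propagation"
SLAMMER_PORT = 1434
# content:"|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|" -> "h.dllhel32hkern"
SLAMMER_CONTENT = bytes.fromhex("68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E")
# content:"|04|"; offset:0; depth:1 -> first payload byte must be 0x04
SLAMMER_FIRST_BYTE = 0x04


@dataclass
class Packet:          # assumed, decoded-packet shape used by this example
    proto: str         # "udp" or "tcp"
    dport: int
    payload: bytes


def matches_slammer_rule(pkt: Packet) -> bool:
    """Return True only when every clause of the rule is satisfied."""
    if pkt.proto != "udp" or pkt.dport != SLAMMER_PORT:
        return False
    if not pkt.payload or pkt.payload[0] != SLAMMER_FIRST_BYTE:
        return False
    return SLAMMER_CONTENT in pkt.payload


def scan(packets) -> list:
    """Run the rule over a packet list; one alert line per matching packet."""
    return [f"{RULE_MSG} (udp/{p.dport}, {len(p.payload)} bytes)"
            for p in packets if matches_slammer_rule(p)]


# Constructed vectors: a 376-byte Slammer-like payload (length taken from
# the descriptions quoted above), a benign-looking 1434/udp probe, the same
# content over TCP, and the content with a different first byte.
SLAMMER_LIKE = Packet("udp", 1434,
                      (b"\x04" + b"A" * 96 + SLAMMER_CONTENT).ljust(376, b"\x00"))
BENIGN_PROBE = Packet("udp", 1434, b"\x04MSSQLSERVER\x00")
TCP_COPY = Packet("tcp", 1434, SLAMMER_LIKE.payload)
WRONG_FIRST = Packet("udp", 1434, b"\x02" + SLAMMER_LIKE.payload[1:])
SAMPLE_PACKETS = [SLAMMER_LIKE, BENIGN_PROBE, TCP_COPY, WRONG_FIRST]

if __name__ == "__main__":
    for line in scan(SAMPLE_PACKETS):
        print(line)
```

Only the first vector fires; the other three show why the rule pairs the content match with the protocol, port and first-byte checks rather than relying on any one of them.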