Security Basics mailing list archives

SQL-Slammer Worm


From: "Talisker" <talisker () networkintrusion co uk>
Date: Sun, 26 Jan 2003 18:55:05 -0000

Hi
I have seen very little regarding Slammer on SF so I have roamed the AV
sites looking at the various attempts to describe it.  I was a little
surprised at the variety of descriptions, some of this I put down to it
being a weekend.  The most disappointing was Sybari (what worm?)

http://www.sophos.com/virusinfo/analyses/w32sqlslama.html Good Description
but a little bland
http://www.norman.com/virus_info/w32_sqlslammer_a.shtml Poor Description
http://www.f-secure.com/v-descs/mssqlm.shtml Excellent Tech Detail
".... The worm code is 376 bytes in size which suggests that it was written
and hand optimized using the Assembly language....  ....Sapphire uses
GetTickCount() function from the Win32 API to initialize its random number
generator....  Sometimes the random generator returns numbers that are
broadcast addresses (eg.: x.y.z.0 or x.y.z.255) causing all the hosts on the
particular network to receive the malicious packet. This makes the spreading
routine even more aggressive. ..  "
http://support.ikarus.at/cgi-bin/lexikon/lexikon.pl?language=german&action=name&value=I-Worm.SQLSlammer.A@mm good tech detail if you speak German
http://vil.nai.com/vil/content/v_99992.htm Best detail (IMHO), good graphic
"..... The malformed packet is only 376 bytes long (which is the full worm!)
and carries the following strings: "h.dllhel32hkernQhounthickChGetTf",
"hws2", "Qhsockf" and "toQhsend".....".
http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html
great Detail especially for how to utilise other symantec products eg
Manhunt "...... alert udp $EXTERNAL_NET any -> $HOME_NET 1434
(msg:"W32.SQLEXP.Worm propagation"; content:"|68 2E 64 6C 6C 68 65 6C 33 32
68 6B 65 72 6E|"; content:"|04|"; offset:0; depth:1;)......"
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SQLP1434.A Bland Detail
http://www3.ca.com/solutions/collateral.asp?CT=27081&CID=39147 Another Bland
one, though links to their IDS signatures

It's worth checking around the various sites to see which you prefer, noting
the URLs for the next time the S*** hits the fan.  I would recommend having
the "Emergency" alerts fed through to my mobile phone; I was a little
disappointed in Sophos outputting theirs at 1349 some 4 hours after other
mailing lists were starting to twitch.  Having said that I still haven't
seen some of the other alerts at all and the Sophos has been very much on
the ball in the past, i.e. Nimda.

Take care
-andy

Taliskers Network Security Tools
http://www.networkintrusion.co.uk
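The Manhunt/Snort-style rule quoted from the Symantec write-up above, applied as plain detection logic over constructed UDP traffic. This is an added example, not code from the post or from any of the vendors it links; the packet layout, names and sample payloads are assumptions built for the demonstration (no real worm bytes, only the strings the write-ups quote).

```python
from dataclasses import dataclass

# Conditions of the quoted rule, as constants:
#   alert udp $EXTERNAL_NET any -> $HOME_NET 1434
#   content:"|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|";
#   content:"|04|"; offset:0; depth:1;
SLAMMER_PORT = 1434
# The hex content decodes to the ASCII string "h.dllhel32hkern", the start of
# the first string quoted in the NAI description.
SLAMMER_CONTENT = bytes.fromhex("682E646C6C68656C3332686B65726E")
SLAMMER_FIRST_BYTE = b"\x04"   # offset:0; depth:1 -> must be the very first byte
SLAMMER_PAYLOAD_LEN = 376      # size reported by F-Secure and NAI

@dataclass
class UdpDatagram:              # assumed minimal capture record
    src: str
    dst: str
    dport: int
    payload: bytes

def matches_slammer_rule(pkt):
    """True only when every condition of the rule above holds."""
    if pkt.dport != SLAMMER_PORT:
        return False
    if pkt.payload[:1] != SLAMMER_FIRST_BYTE:   # depth:1 at offset:0
        return False
    return SLAMMER_CONTENT in pkt.payload

def triage(pkts):
    """Return (src, dport, length, is_376_bytes) for every packet that alerts.
    The length flag lets an analyst spot a hit whose size differs from the
    376 bytes the write-ups describe (a variant or a false positive)."""
    return [(p.src, p.dport, len(p.payload), len(p.payload) == SLAMMER_PAYLOAD_LEN)
            for p in pkts if matches_slammer_rule(p)]

# Constructed sample traffic: filler plus the strings quoted in the NAI
# description, padded to 376 bytes. Not the worm, just what the rule keys on.
_worm_like = (SLAMMER_FIRST_BYTE + b"\x01" * 96
              + b"h.dllhel32hkernQhounthickChGetTf" + b"hws2" + b"Qhsockf" + b"toQhsend")
_worm_like += b"\x00" * (SLAMMER_PAYLOAD_LEN - len(_worm_like))

SAMPLE_PACKETS = [
    UdpDatagram("10.0.0.5", "192.168.1.20", 1434, b"\x04" + b"MSSQLSERVER\x00"),  # 0x04 but no content: no alert
    UdpDatagram("10.0.0.9", "192.168.1.20", 1434, _worm_like),                  # alerts
    UdpDatagram("10.0.0.9", "192.168.1.20", 53,   _worm_like),                  # wrong port: no alert
    UdpDatagram("10.0.0.7", "192.168.1.20", 1434, b"\x02" + SLAMMER_CONTENT),   # wrong first byte: no alert
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_PACKETS):
        print("W32.SQLEXP.Worm propagation", hit)
```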

