Re: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

[Dave Aitel <dave () immunitysec com>]

Yes, the 150DaySQLwurm (my new name for it, since we all get to make up
names today) does affect MSDE. And there's no SP3 for MSDE, but I've
installed the latest wrap-up patch and the resolver patch and either one
seemed to do it. You have to be careful that you: 

1. Make sure SQL Server is not running while you copy over the files
that install the patch 

2. Copy of the files onto all the instances of SQL server you have
installed 

3. Reboot before restarting SQL Server

You should be careful (on both MSDE and SQL Server 2000) not to install
just the patch for the resolver overflow, since you will then still be
vulnerable to the Hello bug. Of course, if you're still vulnerable to
either, you are most definately already owned, and likely should
reinstall Windows to unload whatever kernel trojans are fighting over
your internal data.

If anyone writes a worm for the Hello bug, I hereby pre-name it the "Yo
G! What's up! SQL!" worm. 

Dave Aitel 
Immunity, Inc.


On Sat, 25 Jan 2003 13:56:36 -0500
"trent dilkie" <trent () dilkie com> wrote:

> Can anybody confirm that this worm is spreading on the Desktop Engine
> too?(MSDE)
>
> Thanks,
>    Trent.
>
> -----Original Message-----
> From: H D Moore [mailto:sflist () digitaloffense net] 
> Sent: Saturday, January 25, 2003 6:49 AM
> To: bugtraq () securityfocus com
> Subject: Re: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
>
>
> A worm which exploits a (new?) vulnerability in SQL Server is bringing
>  the
> core routers to a grinding halt. The speed of the propagation can be
> attributed to the attack method and simplicity of the code. The worm 
> sends a 376-byte UDP packet to port 1434 of each random target, each 
> vulnerable system will immediately start propagating itself. Since UDP
>  is
> connection-less, the worm is able to spread much more quickly than 
> those using your standard TCP-based attack vectors (no connect 
> timeouts).
>
> Some random screen shots, a copy of the worm as a perl script, and a
> disassembly (sorry, no comments) can be found online at:
>
> http://www.digitaloffense.net/worms/mssql_udp_worm/
>
> -HD
>
> On Saturday 25 January 2003 01:11, Michael Bacarella wrote:
> > I'm getting massive packet loss to various points on the globe. I am
> >
> > seeing a lot of these in my tcpdump output on each host.
> >
> > 02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m:  udp
> > 376 02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp:
> > 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0
> >
> > It looks like there's a worm affecting MS SQL Server which is 
> > pingflooding addresses at some random sequence.
> >
> > All admins with access to routers should block port 1434 (ms-sql-m)!
> >
> > Everyone running MS SQL Server shut it the hell down or make sure it
> >
> > can't access the internet proper!
> >
> > I make no guarantees that this information is correct, test it out
> > for yourself!
>
> -------------------------------------------------------