
Technical information on W32/SQLSlammer


25.01.2003 22:07 - Started by comedian
Had the servers been patched in time (SP3), it would not have happened.

Here is some technical information for administrators and other interested readers:

W32/SQLSlammer, as it's being called now, does not act like SQL-Spida,
and the mitigators to prevent SQL-Spida are not necessarily effective in
preventing SQLSlammer.

SQLSlammer is delivered entirely in the single connection, 367 bytes of
attack code. It appears to be entirely memory resident; in other words, it won't
drop anything. It does not appear to take advantage of weak passwords or
any stored procedures; it simply overflows the buffer and executes.
Also, SQL-Spida attacked 1433, whereas this attacks UDP1434.

If this attack is also employing the SQL Ping bounce described by David
Litchfield last July, then this could account for the amount of
bandwidth being consumed by this. Look in the NTBugtraq archives for
David's email.

There is some discussion occurring that ISPs are blocking this traffic,
so we should see recovery relatively quickly.

So far there have been no reports of SQL 7 or lower being affected.

More as it's available.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Delivery co-sponsored by TruSecure Corporation
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
TICSA - Anniversary Special - Limited Time

Become TICSA certified for just $221.25 US when you register before 3/31/03
with PROMO "TS0103" at www.2test.com. NO membership fees, certification
good for 2 years. Price for international delivery just $296.25 US, with
this offer. Offer cannot be combined with any other special and expires
3/31/03. Visit www.trusecure.com/ticsa for full details.

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

Some additional errata:

1. Make sure you read Eric Schultze's comments in his note earlier today
titled "worm related sql patches and mssecure.xml/hfnetchk". MS02-061 is
the latest patch you should apply to prevent the worm and not apply SQL
SP3. Also note his comments about using Microsoft's XML file; for now
use Shavlik's:

mbsacli.exe /hf -x https://xml.shavlik.com/mssecure.xml

2. Here is the summary data from my router, YMMV:

12:00am - 12:59am
206 attacks from 95 unique hosts, 2.17 attacks/host, .06 attacks/sec.

1:00am - 1:59am
198 attacks from 79 unique hosts, 2.51 attacks/host, .06 attacks/sec.

2:00am - 2:59am
80 attacks from 34 unique hosts, 2.35 attacks/host, .02 attacks/sec.

3:00am - 3:59am
77 attacks from 32 unique hosts, 2.41 attacks/host, .02 attacks/sec.

4:00am - 4:59am
63 attacks from 24 unique hosts, 2.63 attacks/host, .02 attacks/sec.

5:00am - 5:59am
1474 attacks from 918 unique hosts, 1.61 attacks/host, .41 attacks/sec.

6:00am - 6:59am
5118 attacks from 1655 unique hosts, 3.09 attacks/host, 1.42 attacks/sec.

7:00am - 7:59am
4822 attacks from 1521 unique hosts, 3.17 attacks/host, 1.34 attacks/sec.

8:00am - 8:59am
4179 attacks from 1234 unique hosts, 3.39 attacks/host, 1.16 attacks/sec.

9:00am - 9:59am
2690 attacks from 654 unique hosts, 4.11 attacks/host, .75 attacks/sec.

10:00am - 10:59am
1373 attacks from 405 unique hosts, 3.39 attacks/host, .38 attacks/sec.

11:00am - 11:59am
353 attacks from 159 unique hosts, 2.22 attacks/host, .10 attacks/sec.

Cheers,
Russ - Surgeon General of TruSecure Corporation

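The hourly router summary in the NTBugtraq email above (attacks, unique hosts, attacks/host, attacks/sec) can be reproduced from an ordinary firewall log with a short parser. The script below is an added example and is not part of the original post or of the NTBugtraq email; the log line format and the sample lines are constructed, and the script counts only UDP datagrams to port 1434, the port the worm uses, so TCP/1433 traffic (the SQL-Spida vector) and unrelated UDP traffic are not counted.

```python
"""Summarise UDP/1434 hits from firewall log lines per hour, in the style of
the router summary in the post above.  Added example: the log format is a
hypothetical one and the sample lines are constructed."""
import re
from collections import defaultdict

# Constructed sample log lines (hypothetical format, not from any real device):
# "<YYYY-MM-DD> <HH:MM:SS> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2003-01-25 05:03:12 DENY UDP 198.51.100.7:1051 -> 192.0.2.10:1434
2003-01-25 05:03:14 DENY UDP 198.51.100.7:1051 -> 192.0.2.11:1434
2003-01-25 05:17:40 DENY UDP 203.0.113.22:4207 -> 192.0.2.10:1434
2003-01-25 05:41:09 DENY UDP 203.0.113.22:4207 -> 192.0.2.12:1434
2003-01-25 05:42:00 DENY TCP 203.0.113.22:4210 -> 192.0.2.10:1433
2003-01-25 05:50:31 ALLOW UDP 192.0.2.50:53 -> 192.0.2.10:53
2003-01-25 06:02:58 DENY UDP 198.51.100.7:1051 -> 192.0.2.10:1434
2003-01-25 06:10:05 DENY UDP 203.0.113.99:3333 -> 192.0.2.10:1434
2003-01-25 06:55:47 DENY UDP 198.51.100.200:2020 -> 192.0.2.13:1434
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<hour>\d{2}):\d{2}:\d{2} "
    r"(?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SLAMMER_PORT = 1434  # the worm arrives in a single UDP datagram to port 1434


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["hour"] = int(rec["hour"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_slammer_probe(rec):
    """Count UDP to 1434 only; TCP/1433 (the SQL-Spida vector) is ignored."""
    return rec["proto"] == "UDP" and rec["dport"] == SLAMMER_PORT


def hour_label(hour):
    """Render an hour the way the post does, e.g. 5 -> '5:00am - 5:59am'."""
    h12 = hour % 12 or 12
    suffix = "am" if hour < 12 else "pm"
    return f"{h12}:00{suffix} - {h12}:59{suffix}"


def hourly_summary(log_text):
    """Return [(hour, attacks, unique_hosts, attacks_per_host, attacks_per_sec)]
    sorted by hour; rates are per full 3600-second hour, rounded to 2 decimals."""
    attacks = defaultdict(int)
    hosts = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_slammer_probe(rec):
            continue
        attacks[rec["hour"]] += 1
        hosts[rec["hour"]].add(rec["src"])
    return [
        (h, attacks[h], len(hosts[h]),
         round(attacks[h] / len(hosts[h]), 2),
         round(attacks[h] / 3600, 2))
        for h in sorted(attacks)
    ]


def report(log_text):
    """Plain-text report in the style of the router summary above."""
    out = []
    for h, n, u, per_host, per_sec in hourly_summary(log_text):
        out.append(hour_label(h))
        out.append(f"{n} attacks from {u} unique hosts, "
                   f"{per_host:.2f} attacks/host, {per_sec:.2f} attacks/sec.")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Feed it a real log by replacing SAMPLE_LOG with the file contents and adjusting LINE_RE to the device's format; the unique-host count is what distinguishes a handful of noisy sources from the wide spread the email's 5:00am row shows.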
[1] ghana replies to comedian
26.01.2003 09:33
Under 'Some additional errata', point 1 says that the cumulative patch MS02-061 should be installed instead of SQL Server SP3. That is utter nonsense, because patch MS02-061 was released on 16.10.2002 and is part of SQL Server SP3, which was released on 17.01.2003.

A German-language description of the worm is available at http://www.antivirus-portal.de under 'Vireninfos' - 'Virenbeschreibungen' - 'W32/SQL.Exp'.
[1.1] comedian replies to ghana
26.01.2003 10:23
User ghana wrote:
Under 'Some additional errata', point 1 says that the cumulative patch MS02-061 should be installed instead of SQL Server SP3. That is utter nonsense, because patch MS02-061 was released on 16.10.2002 and is part of SQL Server SP3, which was released on 17.01.2003.

A German-language description of the worm is available at http://www.antivirus-portal.de under 'Vireninfos' - 'Virenbeschreibungen' - 'W32/SQL.Exp'.

Correct. I had already wondered about that myself. But mistakes happen at NTBugTraq too.

MS now has detailed information out:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/slammer.asp

Regards
Comedian
[1.1.1] comedian replies to comedian
26.01.2003 16:36
A few additions:

All products based on MSDE are affected by W32/SQLSlammer. Here is a list:

Microsoft Visio 2000
Microsoft Project
McAfee Centralized Virus Admin
FlipFactory
Lyris Listserver
Visual Studio .NET
ASP.NET Web Matrix Tool
Office XP Developer Edition
MSDN Universal and Enterprise Edition

Regards
Comedian