News

SQL Slammer Hits Web Hard

• By Scott Bekker
• January 27, 2003

The memory-resident worm, also known as Sapphire and SQL Hell, caused denial of service conditions on some machines, while slowing the Internet generally, especially in the United States and South Korea.

The attack started around 12:30 a.m. EST Saturday and in less than 15 minutes, more than 6,000 source systems were sending out more than 8,000 packets per minute, according to the SANS Internet Storm Center. Internet Service Providers responded quickly by closing access to Port 1434. "Single ms-sql servers have been reported to generate traffic in excess of 50 MBit/sec. after being infected," the Internet Storm Center reported.

The worm took advantage of vulnerabilities in the SQL Server Resolution Service, fixed on July 24, 2002, in a patch distributed with Microsoft Security Bulletin MS02-039. (Microsoft, however, recommended that users update their systems with Microsoft Security Bulletin MS02-061, released in October, because the more recent patch is a cumulative patch that includes the fixes in MS02-039 and other critical fixes). Users who have installed SQL Server 2000 Service Pack 3, released Jan. 17, are also protected.

The Resolution Service helps a server manage multiple instances of a SQL Server running on the same system. Multiple instances were a new feature of SQL Server 2000, which is why the Slammer worm doesn't affect SQL Server 7.0.

The vulnerabilities also affect the Microsoft Desktop Engine 2000 (MSDE 2000), which is installed as part of Visual Studio .NET, some versions of Office XP, Access 2002, Visual FoxPro 7.0 and 8.0 and some other products.

SQL Server normally listens on port 1433. However, when there are multiple instances of the database, they can't all share the port. The Resolution Service listens on port 1434, and directs traffic to the appropriate SQL Server instance. It also handles "keep alive" messages between active and passive instances of a database.

The worm exploited vulnerabilities discovered and reported to Microsoft by Next Generation Security Systems' David Litchfield and fixed in MS02-039. Two buffer overruns vulnerabilities in the Resolution Service can allow an attacker to overwrite portions of system memory and run code in the security context of the SQL Server service. A third problem with the Resolution Service makes it possible for an attacker to send a "keep alive" packet to the Resolution Service that will cause SQL Server 2000 to respond with the same information, creating a packet storm that effectively disables the server.

The worm sends itself as a 376-byte message to Port 1434 and overwrites the memory of vulnerable SQL Server 2000 systems. Once a machine is infected, the code delivered in the worm continuously sends copies of the worm to randomly generated IP addresses, attempting to link up with hosts that are running the Resolution Service.

While the continuous loop executed by SQL Slammer effectively acts as a denial of service attack against the infected machine, there are other dangers to leaving machines unpatched, according to security researchers at Sophos.

"Packets will be observed flowing freely from your SQL server to port 1434 on a wide range of randomly-generated IP addresses. This advertises that your server has already been compromised," Sophos warns. "Now, consider that the [SQL Slammer] worm is almost certainly derived from a very similar exploit published and documented by a Chinese hacking group. This exploit breaks into your SQL Server, starts a command prompt, and gives control over this command prompt to the remote attacker. Anyone who notices that your server is infected can easily and immediately get complete control over it."

Criminal investigators worldwide are working on finding the author of the virus, but the extremely compact size of the code and the lack of a copyright or identifying information make the job more difficult than usual.