Hewlett-Packard has released a security advisory and updated packages to correct the vulnerabilities exploited by W32/SQLSlammer.worm in affected HP products.
Description
W32/SQLSlammer.worm is a worm that is propagating widely across the Internet. It exploits a known vulnerability in Microsoft SQL Server 2000. The worm does not carry a malicious payload, but it does create a large amount of network traffic that could cause a denial of service (DoS) condition, not only in the victim SQL server but also in the network hosting the server.
One characteristic of this worm that is especially noteworthy is that it is memory-resident. The positive aspect of this characteristic is that a user of an infected system can remove the worm simply by rebooting the server. However, a system can easily become reinfected if not patched. The negative aspect is that many antivirus applications fail to detect memory-resident malicious code. As a result, some vendors probably will not issue updates to detect this worm.
The vulnerability is in the SQL Server Resolution Service. An attacker can send a malformed packet to the SQL Server to cause a stack overflow or a DoS condition. Detailed information concerning these vulnerabilities and the patch is available in IntelliShield Alert 4256.
Some sources indicated that the worm could experience a surge in activity during the morning of Monday, January 27, 2003. Increased computer and network activity associated with the beginning of the work week could create conditions favorable to a new outbreak. However, most of the activity will be generated by workstations, not servers. Administrators should review contingency plans in case another large-scale outbreak does occur.
Virus definition updates are unavailable, but workarounds, safeguards and scanning utilities are available to prevent an exploit and restore a system.
Warning Indicators
Unpatched systems running SQL Server 2000 prior to Service Pack 3 and the Microsoft Desktop Engine (MSDE) 2000 are vulnerable.
The worm may start the process sqlservr, which could consume 100 percent of CPU resources.
IntelliShield Analysis
This worm is memory-resident and does not create any files or make registry modifications on the infected system. The worm is designed to propagate among SQL servers. It is spreading quickly and has significantly affected the network through its propagation method. Administrators are advised to install the patch provided in IntelliShield Alert 4256 and reboot the SQL Server.
The vulnerability the W32.SQLSlammer.worm exploits also affects Microsoft Desktop Engine (MSDE) 2000. There have been no reports that systems running MSDE 2000 have been exploited by the worm, but the worm may be able to infect these systems. In addition, there are several applications that may silently install Microsoft SQL Server or MSDE 2000. Users can determine if they are running SQL Server or MSDE by looking for an icon in the System Tray that looks like a computer with a white circle and a green "Play" button on it.
A reference to the Chinese hacker group Honker in the code of the worm has led to speculation that the Chinese group is responsible for W32.SQLSlammer.worm. The worm reportedly started its propagation routine in Hong Kong and quickly spread to South Korea, lending some credibility to the speculation.
W32/SQLSlammer.worm does not contain a destructive payload, but it does have an aggressive propagation routine that can significantly impact network performance.
Technical Information
The worm exploits a known vulnerability in the Microsoft SQL Server 2000 Server Resolution service. SQL servers running with Service Pack 2 and prior are vulnerable; the vulnerability was corrected in Service Pack 3.
The worm loads the files kernel32.dll and ws2_32.dll and uses the Windows API function GetTickCount to generate random target IP addresses. The worm sends itself to those addresses. It also sends multicast packets, so that a single send reaches all 254 addresses on a subnet. This allows the worm to spread very quickly. This technique does not produce any bias towards local networks, which might otherwise help to contain the propagation of the worm. The packets contain the following strings:
The worm exists only in the memory of the infected machine, and it can be removed by rebooting the machine.
Microsoft has released a number of patches to correct SQL Server vulnerabilities. The sequence in which these patches have been installed is important to determine which patch to install next. If administrators have not installed any of the patches, they are advised to install the latest cumulative patch found in MS02-061. Customers who have applied only the cumulative patch released in the original MS02-061 should apply the supplementary patch issued in Microsoft Knowledge Base article 317748. Administrators who have installed the original cumulative patch and the supplementary patch on their systems are fully patched and do not need to take further action.
Safeguards
Administrators are encouraged to install the available Microsoft patches or SQL Server 2000 Service Pack 3.
Blocking packets on port 1434 can limit propagation; however, completely blocking the ports may prevent the system from functioning properly if the ports are needed to send or receive information. Support issues could occur because port 1434 provides name resolution for the SQL server.
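The two observations above, random target selection with no local bias (Technical Information) and the fact that port 1434 also carries legitimate SQL Server name resolution (Safeguards), suggest a detection approach that does not require a blanket block: flag hosts that send UDP/1434 to many distinct destinations in a short window, and separately list UDP/1434 traffic that is not destined for a known SQL server. The following script is an added example, not part of the original alert or any vendor tool; the flow-record layout, the allow-list of SQL servers, the internal address range and the sample records are all constructed for illustration.

```python
"""Flag Slammer-style UDP/1434 scanning in flow records.

Added example. The record layout (timestamp, protocol, src_ip, src_port,
dst_ip, dst_port, bytes), the allow-list and the sample flows are all
constructed assumptions, not data from the advisory.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SQL_RESOLUTION_PORT = 1434  # SQL Server Resolution Service (UDP)

# Assumed allow-list of hosts that legitimately receive UDP/1434; the advisory
# notes that the port provides SQL Server name resolution, so blanket
# blocking can break clients that depend on it.
KNOWN_SQL_SERVERS = {ip_address("10.0.5.10")}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed sample flows: one ordinary client lookup of the known server,
# then a host spraying UDP/1434 at unrelated addresses, internal and external,
# which is the random-target behaviour the advisory describes.
SAMPLE_FLOWS = """\
1043532000 UDP 10.0.7.22 3210 10.0.5.10 1434 40
1043532001 UDP 10.0.9.5 1032 203.0.113.7 1434 376
1043532001 UDP 10.0.9.5 1032 198.51.100.44 1434 376
1043532001 UDP 10.0.9.5 1032 192.0.2.19 1434 376
1043532002 UDP 10.0.9.5 1032 10.0.5.10 1434 376
1043532002 UDP 10.0.9.5 1032 172.16.8.200 1434 376
1043532002 TCP 10.0.7.22 3211 10.0.5.10 1433 120
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts (blank lines skipped)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, sip, sport, dip, dport, nbytes = line.split()
        flows.append({"ts": int(ts), "proto": proto, "src": ip_address(sip),
                      "sport": int(sport), "dst": ip_address(dip),
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def slammer_indicators(flows, fanout_threshold=4, window=5):
    """Return {src_ip_str: [finding, ...]} for sources with UDP/1434 anomalies.

    Indicator 1: a source reaching >= fanout_threshold distinct UDP/1434
    destinations within `window` seconds (random scanning, no local bias).
    Indicator 2: UDP/1434 sent to any host not on the SQL server allow-list,
    which is the traffic a port-1434 filter could drop without breaking
    legitimate name resolution.
    """
    by_src = defaultdict(list)
    for f in flows:
        if f["proto"] == "UDP" and f["dport"] == SQL_RESOLUTION_PORT:
            by_src[f["src"]].append(f)

    findings = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f["ts"])
        notes = []
        # Sliding window anchored at each flow: count distinct destinations
        # seen within `window` seconds of it.
        for i, f in enumerate(fl):
            dsts = {g["dst"] for g in fl[i:] if g["ts"] - f["ts"] <= window}
            if len(dsts) >= fanout_threshold:
                external = sum(1 for d in dsts
                               if not any(d in n for n in INTERNAL_NETS))
                notes.append(f"fan-out: {len(dsts)} distinct UDP/1434 targets "
                             f"in {window}s ({external} external)")
                break
        unknown = sorted({str(f["dst"]) for f in fl
                          if f["dst"] not in KNOWN_SQL_SERVERS})
        if unknown:
            notes.append("UDP/1434 to non-SQL hosts: " + ", ".join(unknown))
        if notes:
            findings[str(src)] = notes
    return findings


if __name__ == "__main__":
    for src, notes in slammer_indicators(parse_flows(SAMPLE_FLOWS)).items():
        print(src)
        for note in notes:
            print("   ", note)
```

Run against the constructed sample, only 10.0.9.5 is reported: it reaches five distinct UDP/1434 destinations within the window (four of them outside the internal range) and sends to four hosts that are not known SQL servers, while the ordinary client 10.0.7.22 produces no finding. The threshold and window are tuning knobs; in a real deployment the allow-list would come from inventory rather than a literal.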
Patches/Software
The Aladdin Virus Alert for Win32.SQLSlammer is available at the following link: Virus Alert
The AVG Virus Description for W32/SQLSlammer is available at the following link: Virus Description
The AVP Virus Alert for Worm.SQL.Helkern is available at the following link: Virus Alert
The Central Command Virus Answer for W32/SQL.Slammer is available at the following link: Virus Answer
The Computer Associates Virus Threat and cleaning utility for Win32/SQLSlammer.Worm are available at the following link: Computer Associates
The F-Secure Virus Description for Slammer is available at the following link: Virus Description
The Hauri Virus Description for Worm.SQL.Slammer is available at the following link: Virus Description
Hewlett-Packard has released a security advisory for registered users at the following link: HPSBGN0302. Hewlett-Packard recommends installing the latest Microsoft SQL Server 2000 Service Pack 3 to prevent an attack.
The McAfee Virus Description for W32/SQLSlammer.worm is available at the following link: Virus Description. The cleaning utility, stinger.exe, from McAfee to detect and clean W32/SQLSlammer.worm and other worms is available at the following link: Stinger.exe
The Panda Software Virus Description for SQLSlammer is available at the following link: Virus Description
The RAV Virus Description for Win32/SQLSlammer.worm is available at the following link: Virus Description
The Sophos Virus Analysis for W32/SQLSlam-A is available at the following link: Virus Analysis
The Symantec Security Response for W32.SQLExp.Worm is available at the following link: Security Response. The Symantec removal tool for W32.SQLExp.Worm is available at the following link: W32.SQLExp.Worm Removal Tool
The Trend Micro Virus Advisory for WORM_SQLP1434.A is available at the following link: Virus Advisory. The Trend Micro System Cleaner (TSC), as well as updated definitions for the cleaner, can be downloaded at the following link: TSC
Microsoft has released two patches that correct the vulnerability exploited by the worm. The first is MS02-039, released July 24, 2002. The second patch, MS02-061 (released October 16, 2002), supersedes the MS02-039 patch. Microsoft has re-released MS02-061. The patch now incorporates a patch released in Microsoft Knowledge Base article 317748, which corrects an operational issue with the original patch. The new cumulative patch also includes an installer that automatically copies SQL Server files onto the system; the previous patch required the administrator to copy these files manually. The vulnerability is also corrected in SQL Server 2000 Service Pack 3, which is available at the following direct-download link: SQL Server 2000 SP3. Microsoft has also released an alert concerning the worm at the following link: Microsoft PSS Alert
Cisco has released mitigation recommendations for the worm at the following link: Cisco
Signatures
Cisco Systems Cisco Intrusion Prevention System (IPS) 5.1
Version 6, January 28, 2003, 10:00 AM: Additional virus definitions and cleaning tools have been released for W32/SQLSlammer.worm.
Version 5, January 27, 2003, 12:07 PM: Additional information and safeguards have been released for W32/SQLSlammer.worm.
Version 4, January 26, 2003, 8:27 PM: Sources have indicated that W32/SQLSlammer.worm could experience a surge in activity on the morning of Monday, January 27, 2003. Administrators are encouraged to review contingency plans in case the activity surge does take place.
Version 3, January 26, 2003, 11:32 AM: Microsoft has re-released Security Bulletin MS02-061 to include an updated version of the cumulative security patch for SQL Server. The newly released cumulative patch includes a supplemental patch released in Microsoft Knowledge Base article 317748, which corrects an issue with the original cumulative patch that could cause SQL Server to malfunction.
Version 2, January 25, 2003, 12:20 PM: W32/SQLSlammer.worm exploits a known vulnerability in MS SQL Server 2000 and is spreading quickly. The worm is memory-resident and cannot be detected by many antivirus products; however, the worm can be removed by rebooting the infected system.
Version 1, January 25, 2003, 10:53 AM: W32/SQLSlammer.worm exploits a known vulnerability in MS SQL Server 2000 and is spreading quickly. The worm is memory-resident and cannot be detected by many antivirus products; however, the worm can be removed by rebooting the infected system.
The security vulnerability applies to the following combinations of products (vendor, product, affected versions).
Primary Products:
IntelliShield: Malicious Code Alert, Original Release Base
Microsoft, Inc.: Microsoft SQL Server Desktop Engine (MSDE), 2000 Base
Microsoft, Inc.: SQL Server, 2000 Base, SP1, SP2
Associated Products:
HP: HP Systems Insight Manager (SIM), Original Release Base
HP: OpenView Operations, Original Release Base
HP: SANworks, Original Release Base
LEGAL DISCLAIMER The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.