Malicious Code Alert

Worm: W32/SQLSlammer.worm

 
Threat Type: IntelliShield: Malicious Code Alert
IntelliShield ID: 5358
Version: 7
First Published: 2003 January 25 15:53 GMT
Last Published: 2003 February 12 17:38 GMT
Port: 1434
Urgency: Incidents Reported
Credibility: Confirmed
Severity: Mild Damage
 
Version Summary:

Hewlett-Packard has released a security advisory and updated packages to correct the vulnerabilities exploited by W32/SQLSlammer.worm in affected HP products.

 
Aliases/Variants

Aliases of W32/SQLSlammer.worm include Sapphire (F-Secure), Slammer (F-Secure), New SQL Worm (F-Secure), Worm.SQL.Helkern (F-Secure, AVP), Win32/SQLSlammer.Worm (Computer Associates), WORM_SQLP1434.A (Trend Micro), DDOS_SQLP1434.A (Trend Micro), W32.SQLExp.Worm (Symantec), W32/SQL.Slammer (Central Command), SQL.Slammer (Central Command), Worm.SQL.Slammer (Hauri), W32/SQLSlammer (AVG), Win32.SQLSlammer (Aladdin), SQLSlammer (Panda Software) and W32/SQLSlam-A (Sophos).

Virus Name: None
 

Description
 

W32/SQLSlammer.worm is a worm that is propagating widely across the Internet. It exploits a known vulnerability in Microsoft SQL Server 2000. The worm does not carry a malicious payload, but it does create a large amount of network traffic that could cause a denial of service (DoS) condition, not only in the victim SQL server but also in the network hosting the server.

One characteristic of this worm that is especially noteworthy is that it is memory-resident. The positive aspect of this characteristic is that a user of an infected system can remove the worm simply by rebooting the server. However, a system can easily become reinfected if not patched. The negative aspect is that many antivirus applications fail to detect memory-resident malicious code. As a result, some vendors probably will not issue updates to detect this worm.

The vulnerability is in the SQL Server Resolution Service. An attacker can send a malformed packet to the SQL Server to cause a stack overflow or a DoS condition. Detailed information concerning these vulnerabilities and the patch are available in IntelliShield Alert 4256.

Some sources indicated that the worm could experience a surge in activity during the morning of Monday, January 27, 2003. Increased computer and network activity associated with the beginning of the work week could create conditions favorable to a new outbreak. However, most of the activity will be generated by workstations, not servers. Administrators should review contingency plans in case another large-scale outbreak does occur.

Virus definition updates are unavailable, but workarounds, safeguards and scanning utilities are available to prevent an exploit and restore a system.


Impact
 
W32/SQLSlammer.worm does not contain a destructive payload, but it does have an aggressive propagation routine that can significantly impact network performance.

Warning Indicators
 

Unpatched systems running SQL Server 2000 prior to Service Pack 3 and the Microsoft Desktop Engine (MSDE) 2000 are vulnerable.

The worm may start the process sqlservr, which could consume 100 percent of CPU resources.


Technical Information
 

The worm exploits a known vulnerability in the Microsoft SQL Server 2000 Server Resolution service. SQL servers running with Service Pack 2 and prior are vulnerable; the vulnerability was corrected in Service Pack 3.

The worm loads the files kernel32.dll and ws2_32.dll and uses the Windows API function GetTickCount to generate random target IP addresses. The worm sends itself to those addresses. It sends multicast packets, which causes all 254 addresses on a subnet to receive only one send command. This allows the worm to spread very quickly. This technique does not produce any bias towards local networks, which might otherwise help to contain the propagation of the worm. The packets contain the following strings:

h.dllhel32hkernQhounthickChGetTf
hws2
Qhsockf
toQhsend
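As an added example (not part of the alert), the following Python script turns the two indicators this alert gives, a single source fanning UDP/1434 traffic out to pseudo-random targets and the strings listed above, into detection checks run over constructed firewall log lines and a constructed payload. The log format, host addresses and the fan-out threshold are assumptions.

```python
import re
from collections import defaultdict

# Strings the alert says appear in the worm's UDP/1434 packets.
SLAMMER_STRINGS = (b"h.dllhel32hkernQhounthickChGetTf", b"hws2", b"Qhsockf", b"toQhsend")

# Constructed sample firewall log lines (not a real capture): one host sprays
# UDP/1434 at many unrelated destinations, another does two legitimate lookups.
SAMPLE_LOG = [
    f"2003-01-25T05:31:{i:02d}Z src=10.0.0.7 dst=198.51.100.{i} proto=udp dport=1434"
    for i in range(1, 31)
] + [
    "2003-01-25T05:31:05Z src=10.0.0.9 dst=10.0.0.50 proto=udp dport=1434",
    "2003-01-25T05:31:06Z src=10.0.0.9 dst=10.0.0.50 proto=udp dport=1434",
    "2003-01-25T05:31:07Z src=10.0.0.9 dst=10.0.0.51 proto=tcp dport=1433",
]

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")

def distinct_udp1434_targets(lines):
    """Map each source host to the set of distinct destinations it hit on UDP/1434."""
    targets = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group(3) == "udp" and m.group(4) == "1434":
            targets[m.group(1)].add(m.group(2))
    return targets

def suspected_infected(lines, threshold=10):
    """Hosts that reached at least `threshold` distinct UDP/1434 destinations.
    The worm picks targets pseudo-randomly, so one source fanning out to many
    unrelated addresses is the propagation pattern the alert describes."""
    return sorted(src for src, dsts in distinct_udp1434_targets(lines).items()
                  if len(dsts) >= threshold)

def payload_is_slammer(datagram: bytes) -> bool:
    """True when a UDP payload carries every string the alert lists."""
    return all(s in datagram for s in SLAMMER_STRINGS)

if __name__ == "__main__":
    print("suspected infected hosts:", suspected_infected(SAMPLE_LOG))
    # Constructed payload that contains the listed strings (not the worm's bytes).
    sample = b"CONSTRUCTED-FILLER" + b"".join(SLAMMER_STRINGS)
    print("payload match:", payload_is_slammer(sample))
```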

The worm exists only in the memory of the infected machine, and it can be removed by rebooting the machine.

Microsoft has released a number of patches to correct SQL Server vulnerabilities. The sequence in which these patches have been installed is important to determine which patch to install next. If administrators have not installed any of the patches, they are advised to install the latest cumulative patch found in MS02-061. Customers who have applied only the cumulative patch released in the original MS02-061 should apply the supplementary patch issued in Microsoft Knowledge Base article 317748. Administrators who have installed the original cumulative patch and the supplementary patch on their systems are fully patched and do not need to take further action.


IntelliShield Analysis
 

This worm is memory-resident and does not create any files or make registry modifications to the infected system. The design of this worm is to propagate across SQL servers. This worm is spreading quickly and has significantly affected network performance through its propagation method. Administrators are advised to install the patch provided in IntelliShield Alert 4256 and reboot the SQL Server.

The vulnerability the W32.SQLSlammer.worm exploits also affects Microsoft Desktop Engine (MSDE) 2000. There have been no reports that systems running MSDE 2000 have been exploited by the worm, but the worm may be able to infect these systems. In addition, there are several applications that may silently install Microsoft SQL Server or MSDE 2000. Users can determine if they are running SQL Server or MSDE by looking for an icon in the System Tray that looks like a computer with a white circle and a green "Play" button on it.

A reference to the Chinese hacker group Honker in the code of the worm has led to speculation that the Chinese group is responsible for W32.SQLSlammer.worm. The worm reportedly started its propagation routine in Hong Kong and quickly spread to South Korea, lending some credibility to the speculation.


Safeguards
 

Administrators are encouraged to install the available Microsoft patches or SQL Server 2000 Service Pack 3.

Blocking packets on port 1434 can limit propagation; however, completely blocking the ports may prevent the system from functioning properly if the ports are needed to send or receive information. Support issues could occur because port 1434 provides name resolution for the SQL server.


Patches/Software
 

The Aladdin Virus Alert for Win32.SQLSlammer is available at the following link: Virus Alert

The AVG Virus Description for W32/SQLSlammer is available at the following link: Virus Description

The AVP Virus Alert for Worm.SQL.Helkern is available at the following link: Virus Alert

The Central Command Virus Answer for W32/SQL.Slammer is available at the following link: Virus Answer

The Computer Associates Virus Threat and cleaning utility for Win32/SQLSlammer.Worm are available at the following link: Computer Associates

The F-Secure Virus Description for Slammer is available at the following link: Virus Description

The Hauri Virus Description for Worm.SQL.Slammer is available at the following link: Virus Description

Hewlett-Packard has released a security advisory for registered users at the following link: HPSBGN0302. Hewlett-Packard recommends installing the latest Microsoft SQL Server 2000 Service Pack 3 to prevent an attack.

The McAfee Virus Description for W32/SQLSlammer.worm is available at the following link: Virus Description. The cleaning utility, stinger.exe, from McAfee to detect and clean W32/SQLSlammer.worm and other worms is available at the following link: Stinger.exe

The Panda Software Virus Description for SQLSlammer is available at the following link: Virus Description

The RAV Virus Description for Win32/SQLSlammer.worm is available at the following link: Virus Description

The Sophos Virus Analysis for W32/SQLSlam-A is available at the following link: Virus Analysis

The Symantec Security Response for W32.SQLExp.Worm is available at the following link: Security Response. The Symantec removal tool for W32.SQLExp.Worm is available at the following link: W32.SQLExp.Worm Removal Tool

The Trend Micro Virus Advisory for WORM_SQLP1434.A is available at the following link: Virus Advisory. The Trend Micro System Cleaner (TSC), as well as updated definitions for the cleaner, can be downloaded at the following link: TSC

Microsoft has released two patches that correct the vulnerability exploited by the worm. The first is MS02-039, released July 24, 2002. The second patch, MS02-061 (released October 16, 2002), supersedes the MS02-039 patch. Microsoft has re-released MS02-061. The patch now incorporates a patch released in Microsoft Knowledge Base article 317748. This patch corrects an operational issue with the original patch. The new cumulative patch also includes an installer that automatically copies SQL Server files onto the system. The previous patch required the administrator to copy these files manually. The vulnerability is also corrected in SQL Server 2000 Service Pack 3, which is available at the following direct-download link: SQL Server 2000 SP3. Microsoft has also released an alert concerning the worm at the following link: Microsoft PSS Alert

Cisco has released mitigation recommendations for the worm at the following link: Cisco


Signatures
 
Cisco Intrusion Prevention System (IPS) 5.1

Signature ID   Signature Name                              Release   Latest Release Date
4701/0         MSSQL Resolution Service Stack Overflow     S161      2005 May 02

Cisco Intrusion Prevention System (IPS) 6.0

Signature ID   Signature Name                              Release   Latest Release Date
4701/0         MSSQL Resolution Service Stack Overflow     S161      2005 May 02
4703/0         MSSQL Resolution Service Stack Overflow     S509      2010 Aug 23
 
Alert History
 

Version 6, January 28, 2003, 10:00 AM: Additional virus definitions and cleaning tools have been released for W32/SQLSlammer.worm.

Version 5, January 27, 2003, 12:07 PM: Additional information and safeguards have been released for W32/SQLSlammer.worm.

Version 4, January 26, 2003, 8:27 PM: Sources have indicated that W32/SQLSlammer.worm could experience a surge in activity on the morning of Monday, January 27, 2003. Administrators are encouraged to review contingency plans in case the activity surge does take place.

Version 3, January 26, 2003, 11:32 AM: Microsoft has re-released Security Bulletin MS02-061 to include an updated version of the cumulative security patch for SQL Server. The newly released cumulative patch includes a supplemental patch released in Microsoft Knowledge Base article 317748, which corrects an issue with the original cumulative patch that could cause SQL Server to malfunction.

Version 2, January 25, 2003, 12:20 PM: W32/SQLSlammer.worm exploits a known vulnerability in MS SQL Server 2000 and is spreading quickly. The worm is memory-resident and cannot be detected by many antivirus products; however, the worm can be removed by rebooting the infected system.

Version 1, January 25, 2003, 10:53 AM: W32/SQLSlammer.worm exploits a known vulnerability in MS SQL Server 2000 and is spreading quickly. The worm is memory-resident and cannot be detected by many antivirus products; however, the worm can be removed by rebooting the infected system.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield | Malicious Code Alert | Original Release | Base
Microsoft, Inc. | Microsoft SQL Server Desktop Engine (MSDE) 2000 | Base
Microsoft, Inc. | SQL Server 2000 | Base, SP1, SP2

Associated Products:
HP | HP Systems Insight Manager (SIM) | Original Release | Base
HP | OpenView Operations | Original Release | Base
HP | SANworks | Original Release | Base



