Another SQL Server Virus Hits the Internet
Brian Knight (Group: Moderators)
Comments posted to this topic are about the content posted at http://www.sqlservercentral.com/columnists/bknight/sapphirevirus.asp

Brian Knight
Free SQL Server Training Webinars
Tatsu (Group: General Forum Members)
Some additional comments and corrections (from experience):

The 039 patch is not sufficient to keep a server from becoming infected and, from what I have seen, SP3 does not keep SQLSlammer out either.

Information on how to combat and prevent attacks is available from Microsoft at http://www.microsoft.com/security/slammer.asp

There was a significant amount of confusion due to early incorrect reports from anti-virus suppliers and even Microsoft on how to fix systems.

A stop-gap measure to calm the network down if you are already under attack is to use an AD policy to block UDP port 1434 on all computers. This will prevent further infestation, but you will still need to reboot infected servers to get the worm out of memory. Some applications may need to be configured to use named pipes if you are blocking UDP port 1434, as they will not be able to resolve the port for named instances. Also, this will only work for Windows 2000 and XP environments; NT4/Windows Me do not support AD policies and may still be at risk if running SQL or MSDE 2000.


Bryant E. Byrd, MCDBA
SQL Server DBA/Systems Engineer
Intellithought, Inc.
bbyrd@intellithought.com

K. Brian Kelley (Group: Moderators)
I'm not following here. The postings I've seen indicate it's using the Buffer Overflow vulnerability found by NGSSoftware and reported in MS02-039. SP3 and the patch from MS02-039 (to include the one available in MS02-061) cover that vulnerability. Are you seeing another attack vector? If so, what else are you seeing is required?


K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1

Brian Lockwood (Group: General Forum Members)
Thanks for the article. I have a few basic SQL Slammer questions ...

1) If you hit the link on the SQLServerCentral main page for SP3 "SQL Server 2000 Quick Info" you will get http://www.sqlservercentral.com/javen@dbassociates.com.au which produces an error page

2) At http://www.microsoft.com/sql/downloads/2000/sp3.asp I find it kind of confusing as to what exactly is the SP3 download. If you click the link to direct to the next page for download there are 3 files at the bottom

"Below are links to the separate files available for this download."

sql2kasp3.exe
SQL2KDeskSP3.exe
sql2ksp3.exe

There is no description for these files. Which one exactly should you download?

3) If you go to the Slammer link at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/slammer.asp it offers you instructions for "recovery" for those already affected.

Step 1 is "Set the SQL Server Service to Manual." - can you humor a knucklehead and clarify this? Where can I find this and how do I change it to manual?

4) What would be interesting would be a subjective description of the virus -

Is it a query, script file, etc.?

Is there a way to examine your SQL Server to see if you are infected?

What was the means of infection? It seems having a SQL Server without SP3 exposed to the internet might be enough.

TIA - Brian

Brian Lockwood
LockwoodTech Software
http://www.lockwoodtech.com

K. Brian Kelley (Group: Moderators)
> 2) At http://www.microsoft.com/sql/downloads/2000/sp3.asp I find it kind of confusing as to what exactly is the SP3 download. If you click the link to direct to the next page for download there are 3 files at the bottom
>
> "Below are links to the separate files available for this download."
>
> sql2kasp3.exe
> SQL2KDeskSP3.exe
> sql2ksp3.exe
>
> There is no description for these files. Which one exactly should you download?

sql2kasp3.exe - Analysis Services. Not important for Slammer.
SQL2KDeskSP3.exe - MSDE. If you have MSDE, very important, as MSDE is vulnerable.
SQL2KSP3.exe - Core SQL Server. Important for Slammer.

> 3) If you go to the Slammer link at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/slammer.asp it offers you instructions for "recovery" for those already affected.
>
> Step 1 is "Set the SQL Server Service to Manual." - can you humor a knucklehead and clarify this? Where can I find this and how do I change it to manual?

If you are on a Win2K Server (Advanced Server, etc.), go to Start | Programs | Administrative Tools | Services. Find MSSQLServer and any that start with MSSQL$. Double-click, change start-up to Manual.

The worm is in memory only. It doesn't write or change anything permanently. The reason you set it to Manual is so that upon startup you don't get reinfected immediately. It gives you a chance to apply the patch.

> 4) What would be interesting would be a subjective description of the virus -
>
> Is it a query, script file, etc.?

It is a buffer overflow attack. Specifically, some mean person has crafted a network packet to hit UDP port 1434. It exploits a known SQL 2K vulnerability. The vulnerability allowed the packet to overwrite a portion of active memory. That portion gets overwritten with the worm, whose sole purpose is to propagate itself as quickly as possible. It picks out IP addresses pseudo-randomly and fires off the UDP packet. Since UDP is connectionless, it's really fire and forget, meaning a single worm can generate a ton of traffic and infect unpatched systems extremely fast.

> Is there a way to examine your SQL Server to see if you are infected?

If you are infected, you have no bandwidth. It brought down trunks at BellSouth. Internet availability and reachability dropped from greater than 99.99% to 85%.

> What was the means of infection? It seems having a SQL Server without SP3 exposed to the internet might be enough.

A UDP packet destined for port 1434 (SQL Server Listener). SP3 and systems with SP2 and MS02-039 or MS02-061 are patched. There is a proviso with the SP2 patches... apparently one of the patches after July undid the MS02-039 patch for the vulnerability (wrong files in the patch). That's why some MS02-061 or MS02-039 systems were infected.



K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1

Edited by - bkelley on 01/28/2003 10:39:41 PM

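Kelley's description above gives enough to write a network-side check: the worm arrives as a single oversized UDP datagram to port 1434, and an infected host then sprays UDP/1434 at pseudo-random addresses, which is also a practical answer to Brian's "is there a way to see if you are infected?" question. The Python below is an added example for this thread, not code from the original posts, from Microsoft or from SQLServerCentral. The SQL Server Resolution Service request format it relies on (a 0x04 type byte followed by an instance name) is real; the size threshold, the fan-out window and count, and the packet records are assumptions constructed for the demonstration.

```python
"""Heuristics for spotting Slammer-style UDP/1434 traffic in packet summaries.

Added example for this thread; not code from the original posts, Microsoft or
SQLServerCentral. It turns two statements in the thread into checks:

  1. The worm arrives as one oversized UDP datagram to port 1434 (the SQL
     Server Resolution Service) that overflows a buffer. A legitimate instance
     lookup is a 0x04 type byte plus an instance name, so anything much longer
     is suspect.
  2. An infected host sprays UDP/1434 at pseudo-random addresses, so one source
     reaching many distinct hosts on 1434 in a short window is a strong sign of
     infection.

All thresholds and the traffic in sample_traffic() are assumptions/constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

SSRP_PORT = 1434
SSRP_CLNT_UCAST_INST = 0x04          # type byte of a normal instance lookup
MAX_LEGIT_SSRP_REQUEST = 1 + 32      # type byte + instance name (assumed upper bound)
FANOUT_WINDOW_SECONDS = 10.0         # assumed
FANOUT_DISTINCT_DESTINATIONS = 50    # assumed


@dataclass(frozen=True)
class Datagram:
    ts: float      # seconds
    src: str
    dst: str
    dport: int
    payload: bytes


def is_oversized_ssrp_request(d: Datagram) -> bool:
    """Heuristic 1: an instance-lookup request far longer than any real instance name."""
    return (d.dport == SSRP_PORT
            and len(d.payload) > MAX_LEGIT_SSRP_REQUEST
            and d.payload[0] == SSRP_CLNT_UCAST_INST)


def fanout_sources(datagrams: Iterable[Datagram],
                   window: float = FANOUT_WINDOW_SECONDS,
                   threshold: int = FANOUT_DISTINCT_DESTINATIONS) -> Set[str]:
    """Heuristic 2: sources that hit >= threshold distinct hosts on UDP/1434 within `window` seconds.

    Sliding window per source over time-ordered datagrams; `live` counts how
    many datagrams to each destination are currently inside the window.
    """
    by_src = defaultdict(list)
    for d in sorted(datagrams, key=lambda x: x.ts):
        if d.dport == SSRP_PORT:
            by_src[d.src].append(d)
    flagged: Set[str] = set()
    for src, ds in by_src.items():
        live: Counter = Counter()
        start = 0
        for d in ds:
            live[d.dst] += 1
            while d.ts - ds[start].ts > window:      # expire datagrams older than the window
                old = ds[start].dst
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                start += 1
            if len(live) >= threshold:
                flagged.add(src)
                break
    return flagged


def scan(datagrams: List[Datagram]) -> Tuple[List[Datagram], Set[str]]:
    """Run both heuristics; returns (oversized SSRP requests, spraying sources)."""
    return [d for d in datagrams if is_oversized_ssrp_request(d)], fanout_sources(datagrams)


def sample_traffic() -> List[Datagram]:
    """Constructed packet summaries (not a capture). The oversized payload is a
    type byte plus filler sized like the worm's datagram, not the worm itself."""
    filler = b"\x04" + b"\x01" * 375                     # 376 bytes of type byte + filler
    legit = Datagram(0.0, "10.0.0.7", "10.0.0.20", SSRP_PORT, b"\x04MYINSTANCE")
    inbound_hit = Datagram(0.5, "192.0.2.99", "10.0.0.20", SSRP_PORT, filler)
    tds_login = Datagram(0.6, "10.0.0.7", "10.0.0.20", 1433, b"\x12\x01\x00\x2f")  # not SSRP, ignored
    # Once 10.0.0.20 is hit it sprays 60 distinct hosts on UDP/1434 within 3 seconds.
    spray = [Datagram(1.0 + i * 0.05, "10.0.0.20", f"198.51.100.{i + 1}", SSRP_PORT, filler)
             for i in range(60)]
    return [legit, inbound_hit, tds_login] + spray


if __name__ == "__main__":
    oversized, sprayers = scan(sample_traffic())
    print(f"{len(oversized)} oversized SSRP requests; spraying hosts: {sorted(sprayers)}")
```

On the constructed traffic the first heuristic flags the inbound hit (and every datagram the infected host sends afterwards), while the second flags only 10.0.0.20 as a spraying source; the legitimate instance lookup and the TDS login on 1433 pass. In practice the Datagram records would come from a capture or NetFlow export rather than sample_traffic(), and the fan-out check is the one to run on outbound traffic at the perimeter, since, as Tatsu's post notes, blocking UDP 1434 stops further spread but does not clear the worm from memory.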
Brian Lockwood (Group: General Forum Members)
Great reply - thanks much for the detailed info

Brian Lockwood
LockwoodTech Software
http://www.lockwoodtech.com
