MS-SQL Server Worm Alert (a.k.a. Sapphire, SQL Slammer, SQL Hell)
by Joseph Seaman, CISSP, GSEC
Enterprise Integration
On Saturday, January 25, 2003, at about 12:30am EST, a computer worm was released that exploited a buffer overflow vulnerability in Microsoft SQL Server 2000, in the SQL Server Resolution Service that listens on UDP port 1434.
Recent reports put the number of infected systems at close to 200,000 as of January 27, 2003.
The worm attempts to infect systems at pseudo-randomly generated IP addresses. Unlike Code Red, it carries no back door and no dedicated flooding code. Because the whole infection is carried in a single UDP packet, however, an infected machine needs no connection setup and no reply before moving on to the next address, so each infected host generates an enormous volume of traffic, greater than that produced by most code written specifically for flooding. Simply by trying to infect other systems, the worm therefore has powerful denial-of-service capabilities.
Although it spreads by the same random-scanning approach as Code Red, this worm had a much higher propagation rate: less than 2 hours to network saturation, against roughly 24 hours for Code Red.
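The propagation pattern described above, one source sending UDP/1434 packets to many unrelated destinations in a short time, is easy to spot in firewall logs. The script below is an added example, not code from the article or from Microsoft: it parses constructed log lines laid out like the Windows Firewall log (pfirewall.log), keeps only UDP packets to destination port 1434, and reports any source that reaches more than a threshold of distinct destinations inside a sliding window. The function name Find-Udp1434FanOut, the sample addresses, the 20-target threshold and the 60-second window are all assumptions to tune for your own network.

```powershell
# Added example (not part of the original article): flag hosts spraying UDP/1434
# at many distinct destinations. The log lines are CONSTRUCTED in the column layout
# of the Windows Firewall log: date time action protocol src-ip dst-ip src-port dst-port size ...
# Threshold and window are assumptions; adjust them for your environment.

function Find-Udp1434FanOut {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [int] $DistinctTargetThreshold = 20,
        [int] $WindowSeconds = 60
    )
    # Keep only UDP packets aimed at destination port 1434. The legitimate use of that
    # port is one client asking a known server which SQL instances it hosts, so a
    # normal client touches one or two destinations, not dozens.
    $events = foreach ($line in $LogLines) {
        if ($line -match '^\s*(#|$)') { continue }          # header, comment or blank line
        $f = $line -split '\s+'
        if ($f.Count -lt 8 -or $f[3] -ne 'UDP' -or $f[7] -ne '1434') { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
            Src  = $f[4]
            Dst  = $f[5]
        }
    }
    # Per source, slide a window over its packets and count distinct destinations.
    foreach ($group in ($events | Group-Object Src)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end     = $sorted[$i].Time.AddSeconds($WindowSeconds)
            $window  = @($sorted[$i..($sorted.Count - 1)] | Where-Object { $_.Time -le $end })
            $targets = @($window.Dst | Select-Object -Unique).Count
            if ($targets -ge $DistinctTargetThreshold) {
                [pscustomobject]@{
                    Source          = $group.Name
                    DistinctTargets = $targets
                    Packets         = $window.Count
                    WindowStart     = $sorted[$i].Time
                }
                break   # one report per source is enough
            }
        }
    }
}

# Constructed sample: an ordinary client (10.1.5.9) pinging two known SQL servers,
# and one host (10.1.2.3) hitting 25 random addresses in about ten seconds.
$constructed  = @('#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path')
$constructed += '2003-01-25 00:30:00 ALLOW UDP 10.1.5.9 10.1.5.20 3120 1434 29 - - - - - - - SEND'
$constructed += '2003-01-25 00:30:40 ALLOW UDP 10.1.5.9 10.1.5.21 3120 1434 29 - - - - - - - SEND'
$rng = [System.Random]::new(1)   # fixed seed so the sample is reproducible
$t0  = [datetime]::ParseExact('2003-01-25 00:31:02', 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
foreach ($n in 0..24) {
    $dst = '{0}.{1}.{2}.{3}' -f $rng.Next(1, 224), $rng.Next(0, 256), $rng.Next(0, 256), $rng.Next(1, 255)
    $constructed += '{0:yyyy-MM-dd HH:mm:ss} DROP UDP 10.1.2.3 {1} 1033 1434 404 - - - - - - - SEND' -f $t0.AddMilliseconds($n * 400), $dst
}

Find-Udp1434FanOut -LogLines $constructed | Format-Table -AutoSize
```

On the constructed sample only 10.1.2.3 is reported; the client on 10.1.5.9 stays below the threshold. The same logic applies to NetFlow or IDS records once the column indices are adjusted, and a source that fans out to addresses outside your own ranges is an even stronger indicator, since the worm picks targets with no regard to your address plan.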
A computer worm is a self-replicating program that, unlike a file-infecting virus, does not alter files; it resides in active memory and copies itself to other machines over the network. Worms use operating system and service facilities that run automatically and are usually invisible to the user, so they are commonly noticed only when their uncontrolled replication consumes system or network resources, slowing or halting other tasks.
Because the MS SQL Server worm resides only in memory and writes nothing to disk, a reboot removes it. Unless the defensive perimeter is changed to block the offending UDP packets or the system is patched, however, it will be quickly re-infected.
Microsoft first reported the vulnerability, with a patch, in July 2002, but because of the cumbersome requirements and steps needed to apply that patch, many systems never received it. Microsoft has since re-released the patch with an installer that automates and simplifies the process. The patch and installation steps can be downloaded from Microsoft's TechNet site at:
Patch and Installation Steps
The latest information on the worm can also be viewed at Microsoft's Technet site at:
Microsoft's Latest Info on Worm
Microsoft initially reported that the worm affects Microsoft SQL Server 2000, but it also affects the Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), the redistributable engine that many third-party products install without making it obvious. Because applications such as several Cisco products, Compaq Insight Manager, Microsoft Office 2000/XP and Veritas Backup Exec 9.0 include MSDE, to name a few, check SQLSecurity.com for a complete and regularly updated list of affected applications.
How do I know if I am running MSDE services?
The best way to determine whether you have MSDE 2000 on a machine is to search the system for the file "sqlservr.exe". The file only tells you the engine is installed; to know whether it is actually exposed, also check whether that executable is running as a service (the default instance is MSSQLSERVER, named instances are MSSQL$<instance name>).
If you believe you may have been infected, here are the steps to remove the worm.
- If possible, block UDP port 1434 at your firewall, in both directions, so that an infected host cannot scan outward either.
- Stop the SQL Server / MSDE services on the server.
- Set those services to "Manual" so that the engine does not start, and get re-infected, on reboot.
- Reboot the server to remove the worm from memory.
- Apply the patch (be sure you have proper backups before making any changes).
- Restart the server, then return the services to their normal startup type.
- Perform a SQL health check: make sure all other critical patches are applied, the SA account has a strong password, and close any unnecessary or unused ports on your firewall.
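The host-side part of the procedure above (find the engine, check the port, stop and disable the services, block UDP 1434 locally, reboot) as one PowerShell script, added here as an example and not taken from the article or from Microsoft. It assumes a current Windows host with the NetTCPIP and NetSecurity modules (Windows 8 / Server 2012 or later), so the cmdlets postdate the 2003 article; the function name Invoke-SlammerTriage, the firewall rule names and the -Reboot switch are my own. Patching and the perimeter-firewall change are not automated here, and the host rules are a stopgap, not a replacement for the perimeter block.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Assumes Windows 8 / Server 2012 or
# later for Get-NetUDPEndpoint and New-NetFirewallRule. Run with -WhatIf first.

function Invoke-SlammerTriage {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch] $Reboot   # reboot at the end to flush the memory-resident worm
    )

    # 1. Is SQL Server / MSDE present? The file says the engine is installed;
    #    a running process or service says it is actually exposed.
    $roots    = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $binaries = Get-ChildItem -Path $roots -Recurse -Filter sqlservr.exe -ErrorAction SilentlyContinue
    foreach ($b in $binaries) { Write-Host "Found engine binary: $($b.FullName)" }

    $procs = Get-Process -Name sqlservr -ErrorAction SilentlyContinue
    foreach ($p in $procs) { Write-Host "sqlservr.exe running, PID $($p.Id)" }

    # Default instance is MSSQLSERVER, named instances are MSSQL$NAME. On SQL Server
    # 2005 and later the UDP 1434 listener lives in the separate SQLBrowser service.
    $services = Get-Service | Where-Object {
        $_.Name -eq 'MSSQLSERVER' -or $_.Name -like 'MSSQL$*' -or $_.Name -eq 'SQLBrowser'
    }

    # 2. Is anything bound to UDP 1434 right now?
    $listeners = Get-NetUDPEndpoint -LocalPort 1434 -ErrorAction SilentlyContinue
    foreach ($l in $listeners) { Write-Host "UDP 1434 bound on $($l.LocalAddress)" }

    # 3. Stop the services and set them to Manual so a reboot does not re-expose the host.
    foreach ($s in $services) {
        if ($PSCmdlet.ShouldProcess($s.Name, 'Stop service and set StartupType=Manual')) {
            Stop-Service -Name $s.Name -Force -ErrorAction Stop
            Set-Service  -Name $s.Name -StartupType Manual
        }
    }

    # 4. Host firewall: drop inbound UDP 1434 (the infection vector) and outbound
    #    UDP 1434 (the worm's own scanning) until the perimeter rule is in place.
    $rules = @(
        @{ DisplayName = 'Block inbound UDP 1434 (SQL Slammer)';  Direction = 'Inbound';  LocalPort  = 1434 },
        @{ DisplayName = 'Block outbound UDP 1434 (SQL Slammer)'; Direction = 'Outbound'; RemotePort = 1434 }
    )
    foreach ($r in $rules) {
        if (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue) { continue }
        if ($PSCmdlet.ShouldProcess($r.DisplayName, 'Create firewall rule')) {
            New-NetFirewallRule @r -Protocol UDP -Action Block | Out-Null
        }
    }

    # 5. A reboot flushes the worm from memory; with the services on Manual and the
    #    port blocked, the patch can be applied before anything is re-enabled.
    if ($Reboot -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Restart-Computer')) {
        Restart-Computer -Force
    }
}

# Preview every change first, then run for real:
Invoke-SlammerTriage -WhatIf
# Invoke-SlammerTriage -Reboot
```

The ShouldProcess support means `-WhatIf` prints each service stop, startup-type change, rule creation and the reboot without performing them, which is the right first run on a production database host. After patching, set the services back to Automatic with Set-Service and remove the two host rules only once the perimeter block is confirmed.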
This latest worm highlights the difficulty of doing patch management properly, and the difficulty of applying the patches themselves, especially for SQL Server. Close to 99% of all attacks exploit known vulnerabilities, most of which already have a patch or fix available.
The following action steps should be taken to mitigate your exposure to potentially debilitating Internet worms and other system vulnerabilities:
- If you manage your servers in house, be sure you have a detailed plan for how your IS staff is notified of new vulnerabilities, as well as clearly defined decision criteria for determining whether and when a patch is applied.
- If you have outsourced your web presence to an ISP or third-party vendor, obtain the processes and procedures they follow when notified of new security patches or vulnerabilities, and the means by which they apply those patches.
- Check your service level agreements; they may reveal gaps between your expectations and the vendor's actual obligations for handling security incidents such as this one.
Until Microsoft and other software vendors can release products without these vulnerabilities, we must remain vigilant in applying patches and alert to new threats.
First published on BankersOnline.com 1/27/03