SQL Slammer Prevention
What is it and how it works
The worm we always knew was coming has arrived. The SQL Slammer worm [W32/SQLSlam-A], also known as Sapphire, New SQL, Worm.SQL, and Helkern, exploits a six-month-old vulnerability in Microsoft SQL Server. It takes advantage of this vulnerability in SQL Servers to launch Denial of Service attacks against corporate network servers, and it has either slowed or choked off large national Internet service providers worldwide. Internet service providers worldwide reported significant slowdowns throughout the day Saturday as Slammer overwhelmed backbones for hours before administrators were able to block the malicious traffic. Initial reports from the east said large ISPs there were overrun with traffic, causing DoS conditions in several locations including South Korea and Slovenia. End users will notice slower Web browsing and e-mail delivery, but no other damage to systems.
It spreads without the assistance of an e-mail attachment, the vehicle of choice for most worms, security experts said. Instead, it targets UDP port 1434, used by the SQL Server Resolution Service, exploits a buffer overflow on servers that were not patched with the six-month-old Microsoft patch, and spreads to other hosts. It scans the network for other SQL servers with the same vulnerability, installs itself on them, and replicates. It sends a 376-byte packet to UDP port 1434 (the SQL Server Resolution Service port). To choose where to send this packet, which carries the worm W32/SQLSlammer itself, it uses a function to generate target IP addresses. Because this process runs continuously and produces a great number of attempts, it can cause a DoS (Denial of Service) condition. The damage done by this malicious code is therefore essentially a Denial of Service attack, with effects such as e-mail service failure, slow Internet communication and network blocking, among others.
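The traffic pattern described above (a fixed 376-byte UDP datagram to port 1434, repeated toward many generated addresses) is what a defender can key on. The following detector, added here as an illustration and not code from Gravity Storm Software, runs over constructed flow records in an assumed "proto src:sport dst:dport bytes" format and flags sources whose fan-out of such datagrams exceeds an assumed threshold.

```python
"""Flag SQL Slammer-like traffic in flow records (added example, not the page's own code).

An infected host repeats one 376-byte UDP datagram to port 1434 toward many
generated addresses, so the detector keys on the datagram signature and on
the number of distinct targets each source hits.
"""
from collections import defaultdict

SQL_RESOLUTION_PORT = 1434   # SQL Server Resolution Service (UDP), from the text
SLAMMER_PACKET_SIZE = 376    # datagram size described in the text, in bytes
FANOUT_THRESHOLD = 5         # assumed alert threshold: distinct targets per source


def parse_flow(line):
    """Parse one constructed record: 'proto src_ip:sport dst_ip:dport bytes'."""
    proto, src, dst, size = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"proto": proto.upper(), "src": src_ip, "dst": dst_ip,
            "dport": int(dport), "bytes": int(size)}


def is_slammer_like(flow):
    """True for a UDP datagram of exactly 376 bytes aimed at port 1434."""
    return (flow["proto"] == "UDP" and flow["dport"] == SQL_RESOLUTION_PORT
            and flow["bytes"] == SLAMMER_PACKET_SIZE)


def detect(lines, threshold=FANOUT_THRESHOLD):
    """Return {source_ip: distinct_target_count} for sources that sent
    Slammer-like datagrams to at least `threshold` distinct hosts."""
    targets = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        flow = parse_flow(line)
        if is_slammer_like(flow):
            targets[flow["src"]].add(flow["dst"])
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


# Constructed sample records: one scanning host plus ordinary SQL client traffic.
SAMPLE_FLOWS = [
    "UDP 10.0.0.7:1041 192.0.2.%d:1434 376" % i for i in range(1, 9)
] + [
    "UDP 10.0.0.9:3121 10.0.0.50:1434 60",   # small legitimate resolution query
    "TCP 10.0.0.9:3122 10.0.0.50:1433 512",  # normal SQL session on TCP 1433
]

if __name__ == "__main__":
    for src, n in detect(SAMPLE_FLOWS).items():
        print("ALERT %s sent 376-byte UDP/1434 datagrams to %d hosts" % (src, n))
```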
SQL Slammer does not infect any files, only memory, so an infected server can be cleaned simply by rebooting. However, the Microsoft patch must be applied to avoid re-infection. Gravity Storm Software suggests that system administrators take this time to examine what other patches their vulnerable servers may need.
Who is affected
At first glance it seemed that corporate environments running Windows 2000 systems would be the most affected, but since users can install SQL Server 2000 Desktop Engine (MSDE) on Windows 98/Me/NT/2000/2003 Pro, and it is frequently used by home users and software developers, SQLSlammer can infect their computers as well. If the situation escalates, it could seriously damage corporate activities and create significant economic losses, the same way Code Red did two years ago when it infected 250,000 Internet servers in a few hours. The Code Red and SQLSlammer worms have many common features and properties: for example, they come from Asia, they remain only in memory, and both launch Denial of Service attacks. Also, traditional virus detection programs cannot spot them; one of the best solutions is to install the Microsoft patch described in Microsoft Security Bulletin MS02-039, first released on July 24, 2002.
Prevention and Disinfection
The visible effect of SQLSlammer is an increase in traffic on UDP port 1434 (the SQL Server Resolution Service port), together with a slowdown, or even a complete blocking, of the affected server. Even if no visible symptoms have been detected, we recommend taking the following actions to verify whether the SQL server is vulnerable. Use the free evaluation version of Service Pack Manager 2000 to detect whether a SQL server is vulnerable to the worm. Due to the nature of the worm, the scan will report the required patch as either "Not Installed" (the server is vulnerable) or "Installed" (it is not).
SQL Servers with Microsoft SQL Server Service Pack 3 already applied are not impacted by Slammer. Here is what Microsoft recommends:
It is important to note that any customer who has patched their machines with the Microsoft Security Bulletin MS02-039 patch, or any subsequent cumulative SQL security patch, is completely safe from infection by W32.Slammer. However, Microsoft recommends that customers apply Microsoft Security Bulletin MS02-061, which is the most recent cumulative SQL security patch, if they have not applied the patches for Microsoft Security Bulletin MS02-039, MS02-043, or MS02-056. Alternatively, customers may install SQL Server 2000 Service Pack 3 or MSDE 2000 Service Pack 3, which incorporate the patches in Microsoft Security Bulletin MS02-061.
Read the full Microsoft alert article.
Here is what Gravity Storm Software recommends:
1. Download and install the Fully Functional Evaluation version of Service Pack Manager 2000.
2. Make sure you are blocking TCP and UDP ports 1434 and 1433 inbound and outbound on your perimeter firewalls.
3. Assume the worst: that the SQL Server was infected. To get rid of the worm:
- Stop SQL Server. This can be done with Service Pack Manager: right-click the SQL Server machine on the network tree in the Product Status tab and select the Stop SQL Services menu item on the popup menu.
- Change the SQL Server service startup type to "manual".
- Reboot the SQL Server. This can be done from the right-click popup menu on the network tree of the Product Status tab in Service Pack Manager. The reboot removes the worm code from memory.
4. Using Service Pack Manager (Product Status tab), check whether the Microsoft patch offered and described by MS02-061 is already installed: select SQL Server from the list of supported Microsoft products, then run NetQuery (Extended Scan). If the patch is not installed, install it as follows:
- Select the machines on the network tree that are running SQL Server and/or SQL MSDE by checking the corresponding checkboxes.
- Check the patch checkbox.
- Click the Install button on the toolbar.
- After the installation process completes, run NetQuery again to verify the installation.
5. Restart the SQL service. This can be done with Service Pack Manager: right-click the SQL Server machine on the network tree in the Product Status tab and select the Start SQL Services menu item on the popup menu to start SQL Services.
6. Set the SQL service startup type back to "automatic".