Microsoft SQL Sapphire Worm Analysis
Date:
January 25, 2003
Severity:
High
Systems Affected:
Microsoft SQL Server 2000 pre SP3
Microsoft Desktop Engine (MSDE) 2000
Overview:
The worm works by generating pseudo-random IP addresses to try to infect with its payload. The worm payload does not contain any additional malicious content (in the form of backdoors etc.); however, because of the nature of the worm and the speed at which it attempts to re-infect systems, it can potentially create a denial-of-service attack against infected networks.
We have been able to verify that multiple points of connectivity on the Internet have been bogged down since 9pm Pacific Standard Time.
It should be noted that this worm is not the same as an earlier SQL worm that used the SA/nopassword SQL vulnerability as its spread vector. This new worm is more devastating because it takes advantage of a software-specific flaw rather than a configuration error. We have already had many reports of smaller networks brought down due to the flood of data from the Sapphire Worm trying to re-infect new systems.
Detection:
We recommend that people immediately firewall SQL service ports at all of their gateways. The worm uses only UDP port 1434 (SQL Monitor Port) to spread itself to a new system; however, it is safe practice to filter all SQL traffic at all gateways. The following is a list of SQL server ports:
ms-sql-s 1433/tcp #Microsoft-SQL-Server
ms-sql-s 1433/udp #Microsoft-SQL-Server
ms-sql-m 1434/tcp #Microsoft-SQL-Monitor
ms-sql-m 1434/udp #Microsoft-SQL-Monitor
Once again this worm is taking advantage of a known vulnerability that has had a patch available for many months. Microsoft has also released a recent service pack for SQL (Service Pack 3) that includes a fix for this vulnerability.
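The worm's spread pattern (one host sending to many pseudo-random addresses on UDP port 1434) is visible in ordinary gateway logs, and the same logs show whether the SQL ports listed above are actually being filtered. The following script is an added example written for this alert, not an eEye tool or Microsoft code. It parses a constructed, generic firewall log format (timestamp, protocol, source, destination:port, action), flags sources that reach many distinct hosts on UDP/1434 within a short window, and reports any SQL ports the gateway logged as allowed. The log format, the 60-second window and the 20-host threshold are assumptions for illustration; the sample log lines are constructed, not captured traffic.

```python
"""Added example: spot Sapphire-style UDP/1434 fan-out in gateway logs and check
whether the advisory's SQL-port filtering is in place. Log format and thresholds are
assumptions for illustration, not any vendor's format."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# SQL Server ports from the advisory; the worm itself spreads only over UDP/1434.
SQL_PORTS = {("tcp", 1433), ("udp", 1433), ("tcp", 1434), ("udp", 1434)}
WORM_VECTOR = ("udp", 1434)


@dataclass(frozen=True)
class FlowRecord:
    ts: datetime
    proto: str
    src: str
    dst: str
    dport: int
    action: str  # "allow" or "deny", as logged by the gateway


def parse_line(line):
    """Parse one constructed log line of the form
    '<ISO time> <proto> <src> -> <dst>:<dport> <action>'. Returns None if malformed."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    dst, _, dport = parts[4].rpartition(":")
    if not dst or not dport.isdigit():
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return FlowRecord(ts, parts[1].lower(), parts[2], dst, int(dport), parts[5].lower())


def find_scanners(records, window=timedelta(seconds=60), min_distinct_dsts=20):
    """Return {src: peak_distinct_destinations} for sources that hit at least
    `min_distinct_dsts` distinct hosts on UDP/1434 inside any `window`-long span.
    Random-address spreading produces this one-source-to-many-destinations shape;
    a legitimate client resolving instances on UDP/1434 talks to a few servers only."""
    per_src = defaultdict(list)
    for r in records:
        if (r.proto, r.dport) == WORM_VECTOR:
            per_src[r.src].append(r)
    flagged = {}
    for src, rs in per_src.items():
        rs.sort(key=lambda r: r.ts)
        start, best = 0, 0
        for end in range(len(rs)):
            while rs[end].ts - rs[start].ts > window:  # slide the window forward
                start += 1
            best = max(best, len({r.dst for r in rs[start:end + 1]}))
        if best >= min_distinct_dsts:
            flagged[src] = best
    return flagged


def unblocked_sql_ports(records):
    """Return the (proto, port) SQL ports the gateway logged as allowed, i.e. where
    the filtering recommended above is not (fully) in place."""
    return {(r.proto, r.dport) for r in records
            if (r.proto, r.dport) in SQL_PORTS and r.action == "allow"}


def constructed_sample():
    """Constructed sample log (not real data): 10.0.5.17 fans out to 25 distinct hosts
    on UDP/1434 in about ten seconds, alongside benign and denied traffic."""
    base = datetime(2003, 1, 25, 5, 30, 0)
    lines = [f"{(base + timedelta(milliseconds=400 * i)).isoformat()} udp 10.0.5.17 -> 192.0.2.{i + 1}:1434 allow"
             for i in range(25)]
    # Benign internal client to the SQL server on TCP/1433, and a denied inbound probe.
    lines.append(f"{(base + timedelta(seconds=2)).isoformat()} tcp 10.0.7.4 -> 10.0.9.2:1433 allow")
    lines.append(f"{(base + timedelta(seconds=3)).isoformat()} udp 198.51.100.9 -> 10.0.9.2:1434 deny")
    lines.append("this line is malformed and must be skipped")
    return lines


def analyze(lines):
    """Parse the lines, then return (suspected scanners, SQL ports seen allowed)."""
    records = [r for r in map(parse_line, lines) if r is not None]
    return find_scanners(records), unblocked_sql_ports(records)


if __name__ == "__main__":
    scanners, open_ports = analyze(constructed_sample())
    for src, n in scanners.items():
        print(f"possible infected host {src}: {n} distinct UDP/1434 destinations within 60s")
    for proto, port in sorted(open_ports):
        print(f"SQL port {proto}/{port} seen allowed at the gateway; filter it as recommended above")
```

On the constructed sample the script flags 10.0.5.17 (25 distinct UDP/1434 destinations) and reports tcp/1433 and udp/1434 as still allowed through the gateway; the denied inbound probe is not counted, since the point of the second check is to confirm the filtering rule is doing its job.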
Prevention:
Standalone patch:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp
SQL 2000 Service Pack 3:
http://www.microsoft.com/sql/downloads/2000/sp3.asp
Previous SQL Service Pack versions are vulnerable.
Free Retina Sapphire SQL Worm Scanner
http://www.eeye.com/html/Research/Tools/SapphireSQL.html
This alert was last updated on January 25, 2003.
