Saturday, January 25, 2003

New Worm Crippling the Internet

If you have noticed that many sites are off-line or hard to get to, it is due to a new worm that is affecting servers running Microsoft SQL Server. It's affecting the core Internet routers. Here's a picture of the state of the Internet as of 8:00 AM GMT, 1/25/2003:

[Picture of the state of the Internet at 8:00 AM GMT, 1/25/2003; image not preserved]
The techy explanation (thanks to HD Moore, sflist_at_digitaloffense.net, and Worm Info for this):

A worm which exploits a (new?) vulnerability in SQL Server is bringing the core routers to a grinding halt. The speed of the propagation can be attributed to the attack method and simplicity of the code. The worm sends a 376-byte UDP packet to port 1434 of each random target; each vulnerable system will immediately start propagating itself. Since UDP is connection-less, the worm is able to spread much more quickly than those using your standard TCP-based attack vectors (no connect timeouts).

And also from HD Moore:

While there were some intermittent network problems before, it wasn't until about 12:00 AM CST (01/25/03) that the worm started causing serious trauma to UUNET/Worldcom's backbone.

The worm appears to be abusing a stack overflow vulnerability reported a few months ago by David Litchfield; the original advisory can be found here:

http://www.nextgenss.com/advisories/mssql-udp.txt

There are still reports of the worm successfully exploiting patched systems as well, but I have not been able to verify that.

Disabling the worm is as easy as killing the sqlserver.exe process or just rebooting the box. Just make sure that you unplug the system from the network before it comes back up.

The patch: Q323875_SQL2000_SP2_en.EXE

More disassemblies:

http://www.boredom.org/~cstone/worm-annotated.txt
http://www.snafu.freedom.org/tmp/1434-probe.txt
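The propagation pattern HD Moore describes above (one small UDP datagram to port 1434 of each random target, as fast as the host can send them) is easy to spot from the network side: an infected box fans out to a large number of distinct destinations on UDP/1434 within seconds. The following detector is an added example, not code from the original post or from HD Moore; it runs over a few constructed flow records in a made-up `ts proto src:port dst:port bytes` format and flags both the exact 376-byte signature from the post and the fan-out behaviour (which also catches variants whose datagram size differs). The threshold, window and the assumption that the byte count is the UDP payload length are mine.

```python
"""Flag SQL Slammer-style UDP/1434 scanning in flow records.

Added example (not from the original post). Flow line format is constructed:
    <timestamp> <proto> <src_ip>:<sport> <dst_ip>:<dport> <bytes>
"""
from collections import defaultdict

WORM_PORT = 1434       # SQL Server resolution service port named in the post (UDP)
WORM_LEN = 376         # datagram size named in the post; assumed here to be UDP payload bytes
SCAN_THRESHOLD = 20    # distinct UDP/1434 destinations per source before alerting (assumption)
WINDOW_SECONDS = 10.0  # sliding window for the fan-out count (assumption)


def parse_flow(line):
    """Parse one constructed flow line into a dict of typed fields."""
    ts, proto, src, dst, nbytes = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"ts": float(ts), "proto": proto.lower(), "src": src_ip,
            "dst": dst_ip, "dport": int(dport), "bytes": int(nbytes)}


def is_signature_match(flow):
    """Exact match on the post's description: UDP to 1434 carrying 376 bytes."""
    return (flow["proto"] == "udp" and flow["dport"] == WORM_PORT
            and flow["bytes"] == WORM_LEN)


def count_signature_matches(lines):
    """Number of flow records that match the exact signature."""
    return sum(1 for line in lines if is_signature_match(parse_flow(line)))


def find_scanners(lines):
    """Return {src_ip: peak_distinct_destinations} for sources whose UDP/1434
    fan-out inside any WINDOW_SECONDS window reaches SCAN_THRESHOLD.

    Behavioural rule: it ignores datagram size, so a host that sprays
    UDP/1434 at many targets is flagged even if the payload changes."""
    events = defaultdict(list)  # src_ip -> [(ts, dst_ip), ...]
    for line in lines:
        f = parse_flow(line)
        if f["proto"] == "udp" and f["dport"] == WORM_PORT:
            events[f["src"]].append((f["ts"], f["dst"]))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        left = 0
        for right in range(len(evs)):
            # slide the left edge forward until the window fits
            while evs[right][0] - evs[left][0] > WINDOW_SECONDS:
                left += 1
            distinct = len({dst for _, dst in evs[left:right + 1]})
            if distinct >= SCAN_THRESHOLD:
                alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


# Constructed sample data (not real captures):
SAMPLE_FLOWS = (
    # an infected host spraying 30 distinct targets within a third of a second
    [f"1000.{i:02d} udp 10.0.0.5:1105 192.0.2.{i}:1434 376" for i in range(1, 31)]
    # a legitimate client repeatedly querying one SQL Server's resolution service
    + [f"1000.{i:02d} udp 10.0.0.7:1050 10.0.0.20:1434 62" for i in range(1, 6)]
    # unrelated TCP traffic to the SQL data port
    + ["1001.00 tcp 10.0.0.7:1051 10.0.0.20:1433 512"]
)


if __name__ == "__main__":
    print("exact-signature hits:", count_signature_matches(SAMPLE_FLOWS))
    for src, n in find_scanners(SAMPLE_FLOWS).items():
        print(f"ALERT {src}: {n} distinct UDP/1434 destinations in {WINDOW_SECONDS}s")
```

On the sample data the exact-size rule fires 30 times and the fan-out rule names 10.0.0.5 only; the legitimate client talking to a single server never trips either. Once a source is flagged, the cleanup in the post still applies: take the host off the network first, then reboot or kill the process, and only reconnect once the patch is on.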


I posted a local mirror to the Switch to....Linux post I made below because it was offline, and wondered what was going on. This explains it.