January 25, 2003
Information Security Advisory
Saturday 01/25/2002 6:50am

This just in... The powerful Sapphire Internet Worm started to attack servers around the world about 10 hours ago. This is preliminary information. If you own a Microsoft SQL 2000 server on the Internet, you must read this right away.

Workingarts recommends that you be particularly careful with email in the next few days, as you may receive file attachments of the types commonly used to spread viruses (such as .vbs, .bat, .exe, .pif and .scr files) intended to help propagate this worm.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

SQL Sapphire Worm Analysis

Release Date: 1/25/03
Severity: High
Systems Affected: Microsoft SQL Server 2000 pre SP 2

Description:

Late Friday, January 24, 2003 we became aware of a new SQL worm spreading quickly across various networks around the world. The worm spreads by using a buffer overflow to exploit a flaw in Microsoft SQL Server 2000. The SQL 2000 server flaw was discovered in July 2002 by Next Generation Security Software Ltd. The buffer overflow exists because of the way SQL Server improperly handles data sent to its Microsoft SQL Monitor port. Attackers leveraging this vulnerability will execute their code as SYSTEM, since Microsoft SQL Server 2000 runs with SYSTEM privileges.

The worm works by generating pseudo-random IP addresses to try to infect with its payload. The worm payload does not contain any additional malicious content (in the form of backdoors etc.); however, because of the nature of the worm and the speed at which it attempts to re-infect systems, it can potentially create a denial-of-service attack against infected networks. We have been able to verify that multiple points of connectivity on the Internet have been bogged down since 9pm Pacific Standard Time. It should be noted that this worm is not the same as an earlier SQL worm that used the SA/nopassword SQL vulnerability as its spread vector.
This new worm is more devastating because it takes advantage of a software-specific flaw rather than a configuration error. We have already had many reports of smaller networks brought down by the flood of data from the Sapphire Worm trying to re-infect new systems.

Corrective Action:

We recommend that people immediately firewall SQL service ports at all of their gateways. The worm uses only UDP port 1434 (SQL Monitor Port) to spread itself to a new system; however, it is safe practice to filter all SQL traffic at all gateways. The following is a list of SQL server ports:

ms-sql-s 1433/tcp #Microsoft-SQL-Server
ms-sql-s 1433/udp #Microsoft-SQL-Server
ms-sql-m 1434/tcp #Microsoft-SQL-Monitor
ms-sql-m 1434/udp #Microsoft-SQL-Monitor

Once again this worm is taking advantage of a known vulnerability that has had a patch available for many months. Microsoft has also released a recent service pack for SQL Server (Service Pack 3) that includes a fix for this vulnerability.

Standalone patch:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp

SQL 2000 Service Pack 3:
http://www.microsoft.com/sql/downloads/2000/sp3.asp

Previous SQL Service Pack versions are vulnerable.

This worm has been dubbed the "Sapphire Worm" by eEye due to the fact that several engineers had to be pulled away from local bars to begin the investigation/dissection process.

Credit: Riley Hassell

Related Links:
SQLSecurity.com
http://sqlsecurity.com/
Microsoft Security Bulletin:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-039.asp

Copyright (c) 1998-2003 eEye Digital Security

Scan your computer for viruses every week and don't forget to back up your files!

Fredo
http://www.workingarts.com/infosecarchives
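As an added example (not part of the eEye advisory or the Workingarts mailing), a small Python detector that applies the two points above to constructed flow records: it flags sources spraying UDP/1434 at many distinct addresses within a short window, the fan-out that pseudo-random target generation produces on a network, and lists SQL-port flows that cross a gateway, which the corrective action says should be filtered. The flow record format, the 10.0.0.0/8 internal range, the thresholds and all addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not from the advisory):
# "<unix_ts> <src> <dst> <proto> <dport> <bytes>". 10.0.5.17 plays an infected
# host spraying UDP/1434 at pseudo-random addresses; the other flows are benign.
SAMPLE_FLOWS = """\
1043480400 10.0.5.17 198.51.100.3 udp 1434 404
1043480400 10.0.5.17 203.0.113.9 udp 1434 404
1043480401 10.0.5.17 192.0.2.44 udp 1434 404
1043480401 10.0.5.17 198.51.100.77 udp 1434 404
1043480402 10.0.5.17 203.0.113.200 udp 1434 404
1043480400 10.0.9.2 10.0.9.5 udp 1434 63
1043480405 10.0.9.2 10.0.9.6 tcp 1433 1200
"""
SQL_PORTS = {("tcp", 1433), ("udp", 1433), ("tcp", 1434), ("udp", 1434)}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range

def parse_flows(text):
    """Parse the whitespace-separated flow format above into tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, proto, dport, nbytes = line.split()
            flows.append((int(ts), src, dst, proto, int(dport), int(nbytes)))
    return flows

def find_udp1434_sprayers(flows, min_targets=5, window=10):
    """Sources that hit >= min_targets distinct hosts on UDP/1434 within
    `window` seconds: the fan-out pattern of a host generating random targets."""
    by_src = defaultdict(list)
    for ts, src, dst, proto, dport, _ in flows:
        if proto == "udp" and dport == 1434:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits

def gateway_policy_violations(flows):
    """SQL-port flows crossing the internal/external boundary (should be filtered)."""
    def inside(ip):
        return ipaddress.ip_address(ip) in INTERNAL
    return [f for f in flows
            if (f[3], f[4]) in SQL_PORTS and inside(f[1]) != inside(f[2])]
```

Run against real NetFlow or firewall logs, a hit from `find_udp1434_sprayers` identifies a host to isolate, while a non-empty `gateway_policy_violations` result shows the gateway filter is not yet in place.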