Sapphire SQL Worm Analysis Complete

From: Matthew Murphy (mattmurphyat_private)
Date: Sat Jan 25 2003 - 15:52:03 PST


    I've completed an analysis of the 'Sapphire' SQL worm targeting MS-SQL
    servers.  Some have reported massive slowdowns.  An interesting part of this
    worm results from its use of UDP.  Attacked hosts/networks may generate ICMP
    Host/Port Unreachable messages in response to a Sapphire attack, amplifying
    the attack's strength.  One reason that this attack is worse for users of
    home systems, etc. that don't run any servers, is because Sapphire sends the
    entire 400 bytes or so in the initial packet, where scans from Code Red and
    brethren only prompted a 26-byte TCP SYN packet.
    
    The full analysis is available at:
    http://www.techie.hopto.org/sqlworm.html
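
The post describes two observable traits of Sapphire traffic: a single UDP datagram of roughly 400 bytes aimed at the SQL Resolution Service on 1434/udp, and the ICMP Port Unreachable replies that hosts without a listener send back to the probing address. The following Python script is an added detection example, not part of the original post or of the linked analysis. It parses a constructed packet log in a simple one-record-per-line format (the format, the sample addresses, the 404-byte packet size and the 350..450 byte matching band are all assumptions made for this example; the post only says "400 bytes or so"), flags sources that send Sapphire-sized probes to several hosts, and tallies the ICMP unreachables reflected back to each source so the reflected volume the post mentions can be quantified per probe source.

```python
import re
from collections import defaultdict

# Constructed sample packet log (not from the original post). One record per
# packet: "<proto> <src>[:<sport>] > <dst>[:<dport>] len=<bytes> [type=<t> code=<c>]".
# The first three lines imitate a Sapphire-sized UDP probe to three hosts; two of
# those hosts have no SQL Resolution Service listening and answer with ICMP
# Destination Unreachable / Port Unreachable (type 3, code 3).
SAMPLE_LOG = """\
udp 10.9.9.9:1337 > 192.0.2.10:1434 len=404
udp 10.9.9.9:1337 > 192.0.2.11:1434 len=404
udp 10.9.9.9:1337 > 192.0.2.12:1434 len=404
icmp 192.0.2.11 > 10.9.9.9 len=56 type=3 code=3
icmp 192.0.2.12 > 10.9.9.9 len=56 type=3 code=3
tcp 10.8.8.8:4000 > 192.0.2.10:80 len=60
udp 10.7.7.7:53 > 192.0.2.10:53 len=120
"""

LINE_RE = re.compile(
    r"^(?P<proto>udp|tcp|icmp) (?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r" > (?P<dst>[\d.]+)(?::(?P<dport>\d+))? len=(?P<len>\d+)"
    r"(?: type=(?P<type>\d+) code=(?P<code>\d+))?$"
)

SQL_RESOLUTION_PORT = 1434        # UDP port the worm targets (from the post)
# The post says the worm sends "400 bytes or so" in one datagram; the band below
# is an assumption chosen to match that description, not a figure from the post.
SAPPHIRE_MIN_LEN, SAPPHIRE_MAX_LEN = 350, 450
ICMP_UNREACHABLE, ICMP_PORT_UNREACHABLE = 3, 3   # ICMP type 3 / code 3


def parse_line(line):
    """Parse one record into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "len", "type", "code"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def is_sapphire_probe(rec):
    """A UDP datagram of roughly 400 bytes to 1434/udp matches the post's description."""
    return (rec["proto"] == "udp"
            and rec["dport"] == SQL_RESOLUTION_PORT
            and SAPPHIRE_MIN_LEN <= rec["len"] <= SAPPHIRE_MAX_LEN)


def is_port_unreachable(rec):
    """ICMP Destination Unreachable with code Port Unreachable."""
    return (rec["proto"] == "icmp"
            and rec["type"] == ICMP_UNREACHABLE
            and rec["code"] == ICMP_PORT_UNREACHABLE)


def analyse(log_text):
    """Per probe source: probe count/bytes, distinct targets, and ICMP unreachables sent back.

    An ICMP Port Unreachable is attributed to its destination, because that is
    the host whose probe triggered it; this is the reflected traffic the post
    describes as amplifying the attack.
    """
    stats = defaultdict(lambda: {"probes": 0, "probe_bytes": 0, "targets": set(),
                                 "unreachables": 0, "unreachable_bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_sapphire_probe(rec):
            s = stats[rec["src"]]
            s["probes"] += 1
            s["probe_bytes"] += rec["len"]
            s["targets"].add(rec["dst"])
        elif is_port_unreachable(rec):
            s = stats[rec["dst"]]
            s["unreachables"] += 1
            s["unreachable_bytes"] += rec["len"]
    return dict(stats)


def suspected_scanners(stats, min_targets=2):
    """Sources that sent Sapphire-sized probes to at least min_targets distinct hosts."""
    return sorted(src for src, s in stats.items() if len(s["targets"]) >= min_targets)


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for src in suspected_scanners(result):
        s = result[src]
        print(f"{src}: {s['probes']} probes ({s['probe_bytes']} B) to {len(s['targets'])} hosts, "
              f"{s['unreachables']} ICMP port-unreachables back ({s['unreachable_bytes']} B)")
```

The size band is deliberately loose because the post gives only an approximate figure; in a real deployment it should be tightened to the payload length recorded in the full analysis, and the ICMP tally is most useful on a border device, where the unreachables leaving the network toward many probe sources show up as a second, reflected flow alongside the inbound 1434/udp traffic.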
    



    This archive was generated by hypermail 2b30 : Sat Jan 25 2003 - 17:12:52 PST