Re: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

[Umit Tiric <umitt () softcom biz>]

In-Reply-To: <20030125021141.A23211 () romulus netgraft com>

We can confirm it here in Toronto, Canada. Even though the effect was 
minimal to us, we saw many major networks dissappear on the Internet.

The effect is like a LAN denial of service attack. The requests are 
distributed over port 1434 UDP to multicast addresses. If the multicast 
on the router is enabled, this can multiply the effect to WAN.

You have to patch your MS-SQL Server to the highest service pack. 

But, here is the funny thing, we had a MS-Project Server 2002 installed 
on a test machine with MSDE running. There is no service pack 3 for MSDE 
2000 yet, but there is a hotfix to solve the problem.

That hotfix requires service pack 2. When we tried to install service 
pack 2 for MSDE, it gave an error. On the Microsoft web site, it says 
that SOME! of the MSDE installations require the service pack 2 to be 
installed only from an update CD but not from the Internet.

I think it's going to be a while for all the networks to install these 
patches properly to stop these attack.

Meanwhile I also recommend the sys admins to block the outgoing 
1434TCP/UDP as well. Incoming blocking might protect some of your servers 
but if you are already effected, at least try to contain this in your LAN 
by blocking the outgoing ports.

I hope someone will reverse engineer this worm and tell us exactly what 
it did. 

Umit

> It looks like there's a worm affecting MS SQL Server which is
> pingflooding addresses at some random sequence.
>
> All admins with access to routers should block port 1434 (ms-sql-m)!
>
> Everyone running MS SQL Server shut it the hell down or make
> sure it can't access the internet proper!
>
> I make no guarantees that this information is correct, test it
> out for yourself!