Sophos


27 January 2003

Sophos FAQ on Slammer worm (W32/SQLSlam-A)

What is SQLSlam, aka Slammer, aka Sapphire?

W32/SQLSlam-A is a network worm which spreads entirely in memory. The worm infects the process space of Microsoft SQL Server 2000 by exploiting what is known as a buffer overflow. This allows W32/SQLSlam-A to begin running as part of your SQL server. Once running, the worm tries to send itself from your server to as many other internet sites as it can, until you stop it by shutting down your SQL server process. (The worm actually goes into what is known as an "infinite loop", so it will never stop spreading of its own accord.)

See: Detailed analysis of W32/SQLSlam-A

What is a buffer overflow?

Buffer overflows are caused by program bugs. They are exploited by sending more data to a program than it expects. If the program doesn't check for this, it will read in more data than it has reserved space for. The extra bytes it accepts may overwrite parts of memory which the operating system is using for other purposes. As an analogy, imagine that you are asked to check through 10 pages of a contract, and then to approve the contract by signing each page. Now imagine that you check carefully through the first 10 pages, but then blindly sign the bottom of all the pages you were given. If unscrupulous lawyers had prepared 12 pages instead of the 10 they asked you to check, you would have agreed to more than you intended.
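The following added example is not code from the Sophos FAQ or from Microsoft; it is a toy C request handler written to show the bug class described above. The packet format (one length byte followed by a payload), the `struct request` type, the 16-byte `FIELD_MAX` limit and the function names are all assumptions made for the example. The unsafe variant reads whatever length the sender declares, exactly the "12 pages instead of 10" situation in the analogy; the safe variant compares the declared length against both the bytes actually received and the space reserved before copying anything. The unsafe variant is shown for comparison only and is never run with an oversized packet here, since that would be undefined behaviour in C.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy wire format (constructed for this example, not real SQL Server traffic):
 *   pkt[0]    = declared payload length
 *   pkt[1..]  = payload bytes
 * The payload is copied into a fixed-size field: the program has reserved
 * FIELD_MAX bytes and must not accept more than that. */
#define FIELD_MAX 16

struct request {
    char   field[FIELD_MAX];   /* reserved space for the payload */
    size_t field_len;          /* how much of it is in use */
};

/* UNSAFE: trusts the length byte supplied by the remote side. If the sender
 * declares more than FIELD_MAX bytes, the loop writes past 'field' into
 * whatever follows it in memory (here 'field_len'; in a real server, saved
 * registers and the return address on the stack). */
int parse_request_unsafe(struct request *req, const uint8_t *pkt, size_t pkt_len)
{
    size_t declared = pkt[0];
    size_t i;
    (void)pkt_len;                      /* never consulted: that is the bug */
    for (i = 0; i < declared; i++)      /* no comparison with sizeof field */
        req->field[i] = (char)pkt[1 + i];
    req->field_len = declared;
    return (int)declared;
}

/* SAFE: validates the declared length against both the bytes actually
 * present in the packet and the space reserved for them before copying. */
int parse_request_safe(struct request *req, const uint8_t *pkt, size_t pkt_len)
{
    size_t declared;
    if (pkt_len < 1)
        return -1;                      /* no length byte at all */
    declared = pkt[0];
    if (declared > pkt_len - 1)
        return -1;                      /* claims more bytes than were sent */
    if (declared > sizeof req->field)
        return -1;                      /* more than the space reserved */
    memcpy(req->field, pkt + 1, declared);
    req->field_len = declared;
    return (int)declared;
}

/* Scratch request used by the demo below. */
static struct request scratch;

/* Constructed sample packets. */
static const uint8_t GOOD_REQ[9]   = { 8, 'u','s','e','r','n','a','m','e' };
static const uint8_t OVERSIZED[25] = { 24,
    'A','A','A','A','A','A','A','A','A','A','A','A',
    'A','A','A','A','A','A','A','A','A','A','A','A' };   /* declares 24 > 16 */
static const uint8_t TRUNCATED[3]  = { 8, 'a','b' };   /* declares 8, carries 2 */

int main(void)
{
    int n = parse_request_safe(&scratch, OVERSIZED, sizeof OVERSIZED);
    printf("oversized request: %s\n", n < 0 ? "rejected" : "accepted");
    n = parse_request_safe(&scratch, TRUNCATED, sizeof TRUNCATED);
    printf("truncated request: %s\n", n < 0 ? "rejected" : "accepted");
    n = parse_request_safe(&scratch, GOOD_REQ, sizeof GOOD_REQ);
    printf("well-formed request: %d payload bytes copied\n", n);
    return 0;
}
```

The only difference that matters between the two functions is the three comparisons at the top of `parse_request_safe`; everything a patch such as Microsoft's July 2002 fix has to do is make the program check the declared size against the reserved space before it reads the data in.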

Why hasn't the W32/SQLSlam-A buffer overflow been fixed?

The buffer overflow exploited by W32/SQLSlam-A was fixed six months ago. The vulnerability was first addressed by Microsoft in July 2002.

If you are a SQL Server 2000 user then you have probably invested a lot of time and money in both hardware and software, and you are probably using your SQL server to store and access information which is important to your company. So you owe it to yourself, to your company, and to your customers, to ensure that you keep yourself informed of security holes and patches. It is especially important to watch out for patches to the operating system itself, and for patches to software which you use to provide online services across your network.

See: Are your computers patched and secure?
See: Sophos Anti-Virus warns of SQLSlammer internet worm - W32/SQLSlam-A causes internet slowdown

Why can people on the internet connect to my SQL server?

This is a very good question to ask yourself.

In practice, there are few cases in which SQL servers need to be accessible directly off the internet. Few internet-oriented SQL servers deliver data directly to end users outside your company. Most deliver data to a web server, which converts the raw SQL data into HTML web pages and serves up these pages to the outside user.

Microsoft SQL Server 2000 uses two ports, 1433 and 1434. You should probably block these ports (inbound and outbound) at your internet router or firewall. In fact, you should block *everything* except for the traffic you have explicitly decided you want to allow.

Why can't anti-virus programs stop W32/SQLSlam-A getting into memory?

W32/SQLSlam-A arrives as a SQL server request packet. It gets into memory because your SQL server reads it into its own memory space quite intentionally. You need to block the malicious packet before it passes into the SQL server. If you have a packet-inspecting firewall, you can probably do this - but a much more effective solution is to block *all* packets aimed at port 1434, as SQL packets from outside your company are unlikely to be necessary. (A great many SQL packets from outside will, in fact, turn out to be malicious.)

What do I do to get rid of W32/SQLSlam-A?

W32/SQLSlam-A doesn't save itself onto disk, so stopping and restarting the SQL server processes (or, better still, rebooting your server) will disinfect it. But be sure to patch your SQL server before you restart it, or you run the risk of reinfection. Update your router or firewall rules at the same time.

Why isn't there a magic bullet to disinfect W32/SQLSlam-A and to fix my server without any effort?

When W32/SQLSlam-A infects your server, it overwrites memory which belongs to the SQL process. The worm then takes over a thread inside that process and enters an infinite loop. You cannot restore the memory image of your running SQL server to what it was before infection, so you should regard the SQL process as unsafe. (You could patch the worm in memory to stop it from spreading further, but the thread which the worm has taken over would remain in an infinite loop. You could patch the worm in memory to force it to terminate the thread it is running in, but this would still leave the SQL process in an unnatural state. You might even have multiple instances of the worm, each with its own "out of control" thread.)

To terminate any running instances of the worm, and to restore the system to a safe state, you need to terminate the process in which the worm is running. This means shutting down your SQL server, and bringing it back up again in proper control of all its own threads.

What happens if I simply do nothing?

If you are infected with W32/SQLSlam-A, then you will be advertising the fact on the internet. Packets will be observed flowing freely from your SQL server to port 1434 on a wide range of randomly-generated IP addresses. This advertises that your server has already been compromised.
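The traffic pattern just described is easy to check for on a router, firewall or flow-collector log. The following added example is not part of the Sophos FAQ; it is a small C fan-out check over flow records. The `struct flow` layout, the field names, the sample addresses and the threshold of five distinct destinations are all constructed for the example, and the choice of UDP is the worm's known transport rather than something the FAQ states. A host that sends port-1434 datagrams to many distinct destinations in a short window is flagged, while a web server talking repeatedly to its own database server is not.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One flow record, as a firewall or NetFlow export would summarise it.
 * Field names are constructed for this example. */
struct flow {
    const char *src;      /* source address */
    const char *dst;      /* destination address */
    const char *proto;    /* "udp" or "tcp" */
    int         dport;    /* destination port */
};

#define SQL_PORT_1434    1434   /* the port named in the FAQ */
#define MAX_DISTINCT     256    /* destinations tracked per source */
#define FANOUT_THRESHOLD 5      /* distinct destinations; tune to the window */

/* Count the distinct destinations that 'src' sent UDP/1434 traffic to. */
size_t udp1434_fanout(const struct flow *flows, size_t n, const char *src)
{
    const char *seen[MAX_DISTINCT];
    size_t seen_n = 0, i, j;

    for (i = 0; i < n; i++) {
        const struct flow *f = &flows[i];
        if (strcmp(f->src, src) != 0 || strcmp(f->proto, "udp") != 0 ||
            f->dport != SQL_PORT_1434)
            continue;
        /* Linear de-duplication is enough for a per-host window this size. */
        for (j = 0; j < seen_n; j++)
            if (strcmp(seen[j], f->dst) == 0)
                break;
        if (j == seen_n && seen_n < MAX_DISTINCT)
            seen[seen_n++] = f->dst;
    }
    return seen_n;
}

/* 1 if 'src' behaves like an infected SQL server, 0 otherwise. */
int looks_like_sqlslam(const struct flow *flows, size_t n, const char *src)
{
    return udp1434_fanout(flows, n, src) >= FANOUT_THRESHOLD;
}

/* Constructed sample: 10.0.0.5 sprays UDP/1434 at unrelated hosts;
 * 10.0.0.9 is a web server using its own database server on 10.0.0.20. */
static const struct flow SAMPLE_FLOWS[] = {
    { "10.0.0.5", "203.0.113.17",   "udp", 1434 },
    { "10.0.0.5", "198.51.100.201", "udp", 1434 },
    { "10.0.0.5", "192.0.2.88",     "udp", 1434 },
    { "10.0.0.5", "203.0.113.17",   "udp", 1434 },   /* repeat, counted once */
    { "10.0.0.5", "198.51.100.3",   "udp", 1434 },
    { "10.0.0.5", "192.0.2.250",    "udp", 1434 },
    { "10.0.0.5", "203.0.113.99",   "udp", 1434 },
    { "10.0.0.9", "10.0.0.20",      "tcp", 1433 },
    { "10.0.0.9", "10.0.0.20",      "tcp", 1433 },
    { "10.0.0.9", "10.0.0.20",      "udp", 1434 },
};
#define SAMPLE_FLOWS_N (sizeof SAMPLE_FLOWS / sizeof SAMPLE_FLOWS[0])

int main(void)
{
    const char *hosts[] = { "10.0.0.5", "10.0.0.9" };
    size_t i;
    for (i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%s: %zu distinct UDP/1434 destinations -> %s\n", hosts[i],
               udp1434_fanout(SAMPLE_FLOWS, SAMPLE_FLOWS_N, hosts[i]),
               looks_like_sqlslam(SAMPLE_FLOWS, SAMPLE_FLOWS_N, hosts[i])
                   ? "INVESTIGATE" : "ok");
    return 0;
}
```

Once port 1434 is blocked at the perimeter as the FAQ recommends, the same check run on the firewall's drop log tells you which internal hosts are still infected and need to be shut down, patched and restarted.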

Now, consider that the W32/SQLSlam-A worm is almost certainly derived from a very similar exploit published and documented by a Chinese hacking group. This exploit breaks into your SQL server, starts a command prompt, and gives control over this command prompt to the remote attacker. Anyone who notices that your server is infected can easily and immediately get complete control over it. (Because the SQL server runs with SYSTEM privilege, so does the command prompt in the "Chinese exploit". This means your attacker has administrative privilege on your server.)

Aside from the obvious risk to your server, allowing yourself to stay infected with W32/SQLSlam-A is bad internet citizenship. Infected servers may generate a huge volume of outbound traffic, all of which has to be carried across other people's networks.

I have a desktop computer running MSDE 2000 - am I also at risk?

MSDE 2000 (Microsoft SQL Desktop Engine) is a database engine built on SQL Server 2000 technology. Some versions of MSDE 2000 are also vulnerable to infection. Microsoft has published a list of its own applications that incorporate MSDE 2000 and may therefore be vulnerable. Sophos recommends customers check Microsoft's advice on this subject to see if applying a patch is appropriate.

According to Microsoft, users can verify if they are running MSDE 2000 by following these steps:

Why didn't I know about these risks beforehand?

Once again, forewarned is forearmed. Microsoft operates a security mailing list to warn you of vulnerabilities in and patches for their products. So do many other vendors, as well as the open source community. Why not sign up today?

See: Are your computers patched and secure?
