Help & HowTo: Slammer
Published: 27 Jan 2003 11:18 GMT
The havoc wreaked by the Sapphire worm, also known as Slammer and SQLExp, could have been avoided if a patch issued by Microsoft last July was administered.
As loopholes are found in products on a weekly basis, experts stressed that IT managers should keep abreast with the latest warnings and patches. One way is to subscribe to vulnerability mailing lists such as Microsoft's security bulletin.
"Companies need to take applying patches against new security threats seriously," said Graham Cluley, senior technology consultant at Sophos. "If you don't, then stopping new worms and viruses is as easy as catching smoke in a butterfly net."
"It takes companies anywhere from four to 12 months to apply patches -- the exposure window is far too big," said Viren Mantri, regional engineering manager, Network Associates.
Slammer causes increased traffic on UDP port 1434 and spreads via an exploit in Microsoft SQL 2000 Web servers, which in turn scans the Internet for other SQL servers to infect, according to Avert, the antivirus research division of security software maker Network Associates.
"The exploit uses a buffer overflow to gain control of a target server," Avert said.
To prevent external attacks from exploiting this vulnerability, administrators should block UDP port 1434 by downloading and applying Service Pack 3 from Microsoft.
After the server is restarted, the virus will be cleared from memory and reinfection can be deterred, said Network Associates' Mantri.
Cleaning up
Several antivirus firms have released advisories on next steps.
For Avert (Network Associates) users:
- Stinger will be able to locate the worm (in memory) on infected SQL servers and shut down the SQL processes.
Stinger is a standalone utility used to detect and remove specific viruses. It is not a substitute for full antivirus protection, but a tool to assist administrators and users when dealing with an infected system. Stinger utilises next generation scan engine technology, including process scanning, digitally signed DAT files, and scan performance optimisations.
Stinger must be run with administrator privileges to shut down SQL Server. Existing Sniffer users can use Sniffer filter to detect W32/SQLSlammer.worm traffic.
- A McAfee ThreatScan signature update is available to locate unpatched Microsoft SQL 2000 servers.
To effect the update, run the console auto update utility on the ePO server (not ePO console). Next, push out update tasks to all ThreatScan agents. After updating the ThreatScan installation, create a new ThreatScan task of type "Threat Scan".
Select the "Remote Vulnerability Detection" category and the "SQL Slammer Worm Vulnerability Check" on the scan options tab.
When this task is executed, all computers running Microsoft SQL Server 2000 that do not have service pack 3 will be reported.
- For users who have McAfee Desktop Firewall running on their SQL servers, simply create a rule that blocks incoming UDP port 1434.
Meanwhile, Trend Micro users can download its System Cleaner patch from its Web site.
Securing SQL Server 2000 On Jan. 15, Microsoft released a checklist of ways to improve the security of SQL Server installation:
- Install the most recent service pack.
- Security patches should be installed as they're released. Notifications are available via email.
- Use Microsoft Baseline Security Analyzer (MBSA) to assess a server's security.
- Use Windows Authentication Mode to shield a SQL Server installation from Internet-based attacks by restricting connections to Microsoft Windows user and domain user accounts.
- Isolate your server and back it up regularly.
- Assign a strong systems administrator password.
- Limit privilege level of SQL Server services.
- Disable firewall's SQL Server ports.
- Use secure file systems.
- Audit connections to SQL Server.
Delete or secure old setup files.
Let the editors know what you think in the Mailroom.
Did you find this article useful?
58 out of 121 people found this useful
- Share this article:
