MS SQL Server Worm Cripples Internet

By Nate Mook, BetaNews

January 25, 2003, 7:50 AM

Internet traffic slowed to a crawl early Saturday morning as a worm exploited a known flaw in Microsoft SQL Server 2000 and flooded the world's digital backbones. The attack used a buffer overflow in the SQL Server 2000 Resolution Service to execute code on a vulnerable server; the infected system then sent copies of the worm to randomly generated IP addresses as fast as its network link allowed, consuming massive amounts of bandwidth in the process. Because the entire worm fits in a single UDP datagram, no connection handshake slows it down, which is why it spread far faster than earlier worms such as Code Red.

Major Internet providers began to block the malicious traffic by mid-morning Saturday, although UUNet continued to report major slowdowns.

Microsoft issued a security bulletin (MS02-039) and patch for the SQL Server 2000 flaw last July, and the same fix was later rolled into SQL Server 2000 Service Pack 3, but many network administrators had apparently not updated their systems. The embedded MSDE 2000 edition that ships inside many third-party products was equally vulnerable, and administrators were not always aware it was installed. One such administrator told BetaNews that HFNetChk, a tool offered by Microsoft to confirm that all hot fixes were applied, did not correctly identify the missing patch.

The worm, called "Sapphire" or "SQL Slammer," specifically targeted UDP port 1434, the SQL Server 2000 Resolution Service, in order to find SQL Servers to compromise. By blocking all traffic on that port (and, as a precaution, the primary SQL Server port, TCP 1433) at network borders, administrators were able to quell the floods. Affected servers had to be rebooted to stop the flow of data: the worm lived only in the memory of the SQL Server process and never wrote itself to disk, so a reboot removed it, but an unpatched server that remained reachable on UDP 1434 would simply be reinfected.
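As an added example that is not part of the BetaNews article, the Python below shows the two checks a network operator would have wanted that morning: classifying a UDP/1434 datagram by its shape, and spotting a host that is spraying port 1434 at many destinations. The on-the-wire facts it relies on (a 376-byte UDP payload, leading byte 0x04 for a Resolution Service "open" request, followed by a long run of 0x01 bytes that overflows the instance-name buffer) come from later public analysis of the worm; the 64-byte name cut-off, the 20-host rate threshold and the sample traffic are constructed assumptions for the example.

```python
"""Flag SQL Slammer-style traffic in captured UDP datagrams.

Added example, not code from the article. Sample datagrams are
constructed, not captured traffic.
"""
from collections import defaultdict
from dataclasses import dataclass

SSRP_PORT = 1434
SLAMMER_PAYLOAD_LEN = 376   # UDP payload length of the worm datagram
SLAMMER_FILLER = b"\x01" * 97   # run of 0x01 that precedes the return address
# A real instance name is at most 16 characters; a type-0x04 request with a
# longer body is malformed at best. The 64-byte cut-off is an assumption.
MAX_SANE_INSTANCE_NAME = 64


@dataclass(frozen=True)
class Datagram:
    ts: float       # capture time in seconds
    src: str
    dst: str
    dport: int
    payload: bytes


def classify(dg: Datagram) -> str:
    """Return 'slammer', 'overflow', 'ssrp' or 'other' for one datagram."""
    if dg.dport != SSRP_PORT or not dg.payload:
        return "other"
    if dg.payload[0] != 0x04:
        return "ssrp"       # 0x02 ping, 0x03 client info, etc.: leave alone
    body = dg.payload[1:]
    if len(dg.payload) == SLAMMER_PAYLOAD_LEN and body.startswith(SLAMMER_FILLER):
        return "slammer"    # exact worm shape: 0x04 then the 0x01 run
    if len(body) > MAX_SANE_INSTANCE_NAME:
        return "overflow"   # far too long to be an instance name
    return "ssrp"


def scanning_sources(datagrams, window=1.0, threshold=20):
    """Sources that hit more than `threshold` distinct hosts on UDP/1434
    within any `window` seconds. Slammer emits thousands of datagrams per
    second, so the threshold is deliberately low (an assumption)."""
    by_src = defaultdict(list)
    for dg in datagrams:
        if dg.dport == SSRP_PORT:
            by_src[dg.src].append((dg.ts, dg.dst))
    scanners = set()
    for src, hits in by_src.items():
        hits.sort()
        lo = 0
        seen = defaultdict(int)     # distinct destinations in the window
        for hi in range(len(hits)):
            seen[hits[hi][1]] += 1
            while hits[hi][0] - hits[lo][0] > window:   # slide window forward
                seen[hits[lo][1]] -= 1
                if seen[hits[lo][1]] == 0:
                    del seen[hits[lo][1]]
                lo += 1
            if len(seen) > threshold:
                scanners.add(src)
                break
    return scanners


# Constructed sample traffic: one legitimate client, one infected host.
WORM = b"\x04" + SLAMMER_FILLER + b"\x90" * (SLAMMER_PAYLOAD_LEN - 98)  # filler stands in for the real code
PING = b"\x02"
LOOKUP = b"\x04" + b"MYINSTANCE"
SAMPLE = [Datagram(0.0, "10.0.0.5", "10.0.0.9", SSRP_PORT, PING),
          Datagram(0.1, "10.0.0.5", "10.0.0.9", SSRP_PORT, LOOKUP)]
SAMPLE += [Datagram(1.0 + i * 0.01, "192.0.2.7", f"198.51.100.{i}", SSRP_PORT, WORM)
           for i in range(30)]

if __name__ == "__main__":
    for dg in SAMPLE[:3]:
        print(dg.src, "->", dg.dst, classify(dg))
    print("scanning sources:", scanning_sources(SAMPLE))
```

The shape check catches the worm itself; the rate check catches the behaviour that actually hurt the backbones, and it would also fire on a future variant with a different payload. In practice the rate check is what you would feed to a border filter, since a single infected host produces the same signal whether its SQL Server is reachable from outside or only from an internal network.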

With the damage still being assessed, it was unclear on Saturday how many variants of the worm were spreading; later analysis found only the single 376-byte version. Along with flooding Internet pipelines, some administrators reported that the worm modified SQL Server settings such as encryption and default port configuration. Analysis of the worm's code found no such functionality: its payload does nothing but loop, generating random addresses and sending copies of itself, so configuration changes found on a compromised server point to some other cause.

Anti-virus company Symantec estimated that at least 22,000 systems were affected worldwide.

Comments (43)


By FunkyFred3k

posted Jan 25, 2003 - 8:55 PM

Could have been worse... imagine if this had happened in 3 or 4 years' time when Longhorn was out there with the Yukon-based file system on most desktop PCs!

The more I think about this though, I wonder if the telecoms and ISPs weren't more to blame than anyone else. I mean, I suspect part of the problem was that this is the first time ever they have experienced so many broadband lines running at 100% utilisation, and their backbones just weren't fast enough to handle so many broadband connections running at full usage.

I bet most ISPs buy their backbones with the theory that there will never be more than 10% of their users demanding the full bandwidth at any one time. Today they were proved wrong and they simply weren't ready for it.

Score: 0

By wendor

posted Jan 27, 2003 - 5:16 PM

"Could have been worse... imagine if this had happened in 3 or 4 years' time when Longhorn was out there with the Yukon-based file system on most desktop PCs!"

Wouldn't have made any difference at all. The Yukon-based filesystem, while using SQL DB features under the hood, will not have a publicly accessible port for SQL Server administration.

As for who is to blame....that's a whole 'nother story. But there are no confirmed reports of any systems being infected at all that had properly applied the security patch released back in July.

Are the Apache org and/or Linux distribution vendors to blame for the fact that large numbers of Linux/Apache installations on the internet have not applied the necessary patches for a worm that already exists in the wild?

Is Sun to blame for the fact that an estimated 65% of Solaris/SunOS systems on the internet (still the most common server connected to the internet) haven't applied patches needed to prevent wide open root access, despite the fact that the patches were released over two years ago?

Score: 0

By FunkyFred3k

posted Jan 25, 2003 - 8:44 PM

Imagine if the programmer of this virus had picked maybe one of the several security issues in BIND to exploit, or any other of the many MANY security issues that software included with most Linux distributions has had in the last year.

Linux is supposedly much more efficient (if you listen to Linux users - not that they are biased at all...), so that would mean even more CPU time available for the virus to make use of, right? Hmmm...

So what would you Linux users be saying then if it was Linux PCs being infected (which it VERY EASILY could have been if the author had chosen a Linux exploit)?

Oh, and don't use the "Linux/Unix admins wouldn't make this mistake" argument again. Fact is Linux and Unix ARE more stable. The downside of this is that there are many MANY Unix boxes out there that admins haven't touched (because they didn't have a reason to) in a long time which don't have updated versions of BIND etc. on them.

Score: 0

By wendor

posted Jan 27, 2003 - 5:23 PM

Ah, but the inevitable response to this argument is that "Linux" is perfectly secure because the problem isn't in "Linux"....it's in BIND, or Apache, or login, or telnetd.

Funny how they never want an apples-to-apples comparison. Because if you stick to the strict definition of "Linux" as being just the kernel.....then "Linux" is completely useless as a server and can't do anything useful at all.

If we define the common usage of "Linux" to be "an entire GNU/Linux distribution including all those other pieces like Apache, etc." then Linux has just as many (if not more) security patches, holes, problems, and exploits as Windows.

If we define "Linux" as just the kernel then there is no comparison. Windows is by definition infinitely better because, by that definition, Linux can't do any of the things that Windows can (GUI interface, web server, file sharing, etc.)

Score: 0

By Aitvo

posted Jan 27, 2003 - 6:16 PM

"Ah, but the inevitable response to this argument is that "Linux" is perfectly secure because the problem isn't in "Linux"....it's in BIND, or Apache, or login, or telnetd."

no no no no no, there are just as many holes in Linux applications (technically it isn't Linux). The correct claim is that the fixes are available faster, and don't incur downtime to install (Unless it's a kernel bug). No OS is perfectly secure especially out of the box.

Score: 0

By diaphanein

posted Jan 27, 2003 - 11:47 PM

I don't know what you qualify as downtime, but if I'm serving a web application and I have to take the web server offline to apply a patch to it (even if I don't have to reboot the machine), that's downtime. Downtime is any time the server is unavailable to fulfil specified requests, not just time spent rebooting.

Score: 0

By Aitvo

posted Jan 28, 2003 - 11:13 AM

Which is more detrimental?

-- Scenario A
install update
service whatever restart

-- Scenario B
stop service
install update
(maybe) oh, stop other services too
(maybe) install update
reboot

Downtime in Scenario A will barely be noticeable. Downtime in Scenario B will cause your phone to ring. Partnered servers are the way to go to eliminate that, but in the real world budgets usually don't allow for it.

Score: 0

By chris_kabuki

posted Jan 28, 2003 - 6:54 AM

You do realise that it is possible to patch a system like an application server or a web server without incurring downtime? (Well, we'll ignore the few milliseconds.) Obviously this is not possible if you only have a single app server or web server etc.

Score: 0

By wendor

posted Jan 27, 2003 - 7:27 PM

I agree.

Unfortunately, many of the "Linux advocates" seem to be unable to make that distinction.

Which has more issues: Windows or Linux? Definitely Windows.

Which has more issues: Windows or Linux + all the apps needed to duplicate the functions included in Windows? Now that's a toss up.

I do agree that being able to update a Linux app to fix a problem without having to restart the server is often a huge benefit... I'm glad to see Microsoft trying to move that way. I don't think Microsoft will ever get 100% there because they use the philosophy that the performance and feature benefits achieved through shared code/tight integration are worth the penalty of having one app affect another. Both approaches have benefits and drawbacks... and both camps seem to be slowly moving towards the middle.

Score: 0

By jrepin

posted Jan 25, 2003 - 8:26 PM

It happened once before and now again. Why don't these admins learn a thing and stop using this insecure Microsoft bloatware for serious tasks like running a server? Windows is just not up to the job. Especially with those lazy and stupid Windows admins.

Score: 0

By franzj

posted Jan 27, 2003 - 11:00 AM

Let's keep in mind that much of this weekend's headaches resulted from Internet port scanning and/or flooding. Had ALL computers connected been running Linux or UNIX at the time of the attacks, we still would've experienced some of the straining effects.

Score: 0

By diaphanein

posted Jan 25, 2003 - 8:41 PM

This isn't just a Windows problem. The same thing happens any time admins don't take care to protect against known (and unknown) threats. You can't just say it's MS. A lot of products out there, including those which you might consider for a 'serious server', have just as potentially dangerous flaws. Just because someone has written a worm to exploit one and not the other doesn't mean that either one is any better at providing security. You might as well stick your head in the sand.

Score: 0

By FunkyFred3k

posted Jan 25, 2003 - 9:01 PM

Exactly. Sooner or later someone WILL write a worm that exploits one of the many holes in some common GPL software out there. Wonder what the Unix admins and Linux kiddies will say then? I'm far from convinced all Unix boxes are kept up to date like some people in here claim.

Score: 0

By Phaseburn

posted Jan 25, 2003 - 11:07 PM

Oh, you are absolutely right. Not all Unix machines are kept up to date. Neither are Windows machines. There are morons on both sides of the fence. However, records from Symantec about rate of infection and total number of machines show that the number of Windows machines vulnerable to worms like this is much higher than the number of Unix machines affected by, say, Slapper, the Ramen worm, or any of the other Unix worms out in the wild. There have been some major BIND exploits over the years as well, some almost as severe as this worm. However, note that you've never once heard about a massive Unix outbreak on the same scale.

Score: 0

By wendor

posted Jan 27, 2003 - 5:44 PM

"However note that you've never once heard about a massive Unix outbreak on the same scale."

And THERE'S the key. "...you've never once heard about...."

It's not that they haven't happened....they have. (Heck, the Morris worm back in 1988 completely shut down 10% of ALL machines connected to the Internet....this worm caused slowdowns, but shut down almost none)

The difference is how they are reported. The press far more readily reports security problems/issues involving Microsoft and Windows than they do with say RedHat and Linux or Sun and Solaris because far more of their readers have heard of Microsoft and Windows than have ever heard of RedHat, Linux, Sun, or Solaris.

A great example was the sadmind/IIS worm back in 2001. It completely root exploited Solaris systems and left them completely wide open to the entire world, then instead of modifying the web pages on the Solaris systems themselves, it simply used the Solaris systems to scan for and modify web pages on Windows servers running IIS.

How did the press report it? As a Microsoft/IIS problem. Never mind the fact that Microsoft had issued a patch seven months earlier and that Sun had fixed their problem TWO YEARS earlier... the press reported it as an OS security problem and blamed it on Microsoft, hardly bothering to mention Sun or the fact that both companies had already provided patches to prevent the problem.

Score: 0

By jr

posted Jan 25, 2003 - 11:01 PM

Not "sooner or later": such worms exist *now*. Search Google for "openssl worm" for one example.

Score: 0

By clones

posted Jan 25, 2003 - 8:19 PM

All of Cingular was down today because they run MS SQL Server.

Score: 0

By wendor

posted Jan 27, 2003 - 6:11 PM

"All of Cingular was down today because they run MS SQL Server."

No. Not at all.

All of Cingular was down because they made mission-critical database servers publicly available on the Internet and then also failed to apply necessary security patches or even take the most basic, elementary security precautions (like blocking server admin port numbers from incoming public access).

Score: 0

By k3vmo

posted Jan 25, 2003 - 7:33 PM

I heard more than half the ISP's in South Korea and china were offline for a number of hours. Funny because since then, I haven't received a single spam. :)

Score: 0

By eddie

posted Jan 25, 2003 - 7:53 PM

k3vmo, you are very correct. Not much spam over this way either.

Score: 0

By franzj

posted Jan 27, 2003 - 11:02 AM

Someone should write a malicious program that targets spam E-Mail servers.

Oops... I can't believe I said that.

Score: 0

By Phaseburn

posted Jan 25, 2003 - 5:03 PM

Blaming people/companies/worm authors is ultimately pointless. Why not just secure the systems in question?

Windows bugs causing mass destruction again? Format, install linux. (Warning: This may cause data loss).

Personally I'm getting just a little sick of MS's bad code/security, and the end user's stupidity, clogging my backbones. This is like the 5th time in as many years (Code Red, Nimda, ILoveYou, Melissa, and now, this)

Score: 0

By FunkyFred3k

posted Jan 25, 2003 - 8:48 PM

>>Format, install linux.

Score: 0

By Tripwire

posted Jan 25, 2003 - 6:23 PM

Ah, here comes the Linux crowd that claims again that their OS is secure as hell. As someone said before, all admins of the affected systems failed to install a six-month-old patch. So guess WHOSE FAULT it is.

Score: 0

By Aitvo

posted Jan 27, 2003 - 11:19 AM

"As someone said before, all admins of the affected systems failed to install a six-month-old patch."

Bulls***, one of my patched systems was infected! SERVICE PACK 3 was needed to really fix it, which I was forced to install WITHOUT TESTING!

Score: 0

By wendor

posted Jan 27, 2003 - 5:07 PM

"Bulls***, one of my patched systems was infected!"

Yeah, right. I strongly suspect it was an "I'm pretty sure it was patched" system. There have been absolutely zero reports of infection on systems where the patch was properly installed.

"SERVICE PACK 3 was needed to really fix it, which I was forced to install WITHOUT TESTING!"

NO (and I do mean NO) version of the patch requires SP3 in order to prevent this particular attack/infection. It does (as the documentation says) require SQL2K SP2 to be properly installed first, but SP3 is not needed in any manner. (Though the patch itself is also included in SP3)

I am surprised that one of your systems was infected though. You know way too much about network security to have actually had a database server machine publicly accessible on the Internet without blocking critical ports from external access.

Score: 0

By Aitvo

posted Jan 27, 2003 - 6:13 PM

My servers aren't on the Internet, they are intranet only. It didn't have to be, though, unfortunately, once someone else's had it. I'm 100% sure that server was patched. I patched it myself, then rebooted and had another admin verify the timestamps on the patch Saturday; then Sunday morning when I checked it again it was infected.

Score: 0

By wendor

posted Jan 27, 2003 - 7:31 PM

OK, if you went through all of that I'll apologize and retract my claim.

I thought perhaps you were just throwing out a knee jerk reaction without having checked the details.

Sorry.

As far as getting it via someone else's machine....the same logic applies and they should be beaten about the head and shoulders with the biggest book on "common sense network security" that you can find.

Score: 0

By Aitvo

posted Jan 27, 2003 - 6:18 PM

I didn't use the "rereleased" patch that included the installer, though. I enjoyed the manual process of copying files and executing SQL statements instead. LOL

Score: 0

By beatstriken

posted Jan 26, 2003 - 12:50 PM

Yeah, Linux is good, I use it from time to time, but for your general user (as for now) it can be a major pain in the a** for doing some tasks that should be very simple. Granted, installation of software has become easier, but there are just some things that can be a pain.

Score: 0

By Phaseburn

posted Jan 25, 2003 - 7:45 PM

Don't blame the Linux crowd for Windows "admins" failing to apply a patch; that isn't our fault. While most people think Unix's biggest downfall is that it's hard to use, there are a lot of Unix admins that think it's actually the best thing about it: it keeps the morons off the platform. Yes, Unix has its problems as well, and its own security issues; however, on average, Unix system admins know twice as much about how their system works as their Windows counterparts. People who know their systems are more likely to keep them UP TO DATE, which is the ISSUE here. Check your facts.

Score: 0

By wendor

posted Jan 27, 2003 - 5:55 PM

"Check your facts."

I have. An estimated 65% of all Solaris/SunOS systems on the Internet have still not had a patch applied in order to prevent wide-open root shell access. A patch that was made available two years ago. An estimated 45% have still not had a patch applied to prevent the root exploit used by the sadmind/IIS worm. A patch that was released FOUR years ago.

This is not a trivial matter. Solaris/SunOS is still the most common server platform for internet-connected servers.

"People who know their systems are more likely to keep them UP TO DATE which is the ISSUE here."

This is a true statement. Unfortunately your generalization that Unix/Linux/etc. admins are more likely to know their systems and therefore more likely to keep them up to date is wrong. The facts show otherwise. Perhaps, as FunkyFred3k suggested, part of the problem is that Unix/Linux sysadmins are so used to their systems being stable that they get complacent about keeping them updated.

Score: 0

By ATMAvatar

posted Jan 25, 2003 - 7:05 PM

"One such administrator told BetaNews that a tool offered by Microsoft to confirm all hot fixes were applied, HFNetChk, did not correctly identify the missing patch. "

To their credit, it's hard for admins to apply a patch they either don't know about or think has already been applied.

It is pathetic that the software was set up in such a way that this could even happen. If Microsoft hadn't been so stupid as to make a server send a reply that is identical to a request, this wouldn't happen.

So, it seems Microsoft is at fault on two counts - poor programming of the actual server and then poor programming of the tool to check for missing patches.

Score: 0

By FunkyFred3k

posted Jan 25, 2003 - 8:36 PM

quote from the microsoft site:

"MBSA and HFNetChk were developed for Microsoft by Shavlik Technologies LLC"

(just so you get your facts straight).

However, on this occasion I think it was Microsoft's fault, as I believe they maintain the XML file with the lists of patches that HFNetChk uses.

Score: 0

By Phaseburn

posted Jan 25, 2003 - 11:03 PM

I've known they didn't write that tool - they just control it. However they provide the patch file listing, they missed it, they are to blame. My facts are straight.

Score: 0

By FunkyFred3k

posted Jan 27, 2003 - 6:16 AM

"poor programming of the tool to check for missing patches."

ooooooooooook.................

Score: 0

By somesysadmin

posted Jan 25, 2003 - 2:49 PM

We missed a patch. We had software controlling our doors with a stand-alone MS SQL that we did not realize was in the software.

We sent out enough traffic to cripple small websites. We found it fast, but sometimes things get very complicated on networks.

Watch those swipe-card access doors.

Score: 0

By wendor

posted Jan 27, 2003 - 7:32 PM

You should seriously take your vendor to task over this.

Part of supporting their product/solution includes the responsibility for supporting/maintaining/patching any tools (like SQL Server) that they used as part of the solution.

Score: 0

By towerdave

posted Jan 25, 2003 - 2:34 PM

"Internet traffic slowed to a crawl early Saturday morning as a virus-like worm exploited a known flaw in Microsoft SQL Server 2000 and flooded the world's digital backbones."

Should read:

"Internet traffic slowed to a crawl early Saturday morning as a virus-like worm exploited a flaw in MS SQL Server Admins, who failed to apply a patch available since June 2002, and flooded the world's digital backbones."

End of story

TowerDave

Score: 0

By somesysadmin

posted Jan 25, 2003 - 2:52 PM

I'm just wondering how many vendor products offer stand-alone MS SQL that haven't released updates.

I don't agree with JUST blaming sys admins. They are only part of a larger problem.

Score: 0

By StingK

posted Feb 7, 2003 - 6:38 AM

Fact is, anyone who leaves their database server open to the public Internet deserves to be infected, no matter what the bug was targeting. Be it MS SQL, Oracle, Postgres, DB2, hell, even MySQL: a database should not be in the "wild".

Score: 0

By Slic[K]

posted Feb 12, 2003 - 6:55 PM

I think a database should be "wild" because not everyone can afford to pay for hosting!

Score: 0