New Microsoft SQL Server Worm On The Rampage

It looks like there is a new internet worm on the loose. This one exploiting a couple of buffer overflow bugs in Microsoft SQL Server.
It looks to be using this old exploit. Microsoft have had a patch available for months, but people don’t keep up with security as much as they should.
I picked up the buzz on the bugtraq mailing list this morning.

It looks like there’s a worm affecting MS SQL Server which is pingflooding addresses at some random sequence. All admins with access to routers should block port 1434 (ms-sql-m)!

This seems to have started for us about 4:30pm (GMT+11) today. Lucky for us we block all MS-SQL 1434/udp traffic. We have logged over 130,000 firewall blocked connections across 15 odd sites, and it’s comming in from all over the world.

Tier 1 backbones are reporting a bad night: routing instabilities, one major dropped most of its peering for a while, the volume from this triggers the Cisco netflow switching bug and is causing routers to lock up at places, etc.

Thankfully I don’t run MS SQL Server (or any servers that are visible to the outside world).


A worm which exploits a (new?) vulnerability in SQL Server is bringing
the core routers to a grinding halt. The speed of the propagation can be attributed to the attack method and simplicity of the code. The worm sends a 376-byte UDP packet to port 1434 of each random target, each
vulnerable system will immediately start propagating itself. Since UDP is connection-less, the worm is able to spread much more quickly than those using your standard TCP-based attack vectors (no connect timeouts).
Some random screen shots, a copy of the worm as a perl script, and a disassembly (sorry, no comments) can be found online at: