That Microsoft SQL Server worm has a name now: Sapphire. eEye Digital Security has an analysis. SQL Sapphire Worm Analysis.
I’ve been lucky so far. There’s not so much as a peep on my firewall logs. Then again, I’m on a domestic broadband network, so the likely hood of it getting to my part of the net is less than some areas. My (linux based) hosting service hasn’t been affected either, and, by implication, neither has anywhere on the route between here and there.

I’ve added a graph of blog posting times over the last 30 days to the bottom of the page. It’s updated every hour. Thanks to Matt for the heads up and to Sanjay for the code.

The BBC have picked up on the story now Virus-like attack hits web traffic

In South Korea internet services were shut down nationwide for hours on Saturday, the country’s Yonhap news agency reported.
Users and news media also reported outages or slowdowns in Thailand, Japan, Malaysia, the Philippines and India.

It looks like there is a new internet worm on the loose. This one exploiting a couple of buffer overflow bugs in Microsoft SQL Server.
It looks to be using this old exploit. Microsoft have had a patch available for months, but people don’t keep up with security as much as they should.
I picked up the buzz on the bugtraq mailing list this morning.

It looks like there’s a worm affecting MS SQL Server which is pingflooding addresses at some random sequence. All admins with access to routers should block port 1434 (ms-sql-m)!

This seems to have started for us about 4:30pm (GMT+11) today. Lucky for us we block all MS-SQL 1434/udp traffic. We have logged over 130,000 firewall blocked connections across 15 odd sites, and it’s comming in from all over the world.

Tier 1 backbones are reporting a bad night: routing instabilities, one major dropped most of its peering for a while, the volume from this triggers the Cisco netflow switching bug and is causing routers to lock up at places, etc.

Thankfully I don’t run MS SQL Server (or any servers that are visible to the outside world).

Update:

A worm which exploits a (new?) vulnerability in SQL Server is bringing
the core routers to a grinding halt. The speed of the propagation can be attributed to the attack method and simplicity of the code. The worm sends a 376-byte UDP packet to port 1434 of each random target, each
vulnerable system will immediately start propagating itself. Since UDP is connection-less, the worm is able to spread much more quickly than those using your standard TCP-based attack vectors (no connect timeouts).
Some random screen shots, a copy of the worm as a perl script, and a disassembly (sorry, no comments) can be found online at: http://www.digitaloffense.net/worms/mssql_udp_worm/

This GeoURL thing is getting really popular. When I first posted about it, I had around 20 ‘neighbours’ within 500 miles. Now I have 100. I still think the alternative view is a more meaningful representation.

I asked Aamir to whom he’d wanted to show my site. It turned out it was a client. He wanted a real world example of how to get consistent good results on search engines, (without having to reveal any secrets) and used a google search for my name as an example. I’ve been number one for a search on my name since a few days after I started my blog. I haven’t moved off the top spot since then. That was also up from about page 4 (from older, no longer updated, sites of mine). Cool. I wish he’d told me though, I could have told him about the post I made recently Bad Fellowship Of The Ring Captions which had me at number one (above the site about which I was posting) in less than 48 hours!