That Microsoft SQL Server worm has a name now: Sapphire. eEye Digital Security has published an analysis: SQL Sapphire Worm Analysis.
I’ve been lucky so far. There’s not so much as a peep in my firewall logs. Then again, I’m on a domestic broadband network, so the likelihood of it getting to my part of the net is less than in some areas. My (Linux-based) hosting service hasn’t been affected either, and, by implication, neither has anywhere on the route between here and there.
Blog Times
More On The MS SQL Server Worm
The BBC have picked up on the story now: Virus-like attack hits web traffic.
In South Korea internet services were shut down nationwide for hours on Saturday, the country’s Yonhap news agency reported.
Users and news media also reported outages or slowdowns in Thailand, Japan, Malaysia, the Philippines and India.
New Microsoft SQL Server Worm On The Rampage
It looks like there is a new internet worm on the loose, this one exploiting a couple of buffer overflow bugs in Microsoft SQL Server.
It looks to be using this old exploit. Microsoft have had a patch available for months, but people don’t keep up with security as much as they should.
I picked up the buzz on the bugtraq mailing list this morning.
It looks like there’s a worm affecting MS SQL Server which is pingflooding addresses at some random sequence. All admins with access to routers should block port 1434 (ms-sql-m)!
This seems to have started for us about 4:30pm (GMT+11) today. Lucky for us we block all MS-SQL 1434/udp traffic. We have logged over 130,000 firewall blocked connections across 15-odd sites, and it’s coming in from all over the world.
Tier 1 backbones are reporting a bad night: routing instabilities, one major dropped most of its peering for a while, the volume from this triggers the Cisco netflow switching bug and is causing routers to lock up at places, etc.
Thankfully I don’t run MS SQL Server (or any servers that are visible to the outside world).
Update:
A worm which exploits a (new?) vulnerability in SQL Server is bringing the core routers to a grinding halt. The speed of the propagation can be attributed to the attack method and simplicity of the code. The worm sends a 376-byte UDP packet to port 1434 of each random target; each vulnerable system will immediately start propagating itself. Since UDP is connection-less, the worm is able to spread much more quickly than those using your standard TCP-based attack vectors (no connect timeouts).
Some random screen shots, a copy of the worm as a perl script, and a disassembly (sorry, no comments) can be found online at: http://www.digitaloffense.net/worms/mssql_udp_worm/
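The two facts an admin can act on from the posts above are the target (1434/udp) and the packet size (376 bytes of UDP payload). As an added example, not code from this blog or from the bugtraq thread quoted above, here is a small Python triage helper that (a) checks whether a captured UDP payload has the worm's shape and (b) counts blocked 1434/udp hits per source in iptables-style firewall log lines, so you can tell whether the 130,000-hits-a-night picture described above applies to you. The 376-byte length and the port come from the posts; the leading 0x04 opcode byte and the run of 0x01 filler bytes come from the eEye analysis linked at the top of the page; the log line format, the filler threshold, the sample payload and the sample log lines are my own constructions.

```python
"""Triage helper for MS-SQL/1434 UDP worm traffic (added example, not
from the original page).  Assumptions: iptables-style LOG lines, a filler
threshold of 64 bytes, and constructed sample data."""
import re
from collections import Counter

SSRS_PORT = 1434          # ms-sql-m (SQL Server Resolution Service), UDP
WORM_PAYLOAD_LEN = 376    # UDP payload length reported on bugtraq
IP_UDP_HEADERS = 20 + 8   # on-the-wire size is payload + IP + UDP headers


def is_sapphire_payload(payload: bytes, min_filler: int = 64) -> bool:
    """True if a UDP payload has the worm's shape.

    Shape: exactly 376 bytes, first byte 0x04 (the SSRS opcode that reaches
    the overflowed buffer), then a long run of 0x01 filler bytes that pads
    the buffer before the return address is overwritten.  min_filler is an
    assumed threshold; a real worm packet carries far more than 64.
    """
    if len(payload) != WORM_PAYLOAD_LEN or payload[0] != 0x04:
        return False
    run = 0
    for b in payload[1:]:
        if b != 0x01:
            break
        run += 1
    return run >= min_filler


# iptables LOG format (assumed): the first LEN= is the IP total length.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) LEN=(?P<iplen>\d+).*?"
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_firewall_line(line: str):
    """Extract src, dst, IP length, protocol and ports; None if not a LOG line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "src": d["src"], "dst": d["dst"], "iplen": int(d["iplen"]),
        "proto": d["proto"], "spt": int(d["spt"]), "dpt": int(d["dpt"]),
    }


def summarise_firewall_log(lines):
    """Count blocked udp/1434 hits per source and how many are worm-sized."""
    per_src = Counter()
    total = worm_sized = 0
    for line in lines:
        rec = parse_firewall_line(line)
        if rec is None or rec["proto"] != "UDP" or rec["dpt"] != SSRS_PORT:
            continue                      # e.g. tcp/1433 scans are not this worm
        total += 1
        per_src[rec["src"]] += 1
        if rec["iplen"] == WORM_PAYLOAD_LEN + IP_UDP_HEADERS:   # 404 bytes
            worm_sized += 1
    return {"total": total, "worm_sized": worm_sized, "per_src": per_src}


# Constructed sample payload: real packets carry shellcode after the 0x01
# filler; here placeholder 0x90 bytes keep the length at 376.
SAMPLE_WORM_PAYLOAD = b"\x04" + b"\x01" * 97 + b"\x90" * (WORM_PAYLOAD_LEN - 98)
SAMPLE_SSRS_PING = b"\x02"     # a legitimate one-byte SSRS browse request

# Constructed log lines (documentation address ranges only).
LOG_SAMPLE = """\
Jan 25 05:31:02 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=404 TOS=0x00 PREC=0x00 TTL=113 ID=4321 PROTO=UDP SPT=1130 DPT=1434 LEN=384
Jan 25 05:31:02 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=404 TOS=0x00 PREC=0x00 TTL=120 ID=77 PROTO=UDP SPT=1130 DPT=1434 LEN=384
Jan 25 05:31:03 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.3 LEN=29 TOS=0x00 PREC=0x00 TTL=113 ID=4322 PROTO=UDP SPT=2000 DPT=1434 LEN=9
Jan 25 05:31:04 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=5 PROTO=TCP SPT=40000 DPT=1433 WINDOW=5840 RES=0x00 SYN URGP=0
""".splitlines()

if __name__ == "__main__":
    print("worm payload:", is_sapphire_payload(SAMPLE_WORM_PAYLOAD))
    print("ssrs ping   :", is_sapphire_payload(SAMPLE_SSRS_PING))
    print(summarise_firewall_log(LOG_SAMPLE))
```

The size check on the log side is only a heuristic (anything else sending exactly 376 bytes to 1434/udp would match), so treat the per-source counts as a prompt to look at the payload, which the first function does properly.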
The Taggerung
I finished The Taggerung by Brian Jacques this morning. It was great. I really like his tales. I like his narrative style too. The plot is simple (it is for kids), but the characters and landscapes are rich.
Recommended.
Nu Metal Day
It’s been a ‘Nu Metal’ day. All I’ve listened to so far today is Nickelback, The Calling, Creed, Puddle Of Mudd, etc. and of course Linkin Park. Mucho head boppin’ 🙂
GeoURL
This GeoURL thing is getting really popular. When I first posted about it, I had around 20 ‘neighbours’ within 500 miles. Now I have 100. I still think the alternative view is a more meaningful representation.
Google Searches and Doing It Right
I asked Aamir to whom he’d wanted to show my site. It turned out it was a client. He wanted a real-world example of how to get consistently good results on search engines (without having to reveal any secrets) and used a Google search for my name as an example. I’ve been number one for a search on my name since a few days after I started my blog. I haven’t moved off the top spot since then. That was also up from about page 4 (from older, no longer updated, sites of mine). Cool. I wish he’d told me though; I could have told him about the post I made recently, Bad Fellowship Of The Ring Captions, which had me at number one (above the site about which I was posting) in less than 48 hours!