Virus

W32/SQLSlammer

Analysis

  • Threat is comprised of a single 376-byte UDP packet sent to port 1434
  • Threat exploits a vulnerability in the MS SQL Server 2000 Server Resolution Service (SSRS); the vulnerability exists in SQL Server 2000 Service Pack 2 and earlier - the recommendation for all systems is to upgrade to SP3
  • MS SQL Server 2000 SSRS listens on port 1434 and replies to ping messages sent from other SQL Server systems as a means of acknowledging the other server across a network; a vulnerability exists if a hacker creates a forged ping message directed at one SQL Server that appears to originate from another SQL Server - the result is both servers acknowledging each other until one or both become inactive or locked
  • When the threat attacks an SQL Server, the initial part of the packet triggers a buffer overflow, which transfers execution to the code that follows the overflow in the same packet
  • Threat then runs memory resident on that system until the system is restarted, continuously attacking random IP addresses by flooding UDP packets to port 1434

Recommended Action

  • FortiGate units detect this attack when running IDS attack definition 2.01 or later - the attack may be reported in the Attack log
  • Customers not implementing SQL communication with other sites may choose to disable inbound access to TCP/UDP ports 1433 and 1434 (EXT -> INT)
  • Customers are urged to apply at least the minimum patch update to Windows servers, or if possible SP3, on MSDE/SQL Server systems
  • For additional information, see the details on our website
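The following is an added example, not Fortinet code and not part of the original advisory. It turns the Analysis section's traffic profile (a single 376-byte UDP datagram to port 1434, followed by the infected host spraying such datagrams at random addresses) into a small detector that could be run over decoded datagrams from a capture, and it complements the IDS recommendation above by showing what a host-to-host "sweep" looks like in that data. The leading 0x04 byte (the SSRS request type that carries the overflow) and the single-byte 0x02 benign ping are assumptions drawn from Microsoft's description of SSRS, not from this page; the sample traffic is constructed and the "worm" payload is harmless filler of the right length.

```python
"""Detector for SQL Slammer-style UDP/1434 datagrams (added example, not Fortinet code)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

SLAMMER_PAYLOAD_LEN = 376   # packet size stated in the advisory
SSRS_PORT = 1434            # SQL Server Resolution Service port stated in the advisory
SSRS_REQUEST_TYPE = 0x04    # assumption: the SSRS request type the overflow rides on


@dataclass(frozen=True)
class Datagram:
    """One decoded datagram; in practice this would come from a pcap or flow record."""
    src: str
    dst: str
    proto: str
    dst_port: int
    payload: bytes


def is_slammer_candidate(d: Datagram) -> bool:
    """True when a datagram matches the worm profile: UDP, port 1434, exactly 376 bytes,
    starting with the SSRS request type. Legitimate SSRS pings are only a few bytes long,
    so the length alone already makes the datagram anomalous."""
    return (
        d.proto == "udp"
        and d.dst_port == SSRS_PORT
        and len(d.payload) == SLAMMER_PAYLOAD_LEN
        and d.payload[:1] == bytes([SSRS_REQUEST_TYPE])
    )


def sweeping_sources(datagrams: Iterable[Datagram], min_targets: int = 3) -> Dict[str, int]:
    """Map each source to the number of distinct destinations it hit with candidate
    datagrams, keeping only sources at or above min_targets. A memory-resident
    infection attacks random IPs continuously, so one source fanning out to many
    hosts is the signal worth alerting on (and the host to isolate and reboot/patch)."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    for d in datagrams:
        if is_slammer_candidate(d):
            targets[d.src].add(d.dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


# Constructed sample traffic (not captured data). The fake worm payload is a 0x04 byte
# followed by 375 filler bytes: right length and leading byte, no executable content.
FAKE_WORM_PAYLOAD = bytes([SSRS_REQUEST_TYPE]) + b"\x01" * (SLAMMER_PAYLOAD_LEN - 1)
BENIGN_PING = bytes([0x02])  # assumption: a normal SSRS client ping is a single byte

SAMPLE_TRAFFIC: List[Datagram] = [
    Datagram("10.0.0.5", "10.0.0.9", "udp", SSRS_PORT, BENIGN_PING),          # normal ping
    Datagram("10.0.0.7", "10.0.1.1", "udp", SSRS_PORT, FAKE_WORM_PAYLOAD),    # infected host
    Datagram("10.0.0.7", "172.16.4.4", "udp", SSRS_PORT, FAKE_WORM_PAYLOAD),  # ...sweeping
    Datagram("10.0.0.7", "192.0.2.33", "udp", SSRS_PORT, FAKE_WORM_PAYLOAD),  # ...random
    Datagram("10.0.0.7", "198.51.100.8", "udp", SSRS_PORT, FAKE_WORM_PAYLOAD),  # ...targets
    # Same length over TCP/1433 (ordinary TDS traffic): must not match.
    Datagram("10.0.0.8", "10.0.1.1", "tcp", 1433, b"\x12\x01" + b"\x00" * 374),
]

if __name__ == "__main__":
    for src, n in sweeping_sources(SAMPLE_TRAFFIC).items():
        print(f"{src}: {n} distinct hosts hit with 376-byte UDP/1434 datagrams")
```

The per-source fan-out check matters more than the single-packet match: a lone 376-byte datagram arriving from outside is the initial infection attempt and is handled by the port 1433/1434 inbound block recommended above, whereas a source inside the network fanning out to many destinations is an already-infected server that needs to be restarted and patched to SP3.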