[linux-elitists] MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

Karsten M. Self kmself@ix.netcom.com
Wed Jan 29 18:09:47 PST 2003


on Wed, Jan 29, 2003 at 07:00:15PM -0500, Andrew (akohlsmith-le@benshaw.com) wrote:
> >   - Another number I've been pulling out of /dev/ass (mostly because
> >     nobody's provided anything more useful) is that there are 10m Win2K
> >     systems in existence.
> >
> >   - This means that the infected hosts were on the order of 1% of all
> >     potential hosts.  That is, Microsoft users were attaining a 99%
> >     patch and/or secure rate of systems publicly visible to the worm.
> >     This is a pretty good compliance rate.  It was also wholly
> >     inadequate in preventing this attack.
> 
> There are 10M win2k systems with SQL Server 2000 on them, or 10M win2k 
> systems, 

I'm positing the latter.  I know that there are roughly 400m-500m PCs in
existence.  Presume somewhat more than half of those are Win(3x|9x|ME)
systems.  That would put a 10-20% marketshare for Win2K server at
between 5 and 10m units.  Hard data are hard to find -- Microsoft is
very fond of talking in percent growth, rather than units, and desktop
and server products are confounded.  Stories in the Jan-Mar 2000 period
cite 1m units/mo (not distinguishing server and desktop).  Apparently 1m
server units were shipped by Feb 9, 2001.

    http://archive.infoworld.com/articles/hn/xml/01/02/09/010209hnwinser.xml

My guess is that my 10m figure is probably high side, but not
outrageously so.  My point that a very small percentage of unpatched
systems provides a serious and disruptive vulnerability base remains.


> some (I am willing to bet very small) percentage of which have SQL 
> Server 2000 on them?   I also do not buy the next point:
> 
> >   - The MS SQL engine is incorporated into a large number of MSFT
> >     products.  While not absolving guilt, it does help to explain why
> >     so many exposed systems existed.  The overhead of knowing what
> >     services exist on a given system, and of keeping these systems
> >     patched, increases consequently.
> >
> >     http://www.microsoft.com/technet/security/MSDEapps.asp
> 
> While a drop in the bucket of 10M Win2k installs, The 100 or so that I
> am in direct or peripheral control over have nothing with the SQL
> Server 2000 engine in them.  Not by design, but rather because the
> software running on them simply doesn't have it.  Remember that SQL
> Server 7, while vulnerable to a bazillion other attacks, was
> completely unaffected in this particular one.  SQL Server 2000 is also
> not anywhere near a default install of Win2k.

If you read the link posted, you'll find a list of 18 products, (lord
forgive me for yelling) NOT INCLUDING MS SQL SERVER, that include the MSDE.

Of course, you've scanned your internal and external interfaces to
ensure they're clean, so no worries.



> Additionally, how many of the 10M systems have incoming ports open?
> That is, how many hundreds of thousands of them are behind even simple
> NATting firewalls, sitting in offices in corporate
> America/insert_country_here?

Well, we know for a fact that the baseline count is the 16k systems
Dartmouth logged.

Network Associates reports in a Reuters story that 150k-200k servers
worldwide were compromised (Vincent Gullotto, VP of Anti-virus Response
Team, Network Associates):

    http://ca.news.yahoo.com/030126/5/rioe.html 

...which raises us from 0.2% noncompliance to 2% noncompliance.


Again:  my point is that such small fractions and low numbers were
sufficient to take out major portions of the Net, such that the only
option to control the attack was to block port 1434 transmissions.

Or as a friend noted:  what if the infected system had been IIS (or
Apache for that matter).  Controlling _that_ mode of attack would
require port 80 blocking.  Globally.  Care to contemplate _that_
scenario?



> I'm not usually a betting man, but I am willing to wager that the
> number of systems running SQL Server 2000 which were capable of
> receiving the exploit and were successfully exploited are a damned lot
> higher than the 1% you estimate.

I've backed my comments with the best data I have available at present.
Much of which is very much conjecture, but let's assume it's decent
conjecture.  Again, if anyone can provide harder figures, we can dial
this in.

I've also pointed out that 99% compliance *is nowhere near good enough*.
Any increase in the amount of deployed systems increases the vulnerable
population.  Any increase in the number of vulnerable systems indicates
that 1% noncompliance is an optimistic estimate.  In either case, the
point is merely emphasized:  existing protocols for retroactively
securing deployed systems are inadequate to a highly aggressive attack.

That's the lesson to take home.

Peace.


--------------------
Notes:

1.  Other deployment reports:

    Windows XP, The New Frontier
    http://www.netdesk.com/CourseInfo/Articles/ITProfessionals/WinXP.asp

        The consumer OS has the advantage of a huge install base (over
        300 million users worldwide
         

    http://www.microsoft.com/msft/earnings/FY03/Q03_2_channelbusiness.htm

    Dividing server revenues $4.566m by an assumed cost of $600/u for
    2H2002 gives 7.6m units.  This is in line with ~10m units sold
    total.  Server revenues aggregates both NT and 2K sales.  Pricewatch
    gives a nominal price of $550 - $650 for a server + 5 CALs.
            

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   The Amazon "one-click" patent boycott -- yes, it continues:
     http://www.fsf.org/philosophy/amazon.html#whyContinue
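A defender's counterpart to the port-1434 blocking the thread discusses, as an added example that is not part of the original post: a small Python detector that reads firewall log lines (constructed here in an iptables-style KEY=VALUE format, an assumption) and flags hosts that send UDP datagrams to port 1434 (the transport and port the worm propagated over) at many distinct destinations, the fan-out an infected MSDE host shows but a legitimate client querying one known SQL server does not. The log format, addresses and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an iptables-style format (not from the thread).
# 10.0.0.7 sprays UDP/1434 at many hosts; 10.0.0.21 queries one known server.
SAMPLE_LOG = """\
Jan 25 05:30:01 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.7 DST=203.0.113.4 PROTO=UDP SPT=1040 DPT=1434
Jan 25 05:30:01 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.7 DST=198.51.100.9 PROTO=UDP SPT=1040 DPT=1434
Jan 25 05:30:01 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.7 DST=192.0.2.77 PROTO=UDP SPT=1040 DPT=1434
Jan 25 05:30:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.7 DST=192.0.2.12 PROTO=UDP SPT=1040 DPT=1434
Jan 25 05:30:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.21 DST=10.0.0.50 PROTO=UDP SPT=3200 DPT=1434
Jan 25 05:30:03 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.21 DST=10.0.0.50 PROTO=TCP SPT=3201 DPT=1433
Jan 25 05:30:03 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.33 DST=203.0.113.10 PROTO=TCP SPT=2000 DPT=80
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
SQL_RESOLUTION_PORT = 1434  # UDP port the worm in the thread propagated over


def parse_line(line):
    """Return the KEY=VALUE fields of one log line as a dict (empty if none)."""
    return dict(FIELD_RE.findall(line))


def udp_1434_fanout(log_text):
    """Map each source IP to the set of distinct destinations it sent UDP/1434 to."""
    fanout = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("PROTO") == "UDP" and fields.get("DPT") == str(SQL_RESOLUTION_PORT):
            fanout[fields["SRC"]].add(fields["DST"])
    return fanout


def suspected_scanners(log_text, min_distinct_dsts=3):
    """Sources that hit UDP/1434 on at least min_distinct_dsts distinct hosts.

    One query to a single known SQL server is ordinary resolution traffic;
    spraying many destinations is the worm-like pattern worth isolating."""
    return sorted(src for src, dsts in udp_1434_fanout(log_text).items()
                  if len(dsts) >= min_distinct_dsts)


if __name__ == "__main__":
    fanout = udp_1434_fanout(SAMPLE_LOG)
    for src in suspected_scanners(SAMPLE_LOG):
        print(f"{src}: UDP/1434 to {len(fanout[src])} distinct hosts")
```

On real logs, feed the output of `grep DPT=1434` from the firewall log instead of the constructed sample.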
