[linux-elitists] MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

Karsten M. Self kmself@ix.netcom.com
Thu Jan 30 13:18:30 PST 2003


on Thu, Jan 30, 2003 at 10:13:03AM -0500, Michael Bacarella (mbac@netgraft.com) wrote:
> > > You're wrong.  Number 8 (subitem 1 through three, sub-sub items one through 
> > > three) is SQL Server 2000.
> > 
> > As the unix-haters password prompt says, "close enough".
> > 
> > Robert Graham's analysis, posted separately, suggests that desktop
> > rather than server systems were principally involved in the propagation
> > of this attack.  These likely outnumber W2KS installs by a factor of two
> > to four, and as the list notes, several desktop products would have
> > installed the MSDE.  Which dials us in a bit further.
> 
> Firstly, in case I'm off topic, let me state for the record that I am
> completely off topic and missing the point.

Sorry, you're wrong again ;-)

This actually *is* on point.


> Now, in addition to being annoyed at Microsoft for only the largest,
> most devastating infrastructure compromise to date, I'm also annoyed
> at how the media reported this.

That's a good point.  I hadn't realized this until now....

> Naturally they would get the technical details wrong, but in such a
> case it could have made a huge difference if they had provided usable
> information.  

Note that "the media" == "people, many of whom don't particularly
understand the technical problem themselves, who are quoting the usual
suspects, largely recognized domain experts".  The problem isn't so much
that the media got this wrong, but that the domain experts did.

  - The worm affected principally desktops, not servers (by virtue of
    the MSDE-using apps).

  - Patching wasn't the appropriate prophylactic option in this case.

  - Pre-staged or not, the rapidity of the attack would likely not have
    mattered.  Propagation was so fast that the difference in infection
    rates between a single system and several hundreds or thousands
    would have been a matter of seconds.



> It's not JUST businesses and network admins who had to worry about
> this.  There's a good chance that YOU, the MCSE in training who
> installed MSDE 12 months ago and forgot about SQL Server are
> contributing to this.  Here's how to see if you are propagating a
> worm.  Here's what to do if you are infected.

True, though this information did eventually come out.

More to the point:  the initial response indicated on NANOG, Bugtraq,
and this list was *precisely the right thing to do*:  block UDP 1434.
Not only was it the appropriate response, but it halted propagation of
the worm (and likely avoided widespread rebound attacks Monday morning).
It's rare that the first instinct is the right one; in this case it was.

> If most sys admins don't even follow technical mailing lists,
> why would they think hobbyists and students would find the
> right information?  Didn't the AP speak to several security
> experts?  If the worm had a malicious nature, that one article
> would've been a good start to counteracting it.

This exploit violated conventional wisdom on a number of points.  It's
been retrospective analysis over the past week that's allowed us to
resolve how it works.  Systems security, like military science, is
always fighting the _last_ war.

Sapphire / Slammer / Slapper also seems to be a strong argument for
prospective security:  actively scanning for vulnerable systems and
patching or disabling them.  Jay's suggestion for changepoint analysis
(I'm researching the topic) also sounds interesting.  I'd like to see a
further explanation of just how this would be applied in this case.

Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   There is no K5 Cabal:  http://www.kuro5hin.org/
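As an added example (not from this thread or its author), here is the "block UDP 1434" response and the changepoint idea from the post put together in Python: a one-sided CUSUM over per-second counts of UDP/1434 datagrams finds the second at which a host starts scanning, and the hosts behind the jump are listed as the ones to isolate behind the border filter. All flow records, addresses and thresholds are constructed for the illustration.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed flow records: (epoch second, src, dst, proto, dport).
# Background: a few legitimate UDP/1434 lookups and TCP/1433 connections.
# From t=20 one host starts emitting Slammer-style UDP/1434 datagrams at a
# rate that climbs every second (constructed numbers, not measurements).
T0 = 1043950800
RECORDS = [(T0 + t, "10.0.0.5", "10.0.1.9", "udp", 1434)
           for t in (1, 4, 4, 6, 9, 13, 13, 16, 19)]
RECORDS += [(T0 + t, "10.0.0.7", "10.0.1.9", "tcp", 1433) for t in range(0, 20, 3)]
RECORDS += [(T0 + 20 + t, "10.0.0.42", f"198.51.100.{i % 250 + 1}", "udp", 1434)
            for t in range(6) for i in range(900 + 700 * t)]

def per_second_counts(records, proto="udp", dport=1434):
    """Datagrams to proto/dport per second, first to last timestamp seen;
    seconds with no matching traffic count as zero."""
    start, end = min(r[0] for r in records), max(r[0] for r in records)
    hits = Counter(r[0] for r in records if r[3] == proto and r[4] == dport)
    return [hits[t] for t in range(start, end + 1)]

def cusum_changepoint(counts, baseline_len=10, k_sigma=0.5, h_sigma=5.0):
    """One-sided CUSUM: index of the first interval where the accumulated
    excess over the baseline mean crosses the threshold, else None.
    Baseline mean/std come from the first baseline_len intervals; std is
    floored at 1 so a near-silent baseline does not alarm on one packet."""
    base = counts[:baseline_len]
    mu, sigma = mean(base), max(pstdev(base), 1.0)
    k, h, s = k_sigma * sigma, h_sigma * sigma, 0.0
    for i, x in enumerate(counts):
        s = max(0.0, s + (x - mu) - k)  # drift below the mean resets to 0
        if s > h:
            return i
    return None

def scanning_sources(records, since_ts, proto="udp", dport=1434, min_datagrams=100):
    """Hosts that sent at least min_datagrams to proto/dport from since_ts on:
    the candidates to isolate once the border filter on UDP 1434 is in place."""
    per_src = Counter(r[1] for r in records
                      if r[0] >= since_ts and r[3] == proto and r[4] == dport)
    return sorted(src for src, n in per_src.items() if n >= min_datagrams)

def analyze(records):
    """(epoch second of the detected jump or None, offending source hosts)."""
    idx = cusum_changepoint(per_second_counts(records))
    if idx is None:
        return None, []
    since = min(r[0] for r in records) + idx
    return since, scanning_sources(records, since)
```

On the constructed records `analyze(RECORDS)` flags the twentieth second and a single source host; the nine background lookups from the other host never accumulate past the threshold, so they are not blocked.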