SQL Server "Slammer" Worm

On Friday, January 24th, a worm that exploits a security flaw in SQL Server 2000 and MSDE began to propagate across the Internet.  The worm is called "Slammer" or "Sapphire" and exploits a security hole that Microsoft patched in July 2002 (security bulletin MS02-039).  The security patch is also included in the just released Service Pack 3 for SQL Server 2000 and MSDE. (1/28/2003)


Overview

The worm carries no destructive payload and doesn't alter or destroy any data.  The damage comes from the flood of traffic it generates while scanning for new hosts, which amounts to a denial of service attack on the networks it runs on.  Experts estimate that over 200,000 servers were compromised by Saturday night.  Providers such as DellHost, Interland and KT Corp (Korea's largest web access provider) were almost completely shut down.

Microsoft updated their original patch to include a stand-alone installer.  Previous security patches were delivered as individual files that had to be copied to the proper locations by hand.  According to Microsoft, future SQL Server patches will be delivered as stand-alone installers.  This should make patching SQL Server much easier.

Only unpatched servers that had UDP port 1434 (the SQL Server Resolution Service, which clients use to locate named instances) exposed to the Internet were vulnerable.  The addition of MSDE (Microsoft SQL Server 2000 Desktop Engine) as a target complicated the identification of infected systems.  Many applications use MSDE as their database and install it as part of their own installation, so a machine can be running a vulnerable instance without its owner ever having installed "SQL Server".  A very partial list of applications that use MSDE can be found here.

Prevention

The simplest way to protect your SQL Server is to keep up to date with patches.  With Microsoft's new method of distributing patches this should become easier in the future.  However, even Microsoft wasn't able to keep all their servers patched and they were affected by this worm.  You should also carefully evaluate whether your SQL Server needs to be exposed to the Internet at all.  In many cases, using a VPN to reach the server is a much better solution than opening its ports at the firewall.

You can download the Microsoft Baseline Security Analyzer to evaluate your systems.  You can also sign up to be notified when Microsoft issues new security bulletins.
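The two checks above (is UDP 1434 reachable, and is every instance, including the MSDE ones applications install quietly, at a patched build?) can be scripted.  The example below is added here and is not code from the original article or from Microsoft: it sends the same one-byte "browse" ping (0x02) that the SQL Server client library sends to UDP 1434, parses the reply, and compares each instance's reported version against a minimum patched build.  The reply sample is constructed, the host name DBHOST and instance name ACMEAPP are made up, and the build numbers (8.00.636 for SP2 plus the MS02-039 hotfix, 8.00.760 for SP3) are assumptions you should verify against Microsoft's bulletin before relying on them.  A server that answers this ping from the Internet has port 1434 exposed, whatever its patch level.

```python
"""Probe UDP 1434 and report SQL Server 2000 / MSDE instances and their builds.

Added example, not part of the original article.  The SSRP reply format
(0x05, 2-byte little-endian length, then key;value pairs with ";;" between
instances) is the one documented by Microsoft for SQL Server 2000.
"""
import socket
from typing import Dict, List, Optional, Tuple

# ASSUMPTION: build that carries the MS02-039 fix (SP2 + hotfix).  SP3 reports
# 8.00.760 and also contains the fix.  Verify against the bulletin before use.
MIN_PATCHED_BUILD = (8, 0, 636)

SSRP_PING = b"\x02"   # benign client "list instances" request
SSRP_PORT = 1434


def parse_ssrp_response(data: bytes) -> List[Dict[str, str]]:
    """Turn a raw SSRP reply into one dict of key/value fields per instance."""
    if not data or data[0] != 0x05:
        raise ValueError("not an SSRP server response")
    length = int.from_bytes(data[1:3], "little")
    body = data[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):          # ";;" terminates each instance
        fields = record.split(";")
        if len(fields) < 2:                  # trailing empty record
            continue
        info = {fields[i]: fields[i + 1] for i in range(0, len(fields) - 1, 2)}
        if "InstanceName" in info:
            instances.append(info)
    return instances


def parse_build(version: str) -> Tuple[int, ...]:
    """'8.00.760' -> (8, 0, 760) so builds compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def is_patched(version: Optional[str]) -> bool:
    """Unknown or unparseable version is treated as unpatched (fail closed)."""
    if not version:
        return False
    try:
        return parse_build(version) >= MIN_PATCHED_BUILD
    except ValueError:
        return False


def assess(data: bytes) -> List[Tuple[str, str, bool]]:
    """(instance name, reported version, patched?) for every instance in a reply."""
    return [
        (inst["InstanceName"], inst.get("Version", "?"), is_patched(inst.get("Version")))
        for inst in parse_ssrp_response(data)
    ]


def probe(host: str, timeout: float = 2.0) -> Optional[bytes]:
    """Send the SSRP ping; return the raw reply or None if nothing answered.

    Only use against hosts you are authorized to test.  No answer means either
    the port is filtered (good) or no SQL Server 2000 instance is listening.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(SSRP_PING, (host, SSRP_PORT))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return reply


# Constructed sample reply: a patched default instance plus an unpatched named
# instance of the kind an application bundling MSDE would install.
SAMPLE_BODY = (
    b"ServerName;DBHOST;InstanceName;MSSQLSERVER;IsClustered;No;Version;8.00.760;tcp;1433;;"
    b"ServerName;DBHOST;InstanceName;ACMEAPP;IsClustered;No;Version;8.00.534;"
    b"tcp;1435;np;\\\\DBHOST\\pipe\\MSSQL$ACMEAPP\\sql\\query;;"
)
SAMPLE_RESPONSE = b"\x05" + len(SAMPLE_BODY).to_bytes(2, "little") + SAMPLE_BODY


if __name__ == "__main__":
    import sys
    data = probe(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESPONSE
    if data is None:
        print("no SSRP reply: UDP 1434 is filtered or no SQL Server 2000 instance answered")
    else:
        for name, version, ok in assess(data):
            print(f"{name:<14} build {version:<9} {'patched' if ok else 'UNPATCHED'}")
```

Run it with a host name to probe a real machine, or with no arguments to see the constructed sample evaluated.  Note the named instance on port 1435: MBSA and the SQL Server tools will find it too, but this is the sort of instance an application installed without anyone thinking of it as a SQL Server.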

Conclusion

Keeping patches up to date is difficult but necessary if you have Internet-facing SQL Servers.  SQLTeam.com was unaffected and none of ClearData Consulting's clients were affected.

Resources

Microsoft's Slammer page
Microsoft's PSS Security Response Team's alert about Slammer
Microsoft's Security Homepage