IDGNet Virus & Security Watch Friday 31 January 2003


This issue's topics:

Introduction:

* SQL worm, Outlook attachment bypass, Apache & susehelp updates

Virus News:

* SQL worm slams net

* Beware the vagaries of Outlook...

Security News:

* SQL Server patches and service packs

* Apache bug and security fixes

* Remote shell in susehelp via web access


Of course, the story of the week has to be the SQLSlammer worm, which is covered extensively in one long article in the virus section below. We probably do not need to say anything more about it here...

The virus section also contains news of attempts to bypass content filtering with tricky MIME header constructions that also 'fool' Outlook into falsely displaying and handling attachments. And, aside from mentioning SQL Server/MSDE patches and service packs again, the security section describes a couple of important patches for the popular cross platform Apache web server and the susehelp system in SuSE Linux.

Virus News:

* SQL worm slams net

Apparently launched last Saturday morning around 5:30am UT (GMT), the SQLSlammer worm had a huge, albeit relatively short-lived, impact on the Internet. Traffic volumes generated by the worm caused localised disruptions to traffic in parts of the network where high concentrations of vulnerable machines became infected. This, in turn, caused various flow-on effects as DNS lookups, e-mail delivery and so on were slowed or effectively blocked by traffic congestion. Over a period of several hours major service providers implemented UDP port 1434 filters to block the worm (and any legitimate traffic on that port) and the severe impact trailed off.

SQLSlammer - also known as Sapphire, SQL-Hell, SQ-Hell and Helkern – is a 'network and memory only' worm. As such it, like CodeRed, is not detected by typical antivirus products as they do not scan all memory on Windows machines nor do they scan network traffic. SQLSlammer is simply a 376-byte UDP packet that exploits a buffer overflow in the SQL Server Resolution Service of MS SQL Server 2000 and its MSDE version, MSDE 2000. When a SQLSlammer packet arrives at a vulnerable machine the buffer overflow is triggered, returning control to code in the body of the packet that triggered the overflow. This code then runs an endless loop, generating random IP addresses and sending copies of its 376 bytes of code to UDP port 1434 of those machines.

As UDP makes very efficient use of bandwidth, not requiring the three-way handshake TCP uses to establish a connection between machines before they can start transmitting data back and forth, SQLSlammer can generate huge volumes of network traffic, often entirely flooding the local network connection bandwidth of its victims. A graph linked from the analysis (linked below) shows the initial, meteoric, rise in UDP port 1434 traffic seen by its reporting stations across the Internet.
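The traffic profile described above (one source spraying identical 376-byte UDP datagrams at port 1434 of random addresses) is itself a usable detection signal. The following is an added example, not code from the newsletter or from any of the vendors it links; it scores sources in flow records by how many distinct destinations they reach with Slammer-shaped datagrams. The record format, addresses and threshold are constructed for the example.

```python
"""Flag SQLSlammer-style scanners in flow records (added example, not from the
newsletter). The worm is one 376-byte UDP datagram sent to port 1434 of
randomly generated addresses in a tight loop, so an infected host appears as
one source reaching many distinct destinations on udp/1434 with a constant
payload size. The record format and addresses below are constructed."""
from collections import defaultdict
from dataclasses import dataclass

SLAMMER_DPORT = 1434        # SQL Server Resolution Service port
SLAMMER_PAYLOAD = 376       # UDP payload length named in the article


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    payload_len: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: 'src dst proto dport payload_len'."""
    src, dst, proto, dport, plen = line.split()
    return Flow(src, dst, proto.lower(), int(dport), int(plen))


def is_slammer_shaped(flow: Flow) -> bool:
    """Datagram shape alone: udp/1434 with exactly 376 payload bytes."""
    return (flow.proto == "udp" and flow.dport == SLAMMER_DPORT
            and flow.payload_len == SLAMMER_PAYLOAD)


def find_slammer_sources(lines, min_distinct_dsts=5):
    """Return {src: distinct-destination count} for sources that send
    Slammer-shaped datagrams to at least min_distinct_dsts different hosts.
    Counting distinct destinations rather than packets separates a spraying
    worm from a legitimate client that polls a single SQL Server instance."""
    dsts = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if is_slammer_shaped(flow):
            dsts[flow.src].add(flow.dst)
    return {src: len(d) for src, d in dsts.items() if len(d) >= min_distinct_dsts}


# Constructed sample: 10.0.0.7 sprays udp/1434; 10.0.0.20 is an ordinary client
SAMPLE_FLOWS = """\
# src dst proto dport payload_len
10.0.0.7  203.0.113.9   udp 1434 376
10.0.0.7  198.51.100.4  udp 1434 376
10.0.0.7  192.0.2.77    udp 1434 376
10.0.0.7  203.0.113.200 udp 1434 376
10.0.0.7  192.0.2.8     udp 1434 376
10.0.0.7  198.51.100.4  udp 1434 376
10.0.0.20 10.0.0.5      udp 1434 1
10.0.0.20 10.0.0.5      tcp 1433 120
"""

if __name__ == "__main__":
    print(find_slammer_sources(SAMPLE_FLOWS.splitlines()))  # {'10.0.0.7': 5}
```

The distinct-destination count is what makes this usable inside a network: the blanket UDP port 1434 filters the providers deployed also drop legitimate SQL Server browsing traffic, whereas a host that talks to one instance never crosses the threshold here. The 376-byte size match is a narrow signature and should be paired with the patch checks described below rather than relied on alone.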

The vulnerability SQLSlammer exploits was patched by the update initially released in July 2002 with the MS02-039 security bulletin and by other patches and service packs that subsequently superseded that patch. One of the reasons given for the relative success of SQLSlammer has been the difficulty of properly installing those patches, particularly for MSDE installations. As SQL Server Service Pack 3 had only just been released and some customers were wary of installing it without thorough testing (and there have been some complaints of stability and performance issues after installing it) Microsoft has re-packaged and re-released the MS02-061 cumulative patch for SQL Server and MSDE. This is the preferred installer for administrators who are not yet prepared to move to SP3. If you have potentially vulnerable machines and plan to use this patch please read the full, updated security bulletin and the notes in the associated KnowledgeBase article (linked from the bulletin) very carefully. Several other Microsoft resources pertinent to SQLSlammer, and the download page for the SQL Server/MSDE 2000 SP3, are linked below.

Another ongoing issue with SQL Server/MSDE is that many potential victims do not even know they are using the product. This is especially problematic with MSDE, which is not only shipped with several Microsoft products, but as a component in many products shipped by third-party software developers (independent software vendors or ISVs in Microsoft parlance). Microsoft provides a list of its own products that include MSDE (mainly as an optional component, but occasionally as one included in a default installation). However, a better list - in terms of sheer breadth of coverage - is maintained by and we have provided a link to their full list below.

Microsoft Application Center (often referred to as AppCenter) also includes a customised version of MSDE. This cannot be patched as an ordinary MSDE or SQL Server installation and special instructions for making sure AppCenter is properly updated to be immune to SQLSlammer have been posted by Microsoft. These are linked from several of the other SQLSlammer and SQL Server/MSDE patch pages linked below, so AppCenter administrators should look for these links while reading the broader background material on the worm.

Finally, as if all the other doom and gloom about the SQLSlammer outbreak was not enough, it seems even Microsoft had serious problems with this worm affecting some of its own machines and thrashing its internal network. Online IT news source The Register was leaked a series of internal Microsoft e-mail messages detailing the impact of the worm at Microsoft and the steps taken to clear up Microsoft's internal network.

New Worm: W32.Slammer -

Microsoft Security Bulletin MS02-061

SQL Server home page -

SQL Server 2000 Service Pack 3 -

FIX: W32.Slammer Worm in Application Center 2000 -

SQL Server/MSDE-Based Applications -

MS struggles to contain the Slammer worm - the

Port 1434 MS-SQL Worm preliminary analysis -

Computer Associates Virus Information Center

F-Secure Security Information Center

Kaspersky Lab Virus Encyclopedia

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* Beware the vagaries of Outlook...

UK-based e-mail ASP MessageLabs has warned that an apparently little known flaw in Outlook is being used in attempts to sneak nasty e-mail attachments past some content management filters. In short, specially crafted MIME headers, presenting filenames with large but carefully crafted numbers of spaces and triple extensions can be used to fake the file-type that Outlook considers a message's attachment to be. Elements of this 'trick' can be used to further fool Outlook to display icons and filenames as the properties of the attachment which bear no resemblance to the way the attachment is actually treated by Outlook (elements of the 'Incorrect MIME Headers' vulnerability, used so successfully by several common viruses spring to mind...).

MessageLabs has detected several uses of these tricks recently. This includes the massive 'seed' mailing of a dropper for a new Trojan Horse program last weekend involving over 3000 copies intercepted en route to MessageLabs' customers alone.
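A content filter that judges an attachment by the first extension it sees in the header, or by the padded name as displayed, is exactly what the trick above is aimed at. The following is an added example, not code from the newsletter or from MessageLabs: it parses a constructed message with Python's standard email library, collapses the whitespace padding, lists every dotted extension and treats the last one as the governing type. The message, the extension set and the placeholder attachment bytes are all constructed for the example.

```python
"""Normalise attachment filenames before deciding what an attachment is
(added example, not from the newsletter or MessageLabs). The trick pads a
filename with many spaces and stacks several extensions so that a filter and
Outlook can disagree about the file type. The message below is constructed;
the attachment body is placeholder bytes, not a real program."""
import email
import re

# Extensions a mail client would hand to the OS as a program or script (illustrative set)
EXECUTABLE_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}

# Constructed attachment name: "report.txt", 40 spaces, then ".doc.exe"
PADDED_NAME = "report.txt" + " " * 40 + ".doc.exe"
RAW_MESSAGE = (
    "From: sender@example.invalid\r\n"
    "To: recipient@example.invalid\r\n"
    "Subject: quarterly report\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "See attached.\r\n"
    "--b1\r\n"
    f'Content-Type: application/octet-stream; name="{PADDED_NAME}"\r\n'
    f'Content-Disposition: attachment; filename="{PADDED_NAME}"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "QUJDRA==\r\n"          # placeholder bytes "ABCD", not executable content
    "--b1--\r\n"
).encode("ascii")


def analyse_attachment_name(name: str) -> dict:
    """Collapse padding, list every dotted extension and say why the name is suspicious."""
    reasons = []
    if re.search(r"\s{2,}", name):
        reasons.append("whitespace-padding")
    normalised = re.sub(r"\s+", " ", name).strip()
    pieces = [p.strip().lower() for p in normalised.split(".")]
    extensions = [p for p in pieces[1:] if p]
    if len(extensions) > 1:
        reasons.append("multiple-extensions")
    final_ext = extensions[-1] if extensions else ""
    if final_ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable-extension")
    return {"original": name, "normalised": normalised, "extensions": extensions,
            "final_extension": final_ext, "reasons": reasons}


def scan_message(raw: bytes) -> list:
    """Return one analysis per attachment in a raw RFC 2822 message."""
    msg = email.message_from_bytes(raw)   # compat32 parser keeps the padded filename verbatim
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            findings.append(analyse_attachment_name(name))
    return findings


if __name__ == "__main__":
    for finding in scan_message(RAW_MESSAGE):
        print(finding["final_extension"], finding["reasons"])
```

The decision the filter should make is on the normalised name and its last extension, and any name that needs padding or carries more than one extension is worth quarantining on that basis alone, whichever extension a given Outlook build happens to act on.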

Outlook quirks being exploited by viruses and trojans -

Security News:

* SQL Server patches and service packs

Administrators of pretty much any Windows system should check the lists of software known to ship with SQL Server and/or MSDE mentioned in the SQLSlammer coverage in the virus news section. Windows system administrators should ascertain their patch status relative to the vulnerability used by SQLSlammer. Those interested in upgrading to SP3 can also find links to that service pack among the links at the end of that article. Note that although SQLSlammer only works on Windows 2000 machines hosting either MS SQL Server or MSDE, the vulnerability the worm exploits could easily be exploited on any other OS that can host those products.

* Apache bug and security fixes

Apache 2.x administrators should consider obtaining and installing the latest release of this popular web server. Aside from a raft of minor bug fixes, three security vulnerabilities in the Windows version have been fixed. The worst effects of exploiting these Windows vulnerabilities vary, depending on the hosting OS, but one of the vulnerabilities allows for remote arbitrary code execution on Windows 9x and ME platforms, and server DoS'ing is possible with the others.

Apache 2.0.44 release notes -

* Remote shell in susehelp via web access

The SuSE Security Team has uncovered some cases of improper metacharacter quoting and similar security flaws in the susehelp CGI scripts. If a SuSE machine is running a web server that allows remote access to susehelp, this vulnerability is remotely exploitable, allowing execution of arbitrary shell commands as the wwwrun user. Regardless, SuSE recommends that all installations either uninstall susehelp or update to the latest RPMs, as described in the SuSE Security Announcement linked below.
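"Improper metacharacter quoting" in a CGI script is a defect class rather than a detail of susehelp, and the following added example illustrates it in Python; it is not susehelp's code and says nothing about how its scripts are written. A handler takes a help topic from the query string and builds a search command; the three builders show the defect, the quoting fix and the preferred argv form, and shell_commands() tokenises a command line the way /bin/sh would so the difference is visible without executing anything. DOC_ROOT and the grep invocation are assumptions made for the example.

```python
"""Metacharacter quoting in a CGI handler (added example; not susehelp's code).
Each builder returns what would be handed to the shell or to subprocess, and
shell_commands() shows how /bin/sh would split it, so nothing is executed."""
import re
import shlex

DOC_ROOT = "/usr/share/doc"                         # assumed path, illustrative only
TOPIC_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")      # allowlist for a help topic
SEPARATORS = set(";&|")                             # control operators that start a new command


def build_lookup_unsafe(topic: str) -> str:
    """Defect: the user's string is interpolated straight into a shell command line."""
    return f"grep -rl {topic} {DOC_ROOT}"


def build_lookup_quoted(topic: str) -> str:
    """Fix 1: quote the value so the shell sees exactly one word, metacharacters included."""
    return f"grep -rl {shlex.quote(topic)} {DOC_ROOT}"


def topic_allowed(topic: str) -> bool:
    """Allowlist check: letters, digits and a few safe punctuation characters only."""
    return TOPIC_RE.fullmatch(topic) is not None


def build_lookup_argv(topic: str) -> list:
    """Fix 2 (preferred): validate, then build an argv list for subprocess.run(argv)
    with no shell at all; '--' stops grep reading a topic such as '-r' as an option."""
    if not topic_allowed(topic):
        raise ValueError("topic rejected by allowlist")
    return ["grep", "-rl", "--", topic, DOC_ROOT]


def shell_commands(cmdline: str) -> list:
    """Split a command line into the separate argv lists /bin/sh would run."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token and set(token) <= SEPARATORS:       # ';', '&&', '|', ...
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    hostile = "kernel;uname"                          # constructed input with a metacharacter
    print(shell_commands(build_lookup_unsafe(hostile)))   # two commands: the ';' ended the first
    print(shell_commands(build_lookup_quoted(hostile)))   # one command, topic kept literal
    print(build_lookup_argv("kernel"))                    # argv list, no shell involved
```

The argv form is the one to prefer: quoting with shlex.quote is correct but has to be applied at every interpolation, while an argument list passed without a shell leaves nothing to interpret, and the allowlist rejects surprising input before it reaches grep at all. A CGI script that a web server runs for remote clients, as the advisory describes, has no trustworthy input and gets no second chance.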

SuSE Security Announcement: susehelp (SuSE-SA:2003:005) -
