[Full-Disclosure] SQL Sapphire Worm Analysis

2003-01-25 Thread Marc Maiffret
SQL Sapphire Worm Analysis Release Date: 1/25/03 Severity: High Systems Affected: Microsoft SQL Server 2000 pre SP 2 Description: Late Friday, January 24, 2003 we became aware of a new SQL worm spreading quickly across various networks around the world. The worm is spreading using a buffer

RE: [Full-Disclosure] A few quick questions about the SQL Sapphire Worm

2003-01-25 Thread Marc Maiffret
1. It's not even bad enough that people are not firewalling... they are not patching. 2. Yes there are proof of concept exploits out there for the vulnerability that Sapphire uses. One of those was by [EMAIL PROTECTED] You can check it out on: http://www.cnhonker.net/index.php

[Full-Disclosure] Is Sapphire the world's smallest computer worm?

2003-01-25 Thread Richard M. Smith
At 376 bytes, is this new Sapphire worm the world's smallest computer worm? The only competition I can think of is the Morse worm. Anybody know how big it was? Richard -Original Message- From: cstone [mailto:[EMAIL PROTECTED]] Sent: Saturday, January 25, 2003 7:08 AM To: Michael

Re: [Full-Disclosure] Is Sapphire the world's smallest computer worm?

2003-01-25 Thread Small Grey
rs == Richard M Smith [EMAIL PROTECTED] writes: rs At 376 bytes, is this new Sapphire worm the world's smallest rs computer worm? The only competition I can think of is the rs Morse worm. Anybody know how big it was? The Morris worm was bigger: ,[ worm-src.tar.gz ] |

Re: [Full-Disclosure] Is Sapphire the world's smallest computer worm?

2003-01-25 Thread madsaxon
At 08:49 PM 1/25/03 +, Roland Postle wrote: I suspect the morse worm was bigger, therefore I'm prepared to offer a flashy World's smallest internet worm award (solid gold statuette on a marble stand with attached chrome plate which will be etched at a later date) to the author of this one. If

Re: [Full-Disclosure] Is Sapphire the world's smallest computer worm?

2003-01-25 Thread Kevin Spett
I remember seeing (alleged) Morris worm source code on PacketStorm a while ago. Kevin Spett SPI Labs http://www.spidynamics.com/ - Original Message - From: Roland Postle [EMAIL PROTECTED] To: Full-Disclosure [EMAIL PROTECTED] Sent: Saturday, January 25, 2003 3:49 PM Subject: Re:

[Full-Disclosure] Cisco Security Advisory: MS SQL Sapphire Worm Mitigation Recommendations

2003-01-25 Thread Cisco Systems Product Security Incident Response Team
worldwide website at http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml. In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients: * [EMAIL PROTECTED] * [EMAIL

[Full-Disclosure] RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

2003-01-25 Thread Richard M. Smith
However, this worm might not be so harmless as it appears because of collateral damage: Bank of America ATMs Disrupted by Virus http://story.news.yahoo.com/news?tmpl=storyncid=578e=3cid=569u=/nm/20030125/tc_nm/tech_virus_dc SEATTLE (Reuters) - Bank of America Corp. said on Saturday

[Full-Disclosure] RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

2003-01-25 Thread Jason Coombs
Bank of America should never have allowed their ATM network to rely on routes that could be impacted by non-ATM network computer systems. That Sapphire might have had this effect makes the sensibility behind writing and releasing it even more apparent, if this was in fact defensive work of a

[Full-Disclosure] Sapphire SQL Worm Analysis Complete

2003-01-25 Thread Matthew Murphy
I've completed an analysis of the 'Sapphire' SQL worm targeting MS-SQL servers. Some have reported massive slowdowns. An interesting part of this worm results from its use of UDP. Attacked hosts/networks may generate ICMP Host/Port Unreachable messages in response to a Sapphire attack,

Re: [Full-Disclosure] RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

2003-01-25 Thread Ron DuFresne
You'll find that you underestimate the number of banks and credit related transactions that use internet connectivity to transact transfers and payment activity. Pay attention next time you use an ATM or credit card at the gas pumps or the grocery, or a card in those ATMs in various malls and

Re: [Full-Disclosure] Is Sapphire the world's smallest computer worm?

2003-01-25 Thread zeno
I suspect the morse worm was bigger, therefore I'm prepared to offer a flashy World's smallest internet worm award (solid gold statuette on a marble stand with attached chrome plate which will be etched at a later date) to the author of this one. If they would just like to stand up and claim

[Full-Disclosure] Re: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

2003-01-25 Thread Rick Kelly
Richard M. Smith said: Bank of America ATMs Disrupted by Virus http://story.news.yahoo.com/news?tmpl=storyncid=578e=3cid=569u=/nm/20030125/tc_nm/tech_virus_dc SEATTLE (Reuters) - Bank of America Corp. said on Saturday that customers at a majority of its 13,000 automatic teller

[Full-Disclosure] [SCSA-003] Multiple Cross Site Scripting Vulnerabilities in Nuked-Klan

2003-01-25 Thread Grégory Le Bras | Security Corporation
.: Multiple Cross Site Scripting Vulnerabilities in Nuked-Klan :. Security Corporation Security Advisory [SCSA-003] PROGRAM: Nuked-Klan HOMEPAGE:

[Full-Disclosure] RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

2003-01-25 Thread Matt Smith
Guys, This puppy is FAR from harmless and I mean far, This SOB is gonna wind up worse than Code Red, Nimda, or even the great worm of '88. I doubt very much the Morris Worm downed ENTIRE COUNTRIES, as Sapphire did to South Korea today. Cyberterrorism has been spoken of for years. Well, guess

[Full-Disclosure] Tool: Sapphire SQL Worm Scanner

2003-01-25 Thread Marc Maiffret
We had a lot of requests to put together a quick free scanner, like we've done in the past, for this SQL worm. This is the first version and it is bound to have bugs. Feel free to email me any issues directly and we can work on them. The scanner is non-intrusive, won't crash your servers, in

[Full-Disclosure] RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

2003-01-25 Thread Greg A. Woods
[ On Saturday, January 25, 2003 at 18:11:12 (-0500), Richard M. Smith wrote: ] Subject: RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434! However, this worm might not be so harmless as it appears because of collateral damage: Bank of America ATMs Disrupted by Virus

Re: [Full-Disclosure] RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

2003-01-25 Thread madsaxon
At 08:29 PM 1/25/03 -0500, Matt Smith wrote: Guys, This puppy is FAR from harmless and I mean far, This SOB is gonna wind up worse than Code Red, Nimda, or even the great worm of '88. I doubt very much the Morris Worm downed ENTIRE COUNTRIES, as Sapphire did to South Korea today.

Re: [Full-Disclosure] RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

2003-01-25 Thread Douglas F. Calvert
On Sat, 2003-01-25 at 21:05, Benjamin Krueger wrote: * Jason Coombs ([EMAIL PROTECTED]) [030125 16:49]: Bank of America should never have allowed their ATM network to rely on routes that could be impacted by non-ATM network computer systems. It's a little early to be assuming that the

[Full-Disclosure] G0BBL3S R3V34L3D!#^!@

2003-01-25 Thread javaman
G0BBL3S UNM4SK3D A cross-site tracing error that is revealed through EtherLeak has been discovered regarding the information released by g0bbl3s!%!#%^ While investigating the source of our backdoored mp3 files, we have found that gobbles is not only not a reader of the securityfocus, but it is,