Hosting Provided By

Sapphire SQL Worm Analysis Complete

From: Matthew Murphy <mattmurphy(at)kc.rr.com>
Date: Sat Jan 25 2003 - 19:07:34 EST

I've completed an analysis of the 'Sapphire' SQL worm targeting MS-SQL servers. Some have reported massive slowdowns. An interesting part of this worm results from its use of UDP. Attacked hosts/networks may generate ICMP Host/Port Unreachable messages in response to a Sapphire attack, amplifying the attack's strength. One other reason that this attack is worse for users of home systems, etc. that don't run any servers, is because Sapphire sends the entire 400 bytes or so in the initial packet, where scans from Code Red and bretheren only prompted a 26 byte (or so) TCP SYN packet.

The full analysis is available at:
http://www.techie.hopto.org/sqlworm.html Received on Tue Jan 28 12:48:26 2003

This message: [ Message body ]
Next message: kihong kim: "Why MSSQL resoultion service use the DNS service??"
Previous message: Mason, Samuel: "Sobig Mail Server Selection?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:38 EDT