Marc Flemming
Renovator
offline
Registered: Jan 2003
Local time: 04:11 PM
Location: Santa Cruz
Posts: 3663
|
Since about midnight EST almost every host on the internet has been receiving a 376 byte UDP payload on port ms-sql-m (1434) from a random infected server. Reports of some hosts receiving 10 per minute or more. internetpulse.net is reporting UUNet and Internap are being hit very hard. This is the cause of major connectivity problems being experienced worldwide. It is believed this worm leverages a vulnerability published in June 2002. Several core routers have taken to blocking port 1434 outright. If you run Microsoft SQL Server, make sure the public internet can't access it. If you manage a gateway, consider dropping UDP packets sent to port 1434." bani adds "This has effectively disabled 5 of the 13 root nameservers.
----------
A rapidly spreading computer worm on Saturday infested networks and bogged down Internet traffic across the globe, crippling online services in one of the world's most wired countries, South Korea.
Called "Sapphire" or "SQL Slammer," the worm carries a self-regenerating mechanism that enables it to multiply quickly across the Internet, said Mikko Hypponen, manager of anti-virus research at F-Secure, the Helsinki-based computer security firm.
"It is so good at replicating that it generates massive amounts of traffic that will slow down networks," Hypponen said. "The end user never sees it. They only experience the slowdown on the Net."
Security experts blamed the worm for crashing almost all Internet services in South Korea.
It was the first time South Korea's broadband and mobile Internet services have been shut down on such a scale, although hackers are fairly active in the country where 70 percent of households have Internet access.
"It is highly likely hackers have launched an all-out attack on the country's Internet system," Yonhap news agency quoted an official of the Ministry of Information and Communication as saying.
CODE RED SIMILARITIES
The problem was not limited to South Korea, with systems slowing from Japan to Europe to the United States, officials said.
The worm has been likened to the "Code Red" bug of July, 2001, an infestation that slowed traffic dramatically on the Internet. The authors of that malicious code remain a mystery.
The worm infects computer servers that run on Microsoft Windows 2000 SQL software. Once it attaches to a server it transmits multiple data requests in a random manner to other IP addresses on the Internet looking for more vulnerable servers to infect.
The effect is a flood of traffic that bogs down ISP networks and can even knock Web sites off-line, Hypponen said. He added the worm was probably installed on a faulty server by a virus writer or hacker within the past few days.
A patch is available on Microsoft's Web site, www.microsoft.com, he added.
Left unchecked, Hypponen warned that the worm could continue to create large network disruptions for ISP customers, plus knock out some Web sites over the coming days.
Hypponen said it had disabled the email server of a corporate client in Slovenia. Meanwhile, ISP customers in the United States and Britain lodged distress notes on Internet message boards on Saturday complaining about slowdowns in Internet traffic.
TARGET: SOUTH KOREA
The biggest impact appeared to be in South Korea, however, where police were called in to investigate the matter.
The infestation impacted the country's largest ISP, KT Corp, bringing down its entire Internet service, said a company spokesman.
He said services were down for several hours in the afternoon but were now recovering. However, the networks of number two operator Hanaro Telecom Inc and number three Thrunet Co were still experiencing trouble.
The crash was triggered by a huge volume of transmissions flowing into KT's Hyehwa service in Seoul, officials said.
All of South Korea's major high-speed Internet services use the KT server, so all suffered the same interruption of service.
Graham Cluley of Sophos Anti-Virus, a UK virus detection firm, said the first reports to his firm came from companies in Asia. A number of companies in Europe have also contacted the firm reporting a degradation in Internet speed, he added.
AOL, the world's largest ISP with over 35 million subscribers, appeared to survive unscathed. A spokesman for AOL the Time Warner Internet unit said the worm had no impact on its service.
|
01-25-2003 06:35 PM
