Surveying The Landscape

On Full Disclosure recently there was discussion about Ford Motor Company: one subscriber was asking around for a contact within the company about a possible SQL Slammer infection on its corporate network. To think, a worm that has lasted five years (an entire lifetime when you keep in mind today's rapid security and patch cycles) is still active and possibly still infecting systems. Unbelievable!

The SQL Slammer worm, released in January 2003, exploits a buffer overflow vulnerability in Microsoft SQL Server. The beauty of the worm is its size: the entire thing fits inside a single UDP packet.

The worm was based on proof-of-concept code that David Litchfield demonstrated at the Black Hat Briefings; Litchfield had originally discovered the buffer overflow vulnerability the worm exploits. It is a small piece of code that does little more than generate random IP addresses and send copies of itself to them. If a chosen address belongs to a host running an unpatched Microsoft SQL Server Resolution Service, that host is immediately infected and begins spraying the Internet with more copies of the worm.

Most computers sit behind routers and other bits of hardware that shield them from the Big Bad Internet. Probably the most common residential setup is a wireless router sharing the Internet connection, using NAT to map the internal network (typically 192.168.1.0/24) to the single external IP address your provider hands you. While this works well, it also means you can't sample the traffic being directed at your external IP address. Recently I placed a FreeBSD server on my network facing outward, so all of that traffic now reaches the FreeBSD box. Naturally I run a very conservative firewall ruleset: everything coming from the outside except HTTP requests is logged and dropped, which keeps me out of trouble.

What I found surprised me, since I had just finished reading the mail message about suspected worm activity "originating" (the source could have been spoofed) from a Ford network. Poring over my logs, I noticed that SQL Slammer worm traffic was knocking on my doorstep. There also seems to be quite a bit of traffic destined for port 13182. Either way, you can easily see why many assert that Windows can't survive long plugged directly into the Internet: there is quite a bit of nasty traffic just waiting to pick you off.
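The log triage described above, as an added example that is not part of the original post or its firewall setup: a small Python script that reads firewall drop lines, flags the ones that look like SQL Slammer (the worm targets the SQL Server Resolution Service on UDP/1434 and travels as a single 376-byte UDP payload), counts distinct sources, and lists the busiest destination ports so that oddities like port 13182 stand out. The log lines are constructed, use documentation address ranges, and are written in the style of `tcpdump -n -ttt -r /var/log/pflog` output on FreeBSD; the exact line shape on the reader's own box is an assumption, so adjust `LINE_RE` to taste.

```python
import re
from collections import Counter

# Constructed sample of firewall drop log lines (not the post's real logs),
# written in the style that `tcpdump -n -ttt -r /var/log/pflog` prints for pf.
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jan 27 10:00:00.000101 rule 2/0(match): block in on em0: 203.0.113.5.52344 > 198.51.100.7.1434: UDP, length 376
Jan 27 10:00:00.000530 rule 2/0(match): block in on em0: 203.0.113.44.1055 > 198.51.100.7.13182: UDP, length 28
Jan 27 10:00:01.120044 rule 2/0(match): block in on em0: 192.0.2.17.1434 > 198.51.100.7.1434: UDP, length 376
Jan 27 10:00:01.900210 rule 2/0(match): block in on em0: 203.0.113.5.52344 > 198.51.100.7.1434: UDP, length 376
Jan 27 10:00:02.004400 rule 2/0(match): block in on em0: 192.0.2.99.3322 > 198.51.100.7.1434: UDP, length 120
Jan 27 10:00:03.300000 rule 2/0(match): block in on em0: 198.51.100.201.44210 > 198.51.100.7.22: TCP, length 0
"""

# Assumed pflog/tcpdump line layout: "rule N/0(match): block in on IF: SRC.SPORT > DST.DPORT: PROTO, length L"
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<proto>UDP|TCP)(?:, length (?P<length>\d+))?"
)

# SQL Slammer: probes the SQL Server Resolution Service on UDP/1434, and the
# whole worm is one 376-byte UDP payload.
SLAMMER_PORT = 1434
SLAMMER_PAYLOAD_LEN = 376


def parse_line(line):
    """Return a dict of fields for one pflog-style line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport", "length"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def classify(rec):
    """Label a parsed record: 'slammer' for a UDP/1434 packet carrying the worm's
    payload size, 'udp1434-other' for any other traffic to that port, else 'other'."""
    if rec["proto"] == "UDP" and rec["dport"] == SLAMMER_PORT:
        return "slammer" if rec["length"] == SLAMMER_PAYLOAD_LEN else "udp1434-other"
    return "other"


def summarize(log_text):
    """Parse every line, tally labels, count distinct Slammer sources and
    report the three busiest (proto, dport) pairs."""
    labels = Counter()
    slammer_sources = Counter()
    dports = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip anything that is not a firewall match line
        label = classify(rec)
        labels[label] += 1
        dports[(rec["proto"], rec["dport"])] += 1
        if label == "slammer":
            slammer_sources[rec["src"]] += 1
    return {
        "labels": dict(labels),
        "slammer_sources": dict(slammer_sources),
        "top_dports": dports.most_common(3),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The payload-length check matters: a 1434/UDP packet of some other size is more likely a scanner or a legitimate SQL Browser query than the worm, so it is reported separately rather than inflating the Slammer count. A repeated source address (as with `203.0.113.5` in the sample) is the thing worth following up, since an infected host sprays continuously rather than probing once.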