Author Topic: You just can't buy entertainment this good! (slammer part 2)  (Read 751 times)

voidmain

http://www.theregister.co.uk/content/56/29040.html
 
quote:

ATMs, ISPs hit by Slammer worm spread
By John Leyden
Posted: 27/01/2003 at 11:41 GMT

The bandwidth-crunching Slammer worm caused all manner of damage since its appearance on the Net in the early hours of Saturday morning.

On Saturday, the spread of the worm was so severe that the majority of Bank of America's 13,000 automatic teller machines "were unable to process customer transactions", the Washington Post reports. The paper quotes the bank saying it was able to restore services on Saturday evening but a Seattle-based Reg reader tells us he was "unable to make a deposit to my Bank of America Account on Sunday at about noon Pacific time".

"I observed several others having similar problems accessing their accounts," he adds.

Over in Redmond, Windows XP activation servers were thrown offline while in Korea (whose Net connections were particularly hard hit by the worm) shares in the country's two largest ISPs, KT Corp and Hanaro Telecom Inc, fell sharply while computer security stock rose sharply, Reuters reports.

The news agency states "almost all KT customers lost their connections during the attack".

The DDoS potential of the worm on Net access was also felt in Europe.

In Portugal over 300.000 subscribers to Cable ISP Netcabo were without Internet access for more than 12 hours due to the worm, Reg reader Nuno Alves tells us.

Slammer hammers Net
The Slammer (aka Sapphire) worm takes advantage of a six-month-old vulnerability in MS SQL Server 2000 (a server resolution service buffer overflow flaw) to spread.

Although Slammer is not destructive to an infected host (like Code Red it only exists in memory), it generates a damaging level of network traffic when it scans for additional targets. The worm continuously sends 367 bytes of exploit and propagation code across port 1434/UDP until the SQL Server process is shut down. Unlike Nimda these attacks are not directed towards local sub-nets but spread across the wider Internet.

During peak hours of infection, security firm Symantec observed more than 22,000 unique systems infected by the worm. Infection rates have, thankfully, dropped markedly since but that still leaves a labour-consuming mop-up operation ahead.

On Saturday we reported that afflicted servers are relatively easy to cure, once identified. Although Microsoft has supplied a patch, fixing the problem turns out to be far from trivial, as IT staff who spent an unscheduled weekend at work in the City have found.

"Well, after spending the weekend in the office (thanks to the SQL Slammer worm), I can confirm that at least two City investment banks have been severely impacted by this," one technician, who asked to remain anonymous, tells us.

"Of course, Microsoft have made our jobs easier (not!) by having two different patches that need to be installed for SQL Server 2000 and Microsoft Data Engine (MSDE), although there's very little to tell the difference between the two installations so as to target them correctly. Not to mention conflicting security bulletins, and a service pack that needs to be installed before the patch can be applied," he adds.

Security firms recommend that all MS-SQL server system admins audit their machines for known security vulnerabilities. Since Slammer spreads on UDP port 1434, users are being urged to update firewall or router tables to block this traffic as a workaround, prior to putting patches in place.
Someone please remove this account. Thanks...
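
The article's description of the worm's traffic (continuous UDP/1434 datagrams aimed at the wider Internet rather than local subnets) suggests a fan-out check for locating infected hosts before patching. This is an added example, not part of the original post or the quoted article; the flow-record format, the 10.0.0.0/8 internal range, the thresholds and the function name are assumptions.

```python
import ipaddress
from collections import defaultdict

SLAMMER_PORT = 1434  # UDP port named in the article (SQL Server resolution service)

# Constructed flow records, not real traffic: "epoch_seconds src dst proto dst_port"
SAMPLE_FLOWS = """\
1043650000 10.1.4.20 198.51.100.7 udp 1434
1043650000 10.1.4.20 203.0.113.91 udp 1434
1043650001 10.1.4.20 192.0.2.14 udp 1434
1043650001 10.1.4.20 198.51.100.200 udp 1434
1043650002 10.1.4.20 203.0.113.5 udp 1434
1043650002 10.1.4.20 192.0.2.77 udp 1434
1043650003 10.1.7.9 10.1.4.30 udp 1434
1043650004 10.1.7.9 10.1.4.30 udp 1434
1043650005 10.1.8.2 198.51.100.7 udp 53
1043650006 10.1.8.2 198.51.100.7 tcp 1434
malformed line
"""


def find_scanners(flow_text, internal_cidr="10.0.0.0/8", window=10, min_dests=5):
    """Return {src: max distinct external UDP/1434 destinations in one window}."""
    internal = ipaddress.ip_network(internal_cidr)
    buckets = defaultdict(set)  # (src, window index) -> external destinations
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed records
        ts, src, dst, proto, dport = fields
        try:
            ts, dport = int(ts), int(dport)
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue
        if proto.lower() != "udp" or dport != SLAMMER_PORT:
            continue
        # Count only internal sources reaching external addresses (Internet-wide spread).
        if src_ip in internal and dst_ip not in internal:
            buckets[(src, ts // window)].add(dst)
    worst = defaultdict(int)
    for (src, _), dests in buckets.items():
        worst[src] = max(worst[src], len(dests))
    return {src: n for src, n in worst.items() if n >= min_dests}


if __name__ == "__main__":
    for host, fanout in find_scanners(SAMPLE_FLOWS).items():
        print(f"{host}: {fanout} external UDP/1434 destinations in one window")
```

Hosts flagged this way are candidates for isolation and patching; the same UDP/1434 match is what the firewall workaround in the article would drop at the border.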

Calum

« Reply #1 on: 27 January 2003, 17:49 »
ah! so this explains why all but 'Core IT Applications' are offline at work today. i work in a large accounting firm at the moment and they sent me an email saying everybody using SQL had to disconnect from the network immediately and ring up the helpdesk (!) because of a virus. At this point i was thinking 'yes, yes, if your servers weren't running Lotus-Domino/5.0.6 on Windows 2000* you might not have such a problem with viruses'. I'm just a lowly office dude though. what do i know?


* according to netcraft.com/whats
visit these websites and make yourself happy forever:
It's my music! | My music on MySpace | Integrational Polytheism

voidmain

« Reply #2 on: 27 January 2003, 19:14 »
At least they aren't running Exchange so you can give them half credit. Now they just need to make the rest of the switch and they won't have to have their users log off.  

Calum

« Reply #3 on: 27 January 2003, 20:45 »
it's not going to happen. IT is some sort of mystical voodoo to these people. they just outsource the upkeep of their current junk to little IT companies that hire MCSEs. remember these are an accountancy and financial services company. they can afford to waste thousands on shitty expensive proprietary software (and hardware, this IT dept really shocks me sometimes at the waste)
sorry, i'm really off topic now...

avello500

« Reply #4 on: 27 January 2003, 23:38 »
i'm concerned if my bank had trouble with this virus. if it has i'll be closing my account. this won't have any impact on them stop using m$ but i'll feel safer.
How can you say im crazy? You wouldnt know what crazy was if Charles Manson was eating Fruit Loops on your front porch.  -- mike muir/suicidal tendencies