
What are the characteristics of a SQL Killer worm attack?

烟雨青岚
Release: 2020-07-15 14:26:29

The SQL killer worm attack is characterized by: massive consumption of network bandwidth. The SQL killer worm does not have the ability to destroy files and data. Its main impact is to consume a large amount of network bandwidth resources and paralyze the network.

The defining characteristic of the SQL killer worm virus is massive consumption of network bandwidth.

The "SQL killer" virus (the Worm.SQL.helkerm worm) is an extremely rare worm: its virus body is extremely short, yet it is extremely transmissible. The worm exploits a Microsoft SQL Server 2000 buffer overflow vulnerability to spread.

This virus does not have the ability to destroy files or data. Its main impact is to consume a large amount of network bandwidth resources and paralyze the network.

The worm attacks NT-series servers with Microsoft SQL installed. It probes port 1434/udp on the target machine (Jiangmin Anti-Black King closes port 1434 by default, so its users are not affected by the virus); if the probe succeeds, it sends the 376-byte worm code.

Port 1434/udp is a port opened by Microsoft SQL.

On unpatched SQL Server platforms this port has a buffer overflow vulnerability, which gives the worm's subsequent code the opportunity to run on the attacked machine and spread further.

The worm invades the MS SQL Server system and runs in the process space of sqlservr.exe, the main program of MS SQL Server 2000. MS SQL Server 2000 has the highest-level System permissions, so the worm also obtains System-level permissions.

Affected systems: systems without MS SQL Server 2000 SP3 installed.

Because the worm does not check whether it has already invaded a system, the harm it causes is obvious and cannot be ignored. Its incessant intrusion attempts amount to a denial-of-service attack, causing the attacked machine to stop serving and become paralyzed.

The worm exploits the buffer overflow vulnerability in sqlsort.dll on the attacked machine to gain control.

It then obtains the addresses of the GetTickCount function and of the socket and sendto functions from kernel32 and ws2_32.dll respectively.

Next it calls GetTickCount, uses the return value as a random number seed, and uses this seed to generate an IP address as the attack target.

Finally it creates a UDP socket and sends its own code to port 1434 of the target machine. It then enters an infinite loop, repeatedly generating random numbers, computing IP addresses, and launching the same attack.
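The propagation loop described above leaves a distinctive trace on the network: one source sending 376-byte UDP payloads to port 1434 on many unrelated addresses in a short time. The following detection sketch is an added example, not part of the original article; the flow-record layout, the sample records, and the threshold and window values are constructed assumptions.

```python
from collections import defaultdict

SQL_UDP_PORT = 1434      # port named in the article
WORM_PAYLOAD_LEN = 376   # worm size stated in the article
FANOUT_THRESHOLD = 5     # assumed: distinct targets per window before alerting
WINDOW_SECONDS = 1.0     # assumed sliding-window length

# Constructed flow records:
# (timestamp_s, src_ip, dst_ip, proto, dst_port, payload_len)
SAMPLE_FLOWS = (
    # Infected host: 8 distinct targets in 70 ms
    [(0.01 * i, "10.0.0.5", f"198.51.100.{17 * i + 3}", "udp", 1434, 376)
     for i in range(8)]
    + [
        (0.5, "10.0.0.9", "10.0.0.20", "udp", 1434, 3),      # small client query
        (0.0, "10.0.0.8", "203.0.113.4", "udp", 1434, 376),  # two targets only,
        (9.0, "10.0.0.8", "203.0.113.9", "udp", 1434, 376),  # 9 seconds apart
        (0.2, "10.0.0.7", "192.0.2.53", "udp", 53, 376),     # right size, wrong port
    ]
)


def find_scanning_hosts(flows, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src_ip: peak distinct targets per window} for suspected infected hosts."""
    per_src = defaultdict(list)
    for ts, src, dst, proto, dport, plen in flows:
        # Keep only packets matching the worm's port and size.
        if proto == "udp" and dport == SQL_UDP_PORT and plen == WORM_PAYLOAD_LEN:
            per_src[src].append((ts, dst))

    alerts = {}
    for src, events in per_src.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            # Shrink the window until it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({dst for _, dst in events[start:end + 1]}))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for host, fanout in find_scanning_hosts(SAMPLE_FLOWS).items():
        print(f"{host}: {fanout} distinct 1434/udp targets within {WINDOW_SECONDS}s")
```

Matching on size and port alone would also flag the host that sent two such packets nine seconds apart; the fan-out condition is what ties the alert to the random-address loop.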

source:php.cn