Shulou(Shulou.com)06/03 Report--

This article is about what is the characteristics of the SQL killer worm attack. I think it is very practical, so I share it with you. I hope you can get something after reading this article. Let's take a look at it.

The characteristic of SQL killer worm attack is that it consumes a lot of network bandwidth. Sql killer worm does not have the ability to destroy files and data, the main impact is the consumption of a large number of network bandwidth resources, making the network paralyzed.

The outbreak of the SQL killer worm is characterized by massive consumption of network bandwidth.

The "SQL Killer" virus (Worm.SQL.helkerm worm) is an extremely rare worm with extremely short virus but highly contagious. The worm spreads by exploiting a Microsoft SQL Server 2000 buffer overflow vulnerability.

This virus does not have the ability to destroy files and data, the main impact is the consumption of a large number of network bandwidth resources, making the network paralyzed.

The worm attacks NT series servers with Microsoft SQL installed, which attempts to detect the 1434/udp port of the attacked machine (Jiangmin Anti-Black King defaults to close port 1434, and users using Jiangmin Anti-Black King will not be affected by the secondary virus). If the detection is successful, it sends 376 bytes of worm code.

1434/udp port is an open port for Microsoft SQL.

There is a buffer overflow vulnerability in this port on the unpatched SQL Server platform, allowing subsequent code of the worm to run and spread further on the attacked machine.

The worm invades the MS SQL Server system and runs in the sqlservr.exe application process space of the MS SQL Server 2000 main program, while MS SQL Server 2000 has the highest level of System privileges, so the worm also gets System level privileges.

Attacked system: a system without MS SQL Server2000 SP3 installed

Because the worm does not determine whether it has invaded the system, the harm caused by the worm is obvious, constant attempts to invade will cause a denial of service attack, resulting in paralysis of the attacked machine.

The worm is exploited by a buffer overflow vulnerability in sqlsort.dll in the attacked machine to gain control.

Then the addresses of GetTickCount function and socket and sendto function are obtained from kernel32 and ws2_32.dll respectively.

Then call the gettickcount function, use its return value to generate a random number seed, and use this seed to generate an IP address as the target of attack

Then create a UDP socket, send its own code to port 1434 of the target machine to be attacked, then enter an infinite loop, repeat the above to generate random numbers to calculate the ip address, and launch a series of attacks.

These are the characteristics of the SQL killer worm attack, and the editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.