-
Experienced User
Today my Kaspersky Internet Security display this notice:
--------------------------------------------------------------------------------------------------------------------
Intrusion.Win.MSSQL.worm.Helkern! Attack's IP addres: 219.133.37.40. Protocol/service: UDP on local port 1434. Time: 30/03/2008 8:18:19 PM
--------------------------------------------------------------------------------------------------------------------
I often get this. Has anyone got this notice before?
-
Guest
(I think you should have posted this in the --> Spyware/Viruses <-- forum.)
Info here:
Kaspersky Lab, an international data security software developer, is warning users to look out for the new Internet-worm "Helkern" (also known as "Slammer" or "Sapphire") that infects servers running under the popular Web-enabled database Microsoft SQL Server 2000. The extremely small size of the worm (only 376 bytes), a unique technology it employs for penetrating target computers and an extraordinarily high spreading speed allow us to proclaim "Helkern" one of the biggest dangers threatening the normal operation of the Internet to come along in years. There have already been reports of serious disruptions to Internet functioning in South Korea, Australia and New Zealand.
It is possible to say the worm has caused one of the largest virus outbreaks in history, one that has affected users from all corners of the globe: messages describing infections from "Helkern" are being received from Europe, the United States and Eastern Asia.
"Helkern" belongs to the "fileless" worm category. This type of malicious program performs all operations (including infection and spreading) exclusively in the computer's operating memory without using any permanent or temporary files. These features seriously complicate the detection and disinfection of such worms using contemporary anti-virus technologies (on-demand and on-access scanners). The first malicious code of this type, "CodeRed", was discovered on July 20, 2001. At that time it caused a wide-scale outbreak infecting dozens of thousands of systems around the world. Up until now, with the exception of "CodeRed", "fileless" worms had not shown themselves.
"Helkern" infects only computers running Microsoft SQL Server 2000, a multi-functional database system widely used, primarily on Web servers. To home users of any Windows version without an installation of Microsoft SQL Server the worm poses no threat.
"Helkern" exploits a security breach ("Buffer Overrun") in Microsoft SQL Server that was first detected in July, 2002. To accomplish the "buffer overrun" exploit the worm sends a special request to a target computer. When the request is processed the system automatically executes the worm's code contained in this request. In this way a malefactor can run malicious code without a user's knowledge.
Next, "Helkern" initiates its spreading routine. This process features the extremely rapid sending of the worm's copies to other Internet users: "Helkern" starts an endless spawning loop that greatly increases network traffic. "Within just 3 hours of the start of the outbreak we have detected more than 20 thousand attempts by "Helkern" to penetrate our network," says Igor Mitiurin, Head of the Information Security Department at Russlavbank, a major Russian financial institution. "Fortunately all these penetration attempts were successfully blocked thanks to our implementation of an effective information security policy that includes the timely installation of security patches for all software used in our corporate network."
"Nowadays Microsoft SQL Server is one of the acknowledged leaders in the Web-enabled database market and is used on hundreds of thousands of computers the world over. These events show that many of these systems still contain the security breach allowing infection at the hands of "Helkern". "Helkern" is a real threat that can cause serious interruption to the workings of the Internet because the worm generates a huge amount of redundant network traffic that jams data transmission channels. Moreover, in the future, there is a possibility that such attacks will happen with increasing frequency. These circumstances underline the necessity to develop a new approach to confronting Internet virus outbreaks. Contemporary technologies have shown a low effectiveness when dealing with such challenges," said Eugene Kaspersky, Head of Anti-Virus Research for Kaspersky Lab.
The links are here:
http://www.kaspersky.com/news?id=970183
http://www.viruslist.com/en/viruslist.html?id=59159
"Stars and the Sun"
-
Guest
I got that msg before but don't have a problem with it coz KIS always saves my day... any decent firewall could block it.
It's a stupid worm that keeps running and finding victims from port to port...
-
Experienced User
It's fileless? Doesn't use any permanent or temporary files? I've never heard of something like this, yet it's been around since '01. Thanks for posting, ceyfer.
-
I got this message from Kaspersky too, and the one thing I can do is just block that IP address with the Kaspersky firewall.
-
Experienced User
The IP address changes every time!!!
-
I see that the IP address changes every time Kaspersky reports to you, but the port remains constant at 1434, so you can use your Kaspersky firewall to block this port too.
PS. I block the attacker by IP address when Kaspersky reports an intrusion from that IP more than once.
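The two rules of thumb in this thread (block UDP/1434 inbound, since the port never changes; block a source IP once it is reported more than once) can be automated from the notice text itself. The following is an added example, not code from the thread or from Kaspersky: it parses notices in the format quoted in the first post and derives both block lists. The notice regex, the `triage` function and its threshold are my assumptions; the sample notices below are constructed (the 203.0.113.x and 198.51.100.x addresses are documentation ranges, not real attackers).

```python
import re
from collections import Counter
from datetime import datetime

# Format of the Kaspersky notice quoted in the first post. The regex accepts both the
# "addres" spelling that appears in the quoted notice and the normal "address".
NOTICE_RE = re.compile(
    r"^(?P<name>[\w.]+)!\s+Attack's IP addres{1,2}: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\.\s+"
    r"Protocol/service: (?P<proto>TCP|UDP) on local port (?P<port>\d+)\.\s+"
    r"Time: (?P<time>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)$"
)


def parse_notice(line):
    """Parse one notice line into a dict, or return None if the line is not a notice."""
    m = NOTICE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "name": m.group("name"),
        "ip": m.group("ip"),
        "proto": m.group("proto"),
        "port": int(m.group("port")),
        "time": datetime.strptime(m.group("time"), "%d/%m/%Y %I:%M:%S %p"),
    }


def is_helkern_vector(event):
    """The worm's only delivery path named in the thread: a UDP datagram to port 1434."""
    return event["proto"] == "UDP" and event["port"] == 1434


def triage(lines, repeat_threshold=2):
    """Turn notice lines into two block lists (hypothetical policy, mirroring the thread).

    port_rules: every (proto, port) seen; the port stays constant, so block it inbound.
    ip_rules:   sources reported at least repeat_threshold times (the poster's rule).
    Returns (events, port_rules, ip_rules).
    """
    events = [e for e in map(parse_notice, lines) if e is not None]
    port_hits = Counter((e["proto"], e["port"]) for e in events)
    ip_hits = Counter(e["ip"] for e in events)
    port_rules = sorted(port_hits)
    ip_rules = sorted(ip for ip, n in ip_hits.items() if n >= repeat_threshold)
    return events, port_rules, ip_rules


# Constructed sample: the notice from the thread plus three made-up follow-ups and one
# unrelated report line that the parser must skip.
SAMPLE_NOTICES = [
    "Intrusion.Win.MSSQL.worm.Helkern! Attack's IP addres: 219.133.37.40. "
    "Protocol/service: UDP on local port 1434. Time: 30/03/2008 8:18:19 PM",
    "Intrusion.Win.MSSQL.worm.Helkern! Attack's IP addres: 203.0.113.5. "
    "Protocol/service: UDP on local port 1434. Time: 30/03/2008 8:19:02 PM",
    "Intrusion.Win.MSSQL.worm.Helkern! Attack's IP addres: 219.133.37.40. "
    "Protocol/service: UDP on local port 1434. Time: 30/03/2008 8:25:44 PM",
    "Intrusion.Win.MSSQL.worm.Helkern! Attack's IP addres: 198.51.100.7. "
    "Protocol/service: UDP on local port 1434. Time: 31/03/2008 1:02:10 AM",
    "some unrelated line from the report",
]

if __name__ == "__main__":
    events, port_rules, ip_rules = triage(SAMPLE_NOTICES)
    print(f"{len(events)} notices parsed, {sum(map(is_helkern_vector, events))} on UDP/1434")
    for proto, port in port_rules:
        print(f"block inbound {proto}/{port}")
    for ip in ip_rules:
        print(f"block source {ip} (seen {sum(e['ip'] == ip for e in events)} times)")
```

The port rule is the one that actually matters for a home machine: without SQL Server installed nothing listens on UDP/1434, so dropping that traffic costs nothing, while per-IP blocks only chase an address that, as the thread notes, changes with every infected host.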
-
Experienced User
Hey Ceyfer, if this virus is fileless and uses no memory, how the heck do you scan for it and nuke it?
ALWAYS A NEWBIE 
-
Guest
Read this: KAV and other security suites will defy this worm... unless a new variant shows up?
Helkern (aka Helkern, aka Sapphire) is an extremely small (just 376 bytes) Internet worm that affects Microsoft SQL Server 2000. To get into victim machines the worm exploits a buffer overrun vulnerability (see below).
When the worm code gets into a vulnerable SQL server it gains control (by using a buffer overrun trick), it then assumes three Win32 API functions:
GetTickCount (KERNEL32.DLL)
socket, sendto (WS2_32.DLL)
The worm then gets a random counter by using the GetTickCount function and goes into an endless spreading or "spawning" loop. In the spreading loop the worm sends itself to random IP addresses (depending on the random counter), to the MS SQL port 1434.
The worm sends multicast packets, meaning that with only one "send" command it hits all 255 machines in a subnet. As a result this worm is spreading 255 times faster than any other worm known at the moment.
Because MS SQL servers are often used on the Web this worm may cause a global INet DoS attack, because all infected servers will try to connect to other randomly selected machines in an endless loop - and this will cause a global INet traffic overflow.
The worm is memory only, and it spreads from an infected machine's memory to a victim machine's memory. The worm does not drop any additional files and does not manifest itself in any way.
There are text strings visible in the worm code (a mix of worm code and data):
h.dllhel32hkernQhounthickChGet
Qh32.dhws2_f
etQhsockf
toQhsend
Source: viruslist.com
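Because the worm never touches disk, the place to catch it is the network: a single UDP datagram to port 1434 whose payload carries the text strings listed above. As an added example (not from the post, viruslist.com or Kaspersky), the following parses raw IPv4/UDP packets and labels anything to port 1434 that contains all four strings. The packet builder, the label names and the stand-in payload are my assumptions; the payload is constructed filler padded to the quoted 376 bytes with the four strings embedded, and is not the worm.

```python
import struct

# Text strings reported visible in the Helkern/Slammer code (copied from the post above).
HELKERN_STRINGS = (
    b"h.dllhel32hkernQhounthickChGet",
    b"Qh32.dhws2_f",
    b"etQhsockf",
    b"toQhsend",
)
MSSQL_RESOLUTION_PORT = 1434  # UDP port the worm targets, per the thread
HELKERN_SIZE = 376            # worm size quoted in the thread


def ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def ip_str(raw4):
    return ".".join(str(b) for b in raw4)


def parse_ipv4_udp(raw):
    """Parse an IPv4 packet carrying UDP.

    Returns (src_ip, dst_ip, src_port, dst_port, payload), or None if not IPv4/UDP.
    """
    if len(raw) < 20:
        return None
    (ver_ihl, _tos, _total, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 17:      # version 4, protocol 17 = UDP
        return None
    ihl = (ver_ihl & 0x0F) * 4                 # header length in bytes (options included)
    if len(raw) < ihl + 8:
        return None
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    payload = raw[ihl + 8:ihl + ulen] if ulen >= 8 else b""
    return ip_str(src), ip_str(dst), sport, dport, payload


def classify(raw):
    """Label one packet: 'not-udp', 'ignore' (other port), 'port-1434-other' or 'helkern-signature'."""
    parsed = parse_ipv4_udp(raw)
    if parsed is None:
        return "not-udp"
    _src, _dst, _sport, dport, payload = parsed
    if dport != MSSQL_RESOLUTION_PORT:
        return "ignore"
    if all(s in payload for s in HELKERN_STRINGS):
        return "helkern-signature"
    return "port-1434-other"


def build_packet(src_ip, dst_ip, sport, dport, payload):
    """Assemble a minimal IPv4+UDP packet (checksums left zero; enough for offline testing)."""
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                         ip_bytes(src_ip), ip_bytes(dst_ip))
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return ip_hdr + udp_hdr + payload


# Constructed stand-in payload: filler padded to the quoted size with the four strings
# embedded. It is NOT the worm, only something the signature above should match.
_joined = b"".join(HELKERN_STRINGS)
SAMPLE_HELKERN_PAYLOAD = b"X" * (HELKERN_SIZE - len(_joined)) + _joined
SAMPLE_HELKERN_PACKET = build_packet("203.0.113.9", "192.0.2.10", 1434, 1434, SAMPLE_HELKERN_PAYLOAD)
SAMPLE_BENIGN_PACKET = build_packet("192.0.2.20", "192.0.2.10", 50000, 1434, b"hello")
SAMPLE_DNS_PACKET = build_packet("192.0.2.20", "192.0.2.53", 50001, 53, b"\x00" * 12)

if __name__ == "__main__":
    for name, pkt in [("sample worm-like", SAMPLE_HELKERN_PACKET),
                      ("benign 1434", SAMPLE_BENIGN_PACKET),
                      ("dns", SAMPLE_DNS_PACKET)]:
        print(f"{name:>16}: {classify(pkt)}")
```

A string signature like this identifies the known worm but, as the post itself hedges ("unless a new variant shows up"), any variant that reorders or rewrites those strings slips past it; the port-based block discussed earlier in the thread is the control that survives variants.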