[Elecraft] List up?
[email protected]
[email protected]
Wed Jan 29 17:17:05 2003
On Wed, 29 Jan 2003 [email protected] wrote:
> Bob, N7XY wrote:
>
> "I haven't seen any official announcement, but it appears that qth.net
> had some problems, as several lists were extremely quiet."
> ==========
> A new virus hit many SQL servers world-wide a few days ago, slowing
> things down considerably. By now they should be back in business.
>
> 73, de Earl, K6SE
Earl,
The packets-per-second and bits-per-second issues (i.e., the worm spreading)
have been mitigated fairly effectively by efforts of backbone providers.
One problem that we still face in that area is that on many backbones, the
filters to stop the attack have been put on peering interfaces. Peering
interfaces are the connections between providers. This option was chosen
by many because it is easier (less manpower involved, less apt to
fat-finger a router config) to implement these filters on, say, 100 peering
interfaces than to do it on 10,000 customer-facing interfaces. While
these filters effectively keep infected customers of provider-A from
getting to providers B through ZZZZ, it does not prevent provider-A's
customers from hammering on other provider-A customers.
Something else to be aware of is this will most definitely NOT be the last
worm/virus that we see exploit the vulnerability in the MS SQL 2000
server. Why? Because, as I outlined in my previous post, the filters
have some bad side effects on legitimate communications and they also
require router resources to remain in place. Some backbone providers I've
been in communication with have stated that as soon as Friday January 31,
2003, they will be removing the filters.
The "SQL-slapper" worm did not modify anything on infected
hosts. Rebooting the infected server would effectively remove the
infection. Couple this with the fast action on the part of
backbone operators who participate in the NSP-SECURITY community, and the
end result is:
(a) Many "vulnerable" SQL servers will remain unpatched because they never
got infected and there is (sadly) an "If it ain't broke, don't fix
it" mentality in many IT departments.
(b) Many IT departments don't realize that it is THEIR responsibility to
patch their servers and that the intervention that takes place on the part
of backbone operators is not and CAN NOT be a permanent fix for the
problem. The (mistaken) IT departments figure that since we're blocking
the worm/virus in the internet core, it will never make it to the edge and
infect their server so, why should they take the server offline to patch
it? (Idiots!)
(c) This worm was by all indications simply a "proof of
concept" trial. Granted, it was devastatingly effective in spreading
itself and also caused huge network-related issues as a side effect, but
it didn't do anything besides attempt to replicate, and it was not a
permanent infection (i.e., a reboot removes the worm code from the
server). The _original_ exploit code was much different. It allowed the
bad guy to seize control of the infected server to do much more nasty
things. With the very fast replication rate of the exploit, it would be
fairly trivial to write the code in such a way as to remain under the
radar, yielding a "zombie" machine that is infected and controllable by
the bad guys at some future point. The owner/administrator of the server
would not know of the infection until such time as their server were used
in an attack. A crafty bad guy may obtain 200,000 "zombies" during the
infection process but only use say 2000 of them each time they
"activate" their army of zombies to attack a victim. This means that even
if they lost EVERY zombie used in each attack, the single infection run
would give the bad guy enough "zombies" in his army to mount 100 separate
devastating attacks.
(d) You can be very certain that there are many, MANY miscreant
programmers out there going over the original exploit code and modifying
it to yield stealth zombies (sleeper cells to borrow a term from the news
media) that they will use to send SPAM, cause network disruption or worse
in the future. They will test their code in their own private testbed
networks and get it ready. Then, when the backbone providers remove the
UDP/1434 filters that we have in place now, the miscreants will launch
their infection phase, infecting servers outlined as remaining vulnerable
in points (a) and (b) above as well as new servers that are being put
online daily by administrators who don't bother to make sure that their
new installation is patched up to the latest revision.
So, in summary, the "back in business" comment is a sadly common
underestimate of the evil-doers.
I won't post any further on this topic to the Elecraft list as it is now
very off topic for the list. If anyone wants to discuss this in private
email, I'll gladly do so. The more people we have educated in network
security, the better.
73 de John - K4WTF
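The point in the post about where the UDP/1434 filters were placed (on a provider's few peering interfaces rather than its many customer-facing interfaces, so cross-provider worm traffic is stopped while customer-to-customer traffic inside the same provider is not) can be made concrete with a small model. The following is an added example, not code from the original post or from any provider's configuration. It assumes a simplified topology: each provider is a set of customer hosts behind customer interfaces, traffic between two providers crosses a peering interface on each side, and an ACL installed on an interface drops matching packets in both directions. The host names, provider names and sample flows are constructed. The "legitimate UDP/1434" flow stands in for the post's unnamed "legitimate communications" that the port filter also breaks; the SQL Server resolution service does use UDP/1434, but treating that as what the post meant is my assumption.

```python
from dataclasses import dataclass

WORM_PORT = 1434  # UDP/1434: the port the post says the backbone filters target


@dataclass(frozen=True)
class Flow:
    src: str    # hypothetical host names: "a1" is a customer of provider A
    dst: str
    proto: str  # "udp" or "tcp"
    dport: int


@dataclass
class Provider:
    name: str
    customers: frozenset              # hosts attached to customer-facing interfaces
    filter_on_peering: bool = False   # ACL on the (few) peering interfaces
    filter_on_customer: bool = False  # ACL on the (many) customer-facing interfaces


def owner(host, providers):
    """Return the provider that host is a customer of."""
    for p in providers:
        if host in p.customers:
            return p
    raise KeyError(host)


def path(flow, providers):
    """Interfaces a flow crosses, as (provider, kind) pairs.

    Intra-provider traffic never touches a peering interface: it enters on one
    customer interface and leaves on another inside the same provider.
    """
    src_p, dst_p = owner(flow.src, providers), owner(flow.dst, providers)
    hops = [(src_p, "customer")]
    if src_p is not dst_p:
        hops += [(src_p, "peering"), (dst_p, "peering")]
    hops.append((dst_p, "customer"))
    return hops


def matches_worm_acl(flow):
    """A blunt port filter: it cannot tell worm traffic from a legitimate
    UDP/1434 query, which is the side effect on legitimate traffic the post notes."""
    return flow.proto == "udp" and flow.dport == WORM_PORT


def is_blocked(flow, providers):
    """True if any interface on the flow's path carries the ACL."""
    if not matches_worm_acl(flow):
        return False
    return any(
        (kind == "peering" and p.filter_on_peering)
        or (kind == "customer" and p.filter_on_customer)
        for p, kind in path(flow, providers)
    )


def demo_providers(filter_customer_edges=False):
    """Two providers, both filtering on peering interfaces; optionally also on
    customer interfaces (the 10,000-interface option the post says was not chosen)."""
    return [
        Provider("A", frozenset({"a1", "a2"}), filter_on_peering=True,
                 filter_on_customer=filter_customer_edges),
        Provider("B", frozenset({"b1"}), filter_on_peering=True,
                 filter_on_customer=filter_customer_edges),
    ]


# Constructed sample traffic, not captured data.
DEMO_FLOWS = {
    "worm A->B": Flow("a1", "b1", "udp", 1434),
    "worm A->A": Flow("a1", "a2", "udp", 1434),
    "legit tcp/1433 A->B": Flow("a2", "b1", "tcp", 1433),
    "legit udp/1434 A->B": Flow("a2", "b1", "udp", 1434),  # collateral damage
}


def blocked_names(providers, flows=DEMO_FLOWS):
    """Names of the sample flows the given filter placement would drop."""
    return sorted(name for name, f in flows.items() if is_blocked(f, providers))


if __name__ == "__main__":
    for label, provs in (("peering-only filters", demo_providers()),
                         ("peering + customer filters", demo_providers(True))):
        print(f"{label} blocks: {blocked_names(provs)}")
```

With filters only on peering interfaces, the model drops the A-to-B worm flow (and the legitimate UDP/1434 query with it) but lets the A-to-A worm flow through; only when the ACL is also pushed to the customer-facing interfaces does intra-provider spread stop, at the cost of many more router configurations to get right.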