A new "fileless" worm causes a global outbreak
Kaspersky Labs is warning users about the new Internet worm "Helkern"
(also known as "Slammer"), which infects servers running the popular
Web-enabled database Microsoft SQL Server 2000. The worm's extremely small
size (only 367 bytes), its unique technique for penetrating target computers
and its extraordinarily high speed of spreading allow us to proclaim
"Helkern" one of the biggest dangers threatening the normal operation of
the Internet to come along in recent years.
There have already been reports of serious disruptions in Internet operation in
"Helkern" belongs to the "fileless" worms category.
This type of malicious program performs all operations (including infection
and spreading) exclusively in the computer's operating memory without using any
permanent or temporary files. These features seriously complicate the detection
and disinfection of such worms using contemporary anti-virus technologies
(on-demand and on-access scanners). The first malicious code of this type,
"CodeRed", was discovered on
"Helkern" infects only computers running
Microsoft SQL Server 2000. This software is a multi-functional database system
widely used primarily on Web servers. For home users of any Windows version
who have not installed Microsoft SQL Server, the worm poses no threat.
"Helkern" exploits a security breach
("Buffer Overrun") in Microsoft SQL Server first detected in July,
2002. To do so, the worm sends a special request to a target
computer. When the request is processed the system automatically executes the
worm's code contained in this request. In this way a malefactor can run
malicious code without a user's knowledge. Next, "Helkern"
initiates its spreading routine. This process features extremely rapid sending
of the worm's copies to other Internet users: "Helkern"
starts an endless spawning loop that increases network traffic many times over. Nowadays
Microsoft SQL Server is one of the acknowledged leaders in the Web-enabled
database market and is used on hundreds of thousands of computers the world
over. These events show that many of these systems still contain a security
breach allowing infection at the hands of "Helkern".
"'Helkern' is a real threat that can cause
serious interruption to the normal operation of the Internet because the worm
generates a huge amount of redundant network traffic jamming data transmission
channels. Moreover, in the future, there is a possibility that such attacks
will happen with increasing frequency. These circumstances prove the necessity
to develop a new approach confronting Internet virus outbreaks. Contemporary
technologies have shown a low effectiveness when dealing with such
challenges," said Eugene Kaspersky, Head of
Anti-Virus Research for Kaspersky Labs.
Besides generating a large volume of redundant network traffic, "Helkern"
carries no other malicious payload, destructive or otherwise. Nevertheless,
Kaspersky Labs urges users to install a patch for the Microsoft SQL Server
security system. The patch is available free of charge at Microsoft's Web site:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=40602.
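
Because the worm never writes a file, its spreading loop is easier to see on the network than on disk. The sketch below is an added example, not part of the original article: it flags hosts whose UDP traffic to port 1434 (the SQL Server 2000 Resolution Service port, a detail the article does not state) fans out to many distinct addresses within a short window. The flow-record layout, the sample addresses and the thresholds are assumptions.

```python
from collections import Counter, defaultdict

SQL_RESOLUTION_PORT = 1434  # UDP port the SQL Server 2000 Resolution Service listens on


def find_spreading_hosts(flows, window=1.0, min_targets=50):
    """Return {src_ip: peak distinct destinations seen within `window` seconds}
    for sources whose UDP/1434 fan-out reaches `min_targets` (assumed threshold)."""
    per_src = defaultdict(list)
    for ts, src, dst, proto, dport in flows:
        if proto == "udp" and dport == SQL_RESOLUTION_PORT:
            per_src[src].append((ts, dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        in_window, start, peak = Counter(), 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            # Drop events that fell out of the sliding window (ts - window, ts].
            while events[start][0] <= ts - window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


def sample_flows():
    """Constructed flow records: (timestamp_s, src, dst, protocol, dst_port)."""
    flows = []
    # Infected server: one datagram to each of 200 different addresses in ~0.4 s.
    for i in range(200):
        flows.append((100.0 + i * 0.002, "10.0.0.5", f"198.51.100.{i + 1}", "udp", 1434))
    # Normal client: occasional instance lookups against a single SQL server.
    for i in range(5):
        flows.append((100.0 + i * 30, "10.0.0.9", "10.0.0.20", "udp", 1434))
    # Unrelated traffic that must be ignored.
    flows.append((100.1, "10.0.0.9", "10.0.0.2", "udp", 53))
    flows.append((100.2, "10.0.0.7", "10.0.0.20", "tcp", 1433))
    return flows


if __name__ == "__main__":
    for host, peak in find_spreading_hosts(sample_flows()).items():
        print(f"{host}: {peak} distinct UDP/1434 targets within 1 s")
```

A flagged host should be isolated and patched; since the worm lives only in memory, the patch is what prevents reinfection.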
PC Magazine, January 2003