2003, Virus (Strain: Origin - Deconstruction - Metamorphosis)

zhaozj, 2021-02-16

Please believe that we have tried our best to recall the years we lived through, but some feelings, once forgotten, are hard to call back. We have come to rely on the network even for our closest communication. It is March, there is a restless longing in the heart, and winter is already far away. When the collapsed years pressed on me, I knew I was looking for you. Just setting out, full of eagerness, walking in March under the spring sun that has always shone, proud of our wisdom before ten thousand pairs of eyes ... It is March ... On the afternoon of January 25, 2003, South Korea's national intelligence and communications agency suddenly discovered large-scale attacks on web servers that resembled hacker attacks, extremely violent in both reach and speed. This continuous, fierce attack forced several major DNS servers in South Korea to shut down. Network service throughout Korea was completely interrupted; Korea Telecom Freetel and other Korean network servers were hit hard, military Internet users could not use Internet services, and mobile phone text messaging and other services were also forced to stop because of the violent attack. South Korea is one of the countries with the highest Internet penetration in the world: two-thirds of its 46 million people are Internet users, and many more rely on the various services provided over the Internet, so the sudden incident seriously affected ticket reservations, online shopping, email, web telephony and other services, and the Internet cafes operating throughout Korea also suffered a serious blow. Fortunately, the incident occurred on a Saturday afternoon, so Internet financial services such as South Korea's online stock exchanges were not affected. The systems were restored after several hours, but South Korean officials said speeds were still very slow.
At the same time, a large-scale, vicious denial-of-service attack also broke out across the United States, leaving Americans baffled: the attacking hosts came from every region of the world, and the violent attack seriously congested the Internet, slowing web browsing and the sending and receiving of email. The attack storm quickly spread to every corner of the world. Most banks in the United States stopped working under the persistent attack; the third-largest bank in the United States had outages over a large area, and customers holding credit cards could not make purchases. Long queues formed at ATMs and in supermarkets. Shortly afterwards the network in mainland China also fell into a state of general congestion: at 0:30 in the morning some users could not connect to international servers. Japan's NHK television news reported that huge data traffic had blocked the country's Internet connections, and the server of one national university was subjected to more than 200,000 attacks within an hour; the network security agency became involved. Chunghwa Telecom, one of the largest ISPs in Taiwan, said its systems were in difficulty and some customers could not connect to the Internet, with the specific losses unclear. The Malaysian private ISP Timedotcom said it had received countless complaints from callers partly or completely unable to access the Internet. New Delhi in India reported that network services were fully interrupted, though the software R&D centres of Hyderabad and Bangalore reported nothing. A Philippine ISP noticed that something was wrong early on Saturday and temporarily shut down; the company said it was forced to make this decision because it could not distinguish the flood of external data trying to enter its systems.

[Global Network, January 27, 2003] Within just a few hours, network servers in Western Europe, Asia, North America and other regions were all hit hard, and for a time the rumour spread that China's "Honkers" (red guests) were attacking servers all over the global Internet. The FBI, CIA and other agencies immediately pointed the finger of association and suspicion at the "axis of evil" and the "rogue states". Some people who knew nothing about it even raised the Honker banner and claimed that a world hacker war had broken out, which alarmed everyone. Rumours do not survive scrutiny, and the truth of the matter gradually surfaced ... [Packet loss rate of the global Internet rose sharply on January 25] [Global backbone network lost responsiveness: response delay exceeded 180 milliseconds] Man thinks, God laughs. The most dramatic scene appeared in the most dramatic place. On November 23, 2002, the conference of the world's largest computer anti-virus organization, AVAR, came to an end in Seoul, South Korea. The main topics of the meeting covered two areas: anti-virus technology and strategy, and the exchange of experience in intergovernmental virus-control operations. The Koreans never imagined that only a short while later a computer worm exploiting a vulnerability in Microsoft SQL Server 2000 would sweep through the whole of South Korea, and that worm was also the start of the incident described above. On January 24, 2003, US Eastern Time (January 25, Beijing time), the worm code-named "W32.SQLExp.Worm" (Chinese name "Worm.SQLEXP.376") appeared in Hong Kong, China, and spread at an astonishing geometric rate, attacking network servers over large areas of the world and causing the network congestion described above. The truth was now uncovered: although this virus does not attack personal computers directly, the infected servers send out such a huge volume of attack packets that the network is blocked, and the global Internet was already half paralysed.
On January 27, all the anti-virus companies in the world launched emergency solutions for W32.SQLExp.Worm, and Microsoft, more than anyone, told every customer it could reach how important SQL Server SP3 is! Although the virus struck on a Saturday, it has little persistence: it can be removed simply by restarting the server. Therefore, in just two days, its rapid global spread was basically brought under control. But "SQL Slammer", as the worm is also known, still ranks in the top ten for virus damage. According to foreign media reports, "SQL Slammer" caused economic losses of up to 1.2 billion US dollars worldwide, including in South Korea, Japan, China and other Asian countries. According to the information technology (IT) industry site CNET, the British market research institution mi2g predicted that by the fifth day of the "SQL Slammer" virus, productivity losses worldwide had reached 950 million US dollars and could reach as high as 1.2 billion US dollars. Compared with earlier "professional viruses" such as Klez (the "job-seeking letter" worm) and Love Letter, such a loss is still small. According to the same estimates, the productivity losses caused by Klez, Love Letter and Code Red were 9 billion, 8.8 billion and 2.6 billion US dollars respectively. In the company's statistics, the "SQL Slammer" virus ranked ninth.

The main losses listed by mi2g include: 1. paralysis of domain name resolution servers (DNS); 2. failure of bank automated teller machines; 3. failure of online booking systems such as ticketing; 4. failure of payment systems such as credit cards; 5. Internet paralysis events in Asia, in South Korea and China. According to the analysis, most of the victims of the "SQL Slammer" virus were ordinary people who could not connect to the Internet or book tickets, so the "direct loss" is larger than in the past. The worm era has begun ... The origin - the concept of the worm comes from John Brunner's classic 1975 science-fiction novel The Shockwave Rider. The novel describes a hegemonic government that controls the real world through a powerful computer network; a programmer from a rebel organization writes a program named "tapeworm" into the network, the "tapeworm" keeps copying itself and breaks the network on a large scale, the government is forced to shut the network down in order to control and kill the "tapeworm", and the rebels overthrow the government while the network is down and win their freedom. Now the story feels very familiar to us: the "tapeworm" program in the story is no different from today's worms. April 26, 1998 has become a date in our history that can never be erased. Every computer enthusiast can recall everything that happened that day; the pain that CIH brought to Chinese computer users remains in everyone's memory, and China's domestic computer users felt the existence and threat of viruses. For a long time afterwards, stand-alone anti-virus software for individuals sold well, and domestic computer users' awareness of virus prevention improved markedly.
However, the viruses of the next few years seemed to come less close to us. Worms such as Klez in particular, though very noisy in name, had lost most of their power by the time they crawled into China, largely because of the increased protection awareness of domestic users: almost everyone's computer was equipped with anti-virus software, so the scope of the victims was kept under control. But careful observers noticed that worms alone occupied six of the ten most threatening viruses of 2002: Nimda, Funlove, Klez, Code Red, "Mr. CAM" and so on, and at this point the public found that the worm had begun to surface. The worm is not a new type of virus. Robert Tappan Morris, son of Bob Morris, former chief network security expert of the US National Security Agency, was a computer prodigy obsessed with computers. On November 12, 1988, Morris used a vulnerability in the Unix system to develop the world's first worm, the "Morris Worm", and an hour later released his insect baby in the MIT Artificial Intelligence Laboratory; within a few minutes this ancestor of the worms had spread wildly to hundreds of computers. By the time Morris was ready to enjoy dinner, his insect baby had attacked nearly 10,000 computers, and all the major research institutions and laboratories were completely paralysed. Morris paid for it with three years' probation, 400 hours of community service and a fine of 10,000 US dollars. However, because of the requirements of the physical environment, worms did not gain greater power in the decade that followed. With the increasing popularity of the Internet, in 2000 the quasi-worm "Melissa" reawakened people's memories, and from then on the worm family has kept growing.

The birth of worms has greatly increased the complexity of security protection. Looking back over these years of worms, we find that almost every large-scale worm first looks for a vulnerability in the software itself and then infects through it to achieve its attack. The era in which anti-virus vendors relied entirely on the virus itself (its signature) is over: the new generation of viruses requires anti-virus vendors not only to keep improving their virus libraries but also to pay ever more attention to security vulnerabilities. The attack target of this worm incident was mainly the server vulnerabilities of enterprise users, which is far more damaging than attacks on individual users, and the degree of destruction in this incident is enough to explain everything. The birth of "W32.SQLExp.Worm" not only made more people start to pay attention to worms; the combination of a network worm and a denial-of-service attack was not appearing before us for the first time, but the propagation technique and timing of "W32.SQLExp.Worm" were obviously precise, raising its destructive power to an unprecedented height. The combination of viruses and hacking techniques, which began with Code Red, keeps raising new topics for network security and manufacturing new terrors, and this worm incident should make domestic vendors pay more attention to this market: catching worms. Deconstruction - this worm incident was caused by a buffer overflow in Microsoft's SQL Server 2000. In fact, the vulnerability was published by a security organization called NGSSoftware Insight Security Research on July 25, 2002; its discoverer, David Litchfield, rated the risk level of the vulnerability as high. NGSSoftware Insight Security Research posted the vulnerability report on the Internet, and security advisory #NISR25072002 describes it in detail.
This detailed security report warned SQL Server 2000 users that the Resolution Service of Microsoft SQL Server 2000 handles user-supplied UDP packets improperly, and that a remote attacker can use this vulnerability to carry out a stack-based buffer overflow attack. The original text of the report pointed out that Microsoft SQL Server 2000 supports serving multiple SQL Server instances on a single physical host. Each instance runs as a separate service, but the instances cannot all use the standard SQL session port (TCP 1433), so the SQL Server Resolution Service listens on UDP port 1434 and provides a way for clients to query the appropriate network endpoint of a particular SQL Server instance. When the SQL Server Resolution Service receives on UDP port 1434 a UDP packet whose first byte is set to 0x04, the SQL monitoring thread takes the data in the UDP packet and uses this user-provided information to try to open a registry key. For example, sending a UDP packet such as \x04\x41\x41\x41\x41 makes the SQL service program open the following registry key: HKLM\Software\Microsoft\Microsoft SQL Server\AAAA\MSSQLServer\CurrentVersion

The report clearly warned administrators that an attacker can append a large amount of string data to this UDP packet; when the service tries to open the registry key corresponding to that string, a stack-based buffer overflow occurs, and by overwriting the return address saved on the stack with the address of a "jmp esp" or "call esp" instruction, the attacker can execute arbitrary instructions on the system with the privileges of the SQL Server process. However, the report only drew Microsoft's attention: Microsoft then released an emergency patch to repair the vulnerability, but very few people downloaded it, which became an even greater hidden danger once the worm arrived. Why did such a major vulnerability not attract the attention of database administrators and network management staff? Security experts pointed out that this "worm" virus enters through the so-called "port 1434", which is the standard entry point for accessing the Microsoft database server. To prevent the "worm" attack, that port can be blocked, but as soon as you do so the main business function of the server is lost, so this is not the best way to solve the problem. Although Microsoft released a patch for the vulnerability, it happened that Microsoft had just released the SQL Server 2000 SP2 patch package, and many companies' administrators thought that, having applied the SP2 patch, they need not worry for some time.
The systems directly affected by the vulnerability include: Microsoft SQL Server 2000 SP2, Microsoft SQL Server 2000 SP1, Microsoft SQL Server 2000 Desktop Engine and Microsoft SQL Server 2000, on the following platforms:
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0
- Microsoft Windows 2000 Server SP3
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Advanced Server SP3
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
Second, Microsoft fights every day to patch its own systems, yet the effect is often only a drop in the bucket. Microsoft patching its systems is of course a good thing, but the drawbacks of this practice are also obvious. First, the companies and individuals using Microsoft systems number in the many thousands, and Microsoft's staff are obviously run off their feet. Second, Microsoft keeps issuing patches, and haste breeds mistakes: many users report that Microsoft's different patches themselves conflict with one another, which has made many users wary of Microsoft's patches. Third, once an online attack has already happened, downloading a patch is impossible. This kind of embarrassment is something Microsoft may never even have thought of.

The "W32.SQLExp.Worm" worm exploits this deadly soft spot of Microsoft's: it sends packets to UDP port 1434, the resolution service port of SQL Server, on servers running Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000. Once the overflow succeeds, it starts sending copies of the virus to random IP addresses. Since this is an endless loop, the packet rate is related only to machine performance and network bandwidth, so the amount of data sent is very large: each infected machine sends nearly a thousand packets per second. Because of the huge volume of packets, the worm also produces the effect of a denial-of-service (DoS) attack. Network performance on a worm-infected network declines sharply, and past a certain point this leads to complete paralysis of the entire network. The mechanism of this virus is very like cancer: a benign tumour does not kill the cells of the body, it just keeps growing and swallowing every nutrient until all the cells of the body are dead. With this worm, a 100 Mbit local area network needs only one or two infected computers before the worm blocks access to the whole network. The following chart data comes from the well-known security organization SANS (http://www.sans.org) [chart not reproduced]. The "W32.SQLExp.Worm" worm generates its target addresses with an algorithm; it does not check whether the IP addresses in its list exist, whether they have already been attacked, or of course whether the computer at that IP address is switched on, so its packet rate is abnormally high. As long as one server is infected, the switch of the entire network segment comes under enormous data-processing pressure, and when two or three machines are infected the entire local area network falls into a paralysed state.

Because there is no limit on its propagation, the backbone routers at all levels also come under great pressure, so the impact on the entire backbone network is enormous, and huge economic losses are inevitable. Security experts recommend that all users running Microsoft SQL Server 2000 and MSDE 2000 follow this solution: 1. We strongly recommend that users of Microsoft SQL Server 2000 or MSDE 2000 review the security vulnerabilities of their machines according to Microsoft Security Bulletin MS02-039 and Microsoft Security Bulletin MS02-061, or go to the URL microsoft.com/downloads/release.asp?releaseid=40602 to download Microsoft's vulnerability patch, or install Microsoft SQL Server 2000 SP3: http://www.microsoft.com/sql/downloads/2000/sp3.asp. 2. Block UDP port 1434 in both directions, external to internal and internal to external, on the firewall or router. If the system is responding slowly because of the DoS effect, you can disconnect the network connection, then terminate the process sqlservr.exe in the Windows Task Manager, and restart the service in the SQL Server Service Manager after the corresponding protections have been applied.

So who wrote "W32.SQLExp.Worm"? This mystery has become the most speculated-about topic. A Chinese-American senior security expert told the author that although the worm first broke out in Hong Kong, China, it is unlikely that a Chinese wrote it. First, judging from the habits of Chinese virus writers, worms written by Chinese are usually aimed at specific targets, for example attacking only US or Japanese IP ranges. Second, analysis of the virus code suggests that the style of writing is more European. He firmly believes that the writer of this virus was a computer hacker rather than a professional virus writer, because "W32.SQLExp.Worm" contains only attack and propagation components and does no data destruction, and because "W32.SQLExp.Worm" has surprisingly low persistence: the server only needs to be restarted and patched to uproot it. Judging from the programming ability of the virus author, it would have been very easy for him to make "W32.SQLExp.Worm" destroy data if he had wanted to, so it appears the writer of the virus was not very interested in the data on the servers. Metamorphosis - this worm storm has already subsided, and perhaps you believe that the fear of the worm will fade with the passing of time and years, but those crazy virus makers are standing quietly behind their electronics, making the next virus, and the virus keeps transforming! A new mail virus appeared on the Internet in 2001 which not only attacks Web TV (WebTV) devices but also affects the emergency telephone service network. The virus was first exposed on the WebTV user bulletin boards, such as WebTV's alt.discuss newsgroups. According to reports, once the infected attachment is opened, the WebTV shuts down, restarts, and then dials 911. Microsoft's customer service supervisor also confirmed that 18 customers had called them to report this strange behaviour of their WebTV. WebTV is now called MSNTV, but some older units still carry the WebTV brand.
According to Microsoft, both are affected. As early as April 2000, the National Infrastructure Protection Center (NIPC) issued a security bulletin warning of a virus that could erase the hard disk and make the computer dial 911. However, that virus did not spread widely. The current concern is that this virus can affect the response services for emergency events. Microsoft recommends that affected users delete suspicious emails and call 1-800-469-3288. Technicians recommend that victims disconnect the WebTV or restart the machine. Microsoft said the virus is currently being investigated, in particular how it copies itself and controls the WebTV modem. The virus can infect Microsoft WebTV/MSNTV; Windows PCs, Macs, Unix and Linux machines are not affected. The figure of the digital-device virus has begun to walk into public life. The concept of the digital-device virus drew the attention of the public and the media in 1998: April 26 of that year saw the massive attack of the "virus of the century", CIH, which destroyed millions of computers. CIH not only broke the myth of anti-virus software but also, for the first time, made hardware manufacturers take notice. CIH changed our traditional understanding of viruses: it can lie latent in the computer's memory, and when it triggers it writes "garbage code" into the BIOS on the computer's motherboard, so that your motherboard is paralysed immediately. This theory of viral failure applies equally to most of the digital devices now in fashion, because today's digital products almost all have memory or hardware such as a BIOS. Mobile phones, PDAs, GPS units, digital cameras and so on undoubtedly provide a powerful environment for viruses to lie dormant and break out.

The first true mobile-phone virus appeared in Spain in 2000. This virus abandoned most of the concepts of traditional viruses: besides running on computers, it also disturbed users through the "email to mobile" (SMS) function provided by mobile phone operators. This attack mode resembles a mail bomb: it delivers a large number of messages to mobile users so that they cannot receive normal short messages, but it does no damage to the phone itself. This kind of mobile phone attack has also appeared in China, and some mobile phone "SMS bomb" tools bear an amazing similarity to it. Such a tool can send a large amount of spam or advertising to any mobile phone user through the SMS service operator, but because it is not very destructive it has not attracted much attention. Six viruses have appeared on the market. They are: the first, "EPOC_ALARM", which keeps sounding a warning tone, harmless but quite annoying; the second, "EPOC_BANDINFO.A", which changes the user information to "SomeFoolOwnThis" when it triggers; the third, "EPOC_FAKE.A", which displays on the phone screen a message that the built-in disk is being formatted, though there is no need to panic because the phone does not actually perform a formatting operation; the fourth, "EPOC_GHOST.A", which displays "Everyone hates you" on the screen; the fifth, "EPOC_LIGHTS.A", which makes the backlight flash; and the sixth, "EPOC_ALONE.A", which disables keyboard operation. The first five of these six viruses are not very harmful and have the flavour of a prank, but the sixth, "EPOC_ALONE.A", is a malicious virus. When the device runs the infected program, the screen shows what it displays when receiving a file over infrared communication, and at that moment the virus quietly hides itself in memory.
Once the virus is resident in memory, the message "Warning-Virus" is displayed on the screen and the phone no longer accepts any keyboard operation. When you discover this later, you can enter "LeaveMeAlone" to release the phone from the virus. That the mobile phone virus in Spain did not break out on a large scale is mainly due to its technical and physical limitations. On the technical side, many mobile phones do not yet have WAP functions, and these phones have independent software systems that are not compatible with one another; many people do not understand WAP programming, which creates a buffer period before mobile phone viruses break out. The physical limitations are mainly reflected in the differing user-group information of different regions; for example, mobile phones in Europe cannot send text messages. There are regional physical limitations, and there is no large body of common systems and software between different phones. We have forgotten the killer behind the technology while enjoying the technology. However, as technology develops, the viral pattern keeps being refreshed, and today's digital devices offer data communication such as picture transmission and Internet access. These really do bring us convenience: just log on to the relevant website and press a few simple buttons, and we can change the personalised logo of our mobile phone or download our favourite ringtones. Perhaps one day your mobile phone's SIM card will be cloned by hackers in a few minutes, and those hackers can use the cloned SIM card so that your phone not only stops working normally but also runs up high call charges. All these operations are carried out by writing certain instructions into the phone's system or memory, and some of these instructions are even opened up for developing new services.

On January 17, 2001, researchers at the Dutch security company ITSX found that a number of popular Nokia mobile phones have a bug: hackers can use this security vulnerability to send the phone a malformed electronic text message of 160 characters that crashes the operating system. This harmful SMS virus mainly affects the Nokia 3310, 3330 and 6210 mobile phones. Nokia confirmed the existence of the vulnerability and said the company had repaired it last year, so newly produced mobile phones would not be affected by such harmful short messages. However, many older phones produced before last year remain very easy to attack. To solve the problem of upgrading mobile phone software, the new generation of mobile phones comes with an interface cable for connecting to a computer, in the hope that users can update their phone software to make up for vulnerabilities. As mobile phone application functions increase, and as manufacturers provide entertainment and multimedia software for mobile phone users to download, the WAP mobile phone is now becoming an important target of hacker attacks, because it is easier to attack a WAP phone directly over the network than a GSM phone. However, some experts have pointed out that this is technically very difficult: most mobile network operators have set up security systems in the WAP server and "gateway", and ordinary users need not worry. Of course, mobile phone manufacturers say their phone systems are secure, but where is there a 100% secure system? The attacker uses a short message carrying malicious code: the code is written in assembly language for the phone's system (microprocessor, memory and other electronic parts) and delivered as machine code, mostly in hexadecimal (HEX), whose meaning the average person cannot easily decipher; the instructions hide in memory and then spread the virus when the phone contacts other phones.
However, with 3G the mobile phone is becoming a small computer with MMS, digital camera and other functions, the phone has software processing capability, and in addition it connects to the computer; as these common features improve, the outbreak of mobile phone viruses has become only a matter of time. Demand for anti-virus products based on the WAP "gateway" has arisen, and the relevant mobile phone manufacturers and telecommunications companies should put this issue on the agenda. WAP mobile phone users should pay attention to new information at all times in order to prevent it. The US army fights high-tech wars, and the soldiers' dependence on high technology has reached 74%. In the US military, every soldier is equipped with a GPS navigation system, and the GPS can download the latest Iraqi military maps provided by the US operations command. Soldiers can also report to the command centre in real time through communications equipment such as GPS. These GPS locators use the same software operating system and have an internal structure of writable data; hackers could exploit these deadly weaknesses by sending fake information or viruses to the GPS, turning the US military deaf and blind and wiping it out on the battlefield. This is not mere imagination; precedents have been set one after another. Complex features and networking will completely wipe out the purity of the past, and the non-toxic safe islands of digital devices will also suffer their Pearl Harbor.

Since the first batch of PalmOS Trojan horses (Phage and Vapor) in 2002, the security problems of handheld computers have attracted more attention. When a PDA synchronises data with the Internet, its chance of being attacked by hackers and infected by viruses is higher than that of any other digital device. In addition, many users do not realise that the information stored on their PDA can be exposed to unauthorised users, so they do not pay attention to the security of that data as they do when using a PC. Although PDAs have been equipped with security protection procedures by various companies and government bodies, such as one-time passwords, access audit records and confidential directories, some additional wireless features of PDAs, such as infrared and wireless spectrum connections, add security risks. In addition, current portable devices have no components against viruses and other malicious code, and PDAs cannot run large-scale defence software because it would consume the limited and expensive resources of the PDA, while virus makers can easily manufacture small, highly contagious viruses by the tens of thousands. Therefore the most severe problem facing digital devices such as PDAs is that they are "hard to defend". Today wireless networks are becoming more and more popular, but in stark contrast fewer than 5% of wireless devices have anti-virus programs, which to some extent also opens a broader potential market for anti-virus manufacturers: killing viruses on digital devices. There are currently two main technical measures for dealing with digital-device viruses: one is to disinfect the digital device through a wireless website; the other is to disinfect it through the IC interface or infrared transport port of the digital device. Of course, most digital-device viruses have not yet reached a terrible level.
Take the mobile phone as an example: its current processing capacity (storage and computation) is not strong enough for a virus to run on it independently, so a virus can only harass the phone by way of a computer, a WAP server or a WAP gateway, and it is very hard for it to do substantial damage to the phone itself (destroying the smart card, charging, etc.). This is a war that will never stop: new viruses are born at a rate of 200 a day. Although we are glad to see anti-virus technology develop rapidly, never forget that what restrains viruses is often not technology but our security awareness. Keep a vigilant heart and always be ready for the virus's challenge!

W32.SQLEXP.Worm data

Also known as: SQL Slammer Worm [ISS], DDoS.SQLP1434.A [Trend], W32/SQLSlammer [McAfee], Slammer [F-Secure], Sapphire [eEye], W32/SQLSlam-A [Sophos]
Type: Worm
Infection length: 376 bytes
Affected systems: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows ME
Unaffected systems: Windows 3.x, Microsoft IIS, Macintosh, OS/2, UNIX, Linux
CVE reference: CAN-2002-0649

The worm picks random IP addresses. The Nth IP address is computed as follows: 107005 raised to the Nth power is multiplied by the time elapsed since boot (current time minus boot time, in milliseconds), combined with the product of N and a constant C. C depends on the Windows Service Pack number; on Win2K SP3, C = (0x77E89B18 and 0xFFD9613C).

Threat assessment

Port: UDP port 1434. The worm continuously sends traffic to randomly generated IP addresses, attempting to send itself to hosts that are running the Microsoft SQL Server Resolution Service and are therefore listening on that port. It attacks a vulnerability in Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000. The worm is a 376-byte packet sent to UDP port 1434, the Resolution Service port of a SQL server. Because of the huge volume of packets, the worm also produces a denial-of-service (DoS) effect.

On a system that has the vulnerability, W32.SQLEXP.Worm does the following: it sends itself to the SQL Server Resolution Service listening on UDP port 1434. The vulnerability is a buffer overflow, through which the worm obtains the security privileges of the SQL Server service itself. It calls the Windows API function GetTickCount to generate random IP addresses. It creates a socket on the infected machine and, from an ephemeral port, repeatedly sends itself to UDP port 1434 of the randomly generated addresses. Because the worm does not pick specific hosts in the network, the direct consequence of its running is huge network traffic.

Virus string signature: * H.dllhel32hkernqhouneickchgettf * hws2 * QHSOCKF * TOQHSEND

Recommendations: close port 1434 to unknown machines, and do not pass UDP packets whose destination port is 1434. All users and administrators should keep to the following basic security habits. Turn off or remove unneeded services.
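As an added example (not code from the article or from any vendor), a small Python detector for the traffic pattern just described: it parses UDP datagrams, flags those aimed at port 1434 whose 376-byte payload carries the string-signature fragments quoted above, and lists sources flooding that port. The 376-byte sample payload and the packet records are constructed for the example and contain only filler around the signature fragments.

```python
"""Added example: flag SQL Slammer-style UDP/1434 datagrams in captured traffic.
Illustrative code written for this page; every packet is constructed, none is worm code."""
import struct
from collections import Counter

SLAMMER_PORT = 1434         # SQL Server Resolution Service listens here (UDP)
SLAMMER_PAYLOAD_LEN = 376   # infection length given in the analysis
# Fragments of the worm string signature quoted in the analysis, matched case-insensitively
SIGNATURE_FRAGMENTS = (b"h.dllhel32hkern", b"hws2", b"qhsockf", b"toqhsend")

def parse_udp(datagram: bytes):
    """Split a raw UDP datagram into (src_port, dst_port, payload); None if too short."""
    if len(datagram) < 8:
        return None
    src_port, dst_port, _length, _checksum = struct.unpack("!HHHH", datagram[:8])
    return src_port, dst_port, datagram[8:]

def classify(datagram: bytes) -> str:
    """Return 'slammer', 'suspicious', 'benign' or 'malformed' for one datagram."""
    parsed = parse_udp(datagram)
    if parsed is None:
        return "malformed"
    _src_port, dst_port, payload = parsed
    if dst_port != SLAMMER_PORT:
        return "benign"               # not aimed at the Resolution Service
    hits = sum(1 for frag in SIGNATURE_FRAGMENTS if frag in payload.lower())
    if hits == len(SIGNATURE_FRAGMENTS) and len(payload) == SLAMMER_PAYLOAD_LEN:
        return "slammer"              # full signature at the known length
    if hits:
        return "suspicious"           # partial match: variant or truncated capture
    return "benign"

def flood_sources(records, threshold: int):
    """Sources sending more than `threshold` datagrams to UDP/1434 (the DoS side effect)."""
    counts = Counter()
    for src_ip, datagram in records:
        parsed = parse_udp(datagram)
        if parsed is not None and parsed[1] == SLAMMER_PORT:
            counts[src_ip] += 1
    return sorted(ip for ip, n in counts.items() if n > threshold)

def make_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Build a UDP header (zero checksum is fine for an offline sample) plus payload."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload

# Constructed 376-byte payload carrying the signature fragments; filler, not worm code.
SAMPLE_BODY = (b"X" * 100 + b"h.dllhel32hkernqhouneickchgettf" + b"X" * 20 + b"hws2"
               + b"X" * 40 + b"QHSOCKF" + b"X" * 40 + b"TOQHSEND")
SAMPLE_BODY += b"X" * (SLAMMER_PAYLOAD_LEN - len(SAMPLE_BODY))
```

Feed `classify` each UDP datagram from a capture and `flood_sources` the (source IP, datagram) pairs; a full-signature hit at 376 bytes plus one source exceeding the threshold is the pattern the analysis describes.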
By default, many operating systems install auxiliary services that are not critical, such as FTP clients, Telnet and web servers. These services are convenient entry points for attacks; removing them reduces the avenues a blended threat can use and reduces the number of services that must be maintained when patches are updated. If a blended threat uses one or more network services, disable or block access to those services until a patch has been applied. Keep patches up to date, especially on computers that run public services and are reachable through the firewall, such as HTTP, FTP, mail and DNS services. Enforce a password policy: complex passwords make the password files on a compromised computer harder to crack, which helps prevent or limit further damage when a computer is compromised. Configure your mail server to block or remove email containing attachments that are commonly used to spread viruses (such as .vbs, .bat, .exe, .pif and .scr files). Quickly isolate infected computers to keep your organization from being further compromised. Perform an attack analysis and restore the computers from trusted media. Educate employees not to open unknown attachments.

Please credit the original address when reposting: https://www.9cbs.com/read-28226.html