Slammer's Snap Shot

Lưu Điền Trang
(ZER0)

Moderator
When W32.SQLExp.Worm attacks a vulnerable system, it does the following:

Sends itself to the SQL Server Resolution Service, which listens on UDP port 1434.

Takes advantage of a buffer overflow vulnerability that allows a portion of system memory to be overwritten. When the worm does this, it runs in the same security context as the SQL Server service.

Calls the Windows API function, GetTickCount, and uses the result as a seed to randomly generate IP addresses.

Opens a socket on the infected computer and attempts to repeatedly send itself to UDP port 1434 on the IP addresses it has generated, by using an ephemeral source port. Because the worm does not selectively attack the hosts in the local subnet, large amounts of traffic are the result.

This large amount of traffic basically creates a Denial of Service (DoS) attack. Since this gets distributed rather quickly around a network, it generates so much traffic that normal network connectivity is impaired, denying or reducing your network throughput.
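
One way to spot the propagation pattern described in the post above from flow records (an added example, not part of the original post): it flags any source that sends UDP datagrams to port 1434 on many distinct addresses within a short window and reports how many of those targets lie outside the source's own /24. The flow-record format, the one-second window, the five-destination threshold and the function names are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict, deque

SQL_RESOLUTION_PORT = 1434  # UDP port of the SQL Server Resolution Service
WINDOW_SECONDS = 1.0        # assumed sliding window
MIN_DISTINCT_DSTS = 5       # assumed threshold; tune for the monitored network

def parse_flow(line):
    """Parse 'seconds proto src:sport dst:dport' (constructed record format)."""
    ts, proto, src, dst = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return float(ts), proto.lower(), s_ip, int(s_port), d_ip, int(d_port)

def find_scanners(lines, window=WINDOW_SECONDS, min_dsts=MIN_DISTINCT_DSTS):
    """Return {src_ip: share of targets outside its /24} for sources that hit
    UDP/1434 on >= min_dsts distinct hosts in one window. Input is time-ordered."""
    recent = defaultdict(deque)  # src_ip -> (timestamp, dst_ip) inside the window
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        ts, proto, s_ip, _sport, d_ip, d_port = parse_flow(line)
        if proto != "udp" or d_port != SQL_RESOLUTION_PORT:
            continue
        q = recent[s_ip]
        q.append((ts, d_ip))
        while q and ts - q[0][0] > window:  # expire records older than the window
            q.popleft()
        dsts = {d for _, d in q}
        if len(dsts) >= min_dsts:
            local = ipaddress.ip_network(s_ip + "/24", strict=False)
            off_net = sum(ipaddress.ip_address(d) not in local for d in dsts)
            flagged[s_ip] = off_net / len(dsts)  # near 1.0: no subnet preference
    return flagged

# Constructed sample flows using documentation address ranges, not real traffic.
SAMPLE = """\
0.00 udp 192.0.2.10:1045 198.51.100.7:1434
0.01 udp 192.0.2.20:3012 192.0.2.5:1434
0.02 udp 192.0.2.10:1045 203.0.113.99:1434
0.03 udp 192.0.2.30:5353 198.51.100.1:53
0.04 udp 192.0.2.10:1045 198.51.100.200:1434
0.05 udp 192.0.2.10:1045 203.0.113.14:1434
0.06 udp 192.0.2.10:1045 198.51.100.33:1434
0.07 udp 192.0.2.10:1045 203.0.113.250:1434
"""

if __name__ == "__main__":
    print(find_scanners(SAMPLE.splitlines()))
```

The single lookup from 192.0.2.20 and the port 53 traffic from 192.0.2.30 stay below the threshold, so only the fan-out source is reported.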
 