Slashdot Mirror

← Back to Stories (view on slashdot.org)

New "SQLsnake" Microsoft Worm

Posted by ryuzaki0 on from the beware-the-worm-snake dept.

sevenn writes "A new worm, targeting the Microsoft SQL daemon, has been sweeping the net. It uses massive scanning, default passwords, exploits against vulnerable versions and even attempts to brute force passwords. Here is the (vague) Microsoft bulliten, the SANS analysis, and a securityfocus article" Already over a thousand compromised system- you're apparently only vulnerable if you run MS SQL, but the worm is causing a substantial spike in traffic to port 1433 on the net.

4 of 316 comments (clear)

  1. Nothing new by LohRhyda · · Score: 0, Redundant

    Same ball game, different inning.

    --
    EOU
  2. Massive scanning! by MrFredBloggs · · Score: 0, Redundant

    (adopts Chris Morris voice) "Using a *special tool*"

  3. Default passwords and servers exposed by rabtech · · Score: 5, Redundant

    First of all, if you attempt to set a blank admin password for SQL Server it gives you a warning that doing so is a very bad idea. None the less, you'd be surprised at how many are blank (or just use sa/sa). The article makes it sound like the default sa password is blank - this is NOT the case. Also, although you cannot disable the sa account, you can rename it during setup.

    Secondly, as has already been pointed out here, your database server should not be exposed to the net in general. There is usually very little reason to do so. If you need to let other machines access the SQL box from abroad, create an IP Security filter that only allows port 1433 for a specific subnet or ip address.

    Don't complain that you got rooted when your login is root/root.

    --
    Natural != (nontoxic || beneficial)
  4. The Bugtraq article by metlin · · Score: 1, Redundant

    Slashdot's filters SUCK like HELL.

    I've been trying to post the Bugtraq's version of this bug, and all I keep getting is Your comment has too few characters per line.

    Internet Security Systems Security Alert May 21, 2002 - Microsoft SQL Spida Worm Propagation
    Synopsis:
    ISS X-Force has learned of a worm that is spreading via Microsoft SQL
    servers. The Spida worm is responsible for large amounts of Internet traffic as well as millions of TCP/IP probes at the time of this alert's publication. This worm attempts to locate and login to MS/SQL servers with the "sa" account and a blank password. Once a vulnerable computer is found, the worm will infect that target, send its configuration and password information to an external host, and begin scanning for new targets.

    Impact:
    Although the Spida worm is not destructive to the infected host, it may generate a damaging level of network traffic when it scans for additional targets. The scanner bundled with the worm is multi-threaded and is capable of scanning with 100 threads. A large amount of network traffic is created by the worm, which scans both internal and external IP addresses for vulnerable servers.

    Description:
    The Spida worm propagates via Microsoft SQL installations with administrator accounts that have no passwords defined. Although Microsoft recommends that the "sa" account be set upon installation, many servers are not properly secured. If the worm finds a vulnerable
    server, it will attempt to execute its startup script by running the "xp_cmdshell" function, which is the SQL call used to execute system
    commands within SQL queries.

    The main function of the Spida worm is to export an infected server's SAM password database and forward information about its network and
    database configuration.

    The worm installs all of its files into the \Windows\system32 directory except for services.exe, which is installed into the
    \Windows\system32\drivers directory. Each of these files has a distinct function which is outlined below:

    sqlprocess.js - This is the worm's main payload. It holds IP address arrays which are later used in the services.exe scanner. It executes
    "ipconfig /all" and appends this information to send.txt. This script then runs sqldir.js and appends all of the server's database
    information to send.txt. It then executes pwdump2 and appends the password hashes to send.txt, then runs clemail.exe and mails send.txt to ixltd@postone.com.
    After the email is sent, send.txt is destroyed and services.exe is run to scan for other vulnerable servers. This information is appended to rdata.txt, which the worm uses to attempt to propagate with the username "sa" and a null password. The sqlprocess.js file sets the registry value dbmssocn to configure the SQL server to use the Winsock TCP/IP library
    instead of the default DBNETLIB library:
    (HKLM\\software\\microsoft\\mssqlserver\ \client\\c onnectto\\dsquery).
    It also turns on the NetDDE service, allowing SQL to use the DDE protocol.

    sqlexec.js - This is a script used by sqlprocess.js to execute xp_cmdshell. sqlinstall.bat is run within this instance of xp_cmdshell.

    sqldir.js - Collects a list of databases on the infected system. Later, sqlprocess.js writes this information in send.txt to send to ixltd@postone.com.

    run.js - This script passes time information to and from timer.dll.

    sqlinstall.bat - Installs the worm then hides the files.

    clemail.exe - Simple mail program used to email out the send.txt file.

    services.exe - Scanner used by the worm to scan for other SQL servers
    on
    port 1433. This information is appended into the rdata.txt file. This file is multi-threaded and scans internal IP addresses before performing
    an external IP address sweep.

    pwdump2.exe - Injects samdump.dll into lsass.exe (a Windows program
    that
    performs the authentication of log-on credentials) in order to grab raw NTpassword hashes.

    samdump.dll - Uses the same API that msv1_0.dll uses to capture Windows password hashes.

    timer.dll - A counter used for installation and other functionality of the worm.

    Recommendations:

    Microsoft SQL Server customers should refer to the following address for information and securing Microsoft SQL Server:
    http://www.microsoft.com/sql/techinfo/adm inistrati on/2000/security.asp.

    ISS Database Scanner product implemented a check for a blank administrator password in December of 1998. Database Scanner customers are encouraged to enable this check if they have not done so. For more information, refer to:
    http://www.iss.net/products_services/enterpri se_pr otection/vulnerability
    _assessment/scanner_databa se.php

    ISS RealSecure Network Sensor customers may use the following connection event to detect access attempts to the SQL Server port. Follow the
    instructions below to apply the connection event to your policy. This connection event will detect legitimate connection attempts to MS/SQL
    servers.
    1. Choose a policy you want to use, and click Customize.
    2. Select the Connection Events tab.
    3. Click Add on the right hand side of the dialog box.
    4. Create a Connection Event.
    5. Type in a name of the event, such as "MS/SQL Port Probe".
    6. In the Response field for the event, select the responses you want
    to
    use.
    In the Protocol field, select TCP.
    In the Dest Port/Type field click the pull down box and create an entry
    for TCP port 1433:
    a. Click Add.
    b. Select TCP Protocol.
    c .Name the service "MS/SQL Port Probe".
    d. Use 1433 for the port number.
    e. Click OK.
    f. Select the entry just created.
    7. Save changes and close the window.
    8. Click Apply to Sensor or Apply to Engine depending on the version of
    RealSecure.

    To create a user-defined event RealSecure Server Sensor:
    1. Open the desired policy.
    2. Expand the Connections tree on the Protect view.
    3. Expand the User Defined Suspect Connections branch.
    4. Click Add to add a new User Defined Suspect Connections event
    5. Name the event, SQL_Connection.
    6. Select the desired responses under the response column.
    7. Enter "1433" under the port column.
    8. Save the Policy and apply it to the sensor.

    ISS BlackICE customers should monitor and/or enable the "SQL Port
    Probe"
    event. This event will detect probes by the Spida worm.

    ISS X-Force will provide assessment support for this vulnerability in
    an
    upcoming X-Press Update for Internet Scanner.

    ______

    About Internet Security Systems (ISS)
    Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
    pioneer and world leader in software and services that protect critical
    online resources from an ever-changing spectrum of threats and misuse.
    Internet Security Systems is headquartered in Atlanta, GA, with
    additional operations throughout the Americas, Asia, Australia, Europe
    and the Middle East.

    Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved
    worldwide.

    Permission is hereby granted for the electronic redistribution of this
    document. It is not to be edited or altered in any way without the
    express written consent of the Internet Security Systems X-Force. If
    you
    wish to reprint the whole or any part of this document in any other
    medium excluding electronic media, please email xforce@iss.net for
    permission.

    Disclaimer: The information within this paper may change without notice.
    Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard
    to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet
    Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

    Please send suggestions, updates, and comments to: X-Force
    xforce@iss.net of Internet Security Systems, Inc.