Slashdot Mirror


New "SQLsnake" Microsoft Worm

sevenn writes "A new worm, targeting the Microsoft SQL daemon, has been sweeping the net. It uses massive scanning, default passwords, exploits against vulnerable versions and even attempts to brute force passwords. Here is the (vague) Microsoft bulletin, the SANS analysis, and a securityfocus article" Already over a thousand compromised systems; you're apparently only vulnerable if you run MS SQL, but the worm is causing a substantial spike in traffic to port 1433 on the net.
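The summary describes the worm's "massive scanning" and the resulting spike in traffic to port 1433. As an added example (not part of the Slashdot story or any of the linked analyses), here is a small Python detector that runs over constructed connection-log lines and flags a source that touches many distinct hosts on TCP/1433 within a short window, plus a per-minute count that would show the spike; the log line layout is an assumption, not any vendor's format.

```python
"""Flag hosts scanning TCP/1433 (MS SQL) from constructed connection logs."""
from collections import defaultdict
from datetime import datetime

# Constructed sample in the form "timestamp src_ip dst_ip dst_port".
# 10.0.0.5 walks six SQL hosts in five seconds; 10.0.0.7 is a normal client.
SAMPLE_LOG = """\
2002-05-21T10:00:00 10.0.0.5 192.0.2.10 1433
2002-05-21T10:00:01 10.0.0.5 192.0.2.11 1433
2002-05-21T10:00:01 10.0.0.5 192.0.2.12 1433
2002-05-21T10:00:02 10.0.0.5 192.0.2.13 1433
2002-05-21T10:00:03 10.0.0.5 192.0.2.14 1433
2002-05-21T10:00:04 10.0.0.5 192.0.2.15 1433
2002-05-21T10:00:10 10.0.0.7 192.0.2.10 1433
2002-05-21T10:00:15 10.0.0.7 192.0.2.10 1433
2002-05-21T10:00:20 10.0.0.9 192.0.2.20 80
2002-05-21T10:05:00 10.0.0.5 192.0.2.30 1433
"""

SQL_PORT = 1433


def parse_line(line):
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_scanners(log_text, window_s=60, min_targets=5, port=SQL_PORT):
    """Return {src: max distinct dst hosts hit on `port` inside any window_s span}
    for sources reaching min_targets. Sliding window over time-sorted events."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    per_src = defaultdict(list)
    for ts, src, dst, p in events:
        if p == port:
            per_src[src].append((ts, dst))
    scanners = {}
    for src, hits in per_src.items():
        best, lo = 0, 0
        for hi in range(len(hits)):
            # Drop events older than the window relative to the newest one.
            while (hits[hi][0] - hits[lo][0]).total_seconds() > window_s:
                lo += 1
            best = max(best, len({d for _, d in hits[lo:hi + 1]}))
        if best >= min_targets:
            scanners[src] = best
    return scanners


def connections_per_minute(log_text, port=SQL_PORT):
    """Count connections to `port` per minute; a worm shows up as a sudden jump."""
    counts = defaultdict(int)
    for l in log_text.splitlines():
        if l.strip():
            ts, _, _, p = parse_line(l)
            if p == port:
                counts[ts.strftime("%Y-%m-%dT%H:%M")] += 1
    return dict(counts)


if __name__ == "__main__":
    print("scanners:", find_scanners(SAMPLE_LOG))
    print("per minute:", connections_per_minute(SAMPLE_LOG))
```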

27 of 316 comments

  1. McAfee by Triskaidekaphobia · · Score: 5, Informative

    McAfee's description. The AV vendors are calling it Spida, instead of snake.

    1. Re:McAfee by morgajel · · Score: 4, Funny

      is that like gangsta?

      "chillin in the hood with the SQLSpida..."

      --
      Looking for Book Reviews? Check out Literary Escapism.
  2. Thousand compromised? by WildBeast · · Score: 3, Informative

    Who needs MS SQL Server? Are you telling me that thousands of companies with a load of data are installing SQL Server without having a database admin to do the work? Sweet, they deserve what they get. What kind of people install SQL Server without putting a password for the SA account? Apparently, plenty :)

    Long live human stupidity.

    1. Re:Thousand compromised? by Foochar · · Score: 4, Informative

      Keep in mind that Access XP includes a desktop version of SQL server that I believe is installed by default. Microsoft is trying to move away from the Jet engine that Access is based on and towards using SQL for all databases, both large and small. I'm sure that some of the thousands of infected systems are desktop systems.

      There are also plenty of business apps that run on top of SQL server. The program's installer takes care of setting up the SQL server with little to no knowledge or intervention required on the user's part.

      --
      "You can't fight in here! This is the war room" --Dr. Stra
    2. Re:Thousand compromised? by Lumpy · · Score: 3, Insightful

      Yes it is highly standard practice to have an SQL server and no one in the building that has a clue to run it let alone what it is. The vendor of some "critical" app usually installs it (from a copy the vendor has on hand) and advises the customer.. "you need to buy MS SQL server to be legal".. well we know where that goes.... (50% ignore them and never even think of buying it, the other 50% look for it, see the price and then crap their pants, deciding not to buy the overpriced product)

      so yes, it is very common. and it will remain very common as long as there are software vendors making SQL based apps and NOT including a legal copy of SQL server, and a SQL maintenance contract in the price of the product.

      --
      Do not look at laser with remaining good eye.
    3. Re:Thousand compromised? by sphealey · · Score: 5, Insightful

      Are you telling me that thousands of companies with a load of data are installing SQL Server without having a database admin to do the work? Sweet, they deserve what they get. What kind of people install SQL Server without putting a password for the SA account? Apparently, plenty :)

      This is a typical Slashdot response, but I don't think most businesspeople would agree. Without in any way excusing Microsoft for their security practices, it may occur to you that 90% or more of businesses exist to do something other than IT functions. They need transportation, they go out and buy a truck. They need a machine tool, they go out and buy one. They need a copy machine, they have one installed. Although some of these tools can certainly be dangerous, there is a basic expectation that when buying, say, a machine tool (a) it will more or less do what it says it will do (b) it won't suddenly explode and destroy an entire city block.

      Along comes e-mail, the Internet, databases, web sites, etc. Joe Enthusiastic runs into the President's office and says, "Mr. Smith! I have found a great new way to communicate with our customers!". Mr. Smith, though he is 90 years old, takes a look and says, "Yeah, that looks interesting. Buy one and set it up".

      So the company buys one (database server, e-mail server, web site, etc.) and sets it up according to the skimpy directions in the box. It works for a while, then blows up, seriously damaging the business.

      NOW the company is told, oh, you should have known. You should have known the instructions in the box were incomplete and dangerous. You should have known you needed an 80k/year DBA to use that. You should have known the product was dangerous. You should have known...

      Sorry. I am not buying it anymore. And I think the general business world isn't going to buy it much longer. Either the Internet will be abandoned, or there will be heavy, heavy government regulation of who can connect and how. Sort of like the phone company in the 1950's.

      My 0.02 anyway.

      sPh

    4. Re:Thousand compromised? by RocketScientist · · Score: 5, Insightful

      If they need to haul stuff, they buy a truck. If they want to stay in business, they don't leave the keys in it and the windows down while it's parked somewhere in public.

      If they need to make copies, they buy a copy machine. If they need machine tools, they buy them. They also tend to keep these things in locked rooms so joe public can't walk in and trash them.

      If they buy computer systems, they leave the passwords blank and expect people to not use them. That's not bad programming, it's stupid users.

    5. Re:Thousand compromised? by wik · · Score: 5, Interesting

      It's not just stupid users. Maybe they buy a copy machine like the Xerox DocuTech. It's a powerful high-end copier. It's also not just a copy machine. It has an NT box and a Sparc running Solaris built into it. It also comes out of the manufacturer, wide open with security holes, trivial passwords and unpatched software. If you try to patch them and then ever have a service issue (don't tell me that things don't break), Xerox will gladly reinstall all of the loaded software. Bye bye, patches and passwords.

      http://online.securityfocus.com/archive/1/273029

      It's not just stupid users. Somebody chose this machine for the business and it's something that they NEED in order to function. Not only that, they may not have a (practical) way to keep it secure when you look at how the machine is really used. I'd suggest reading the entire thread, because there are more juicy details into the security problems and politics associated with big machines like these.

      --
      / \
      \ / ASCII ribbon campaign for peace
      x
      / \
    6. Re:Thousand compromised? by BasharTeg · · Score: 3, Insightful

      You know what? Your post was brilliant and absolutely correct every step of that way, until you threw in that conclusion. Geez. What a way to ruin a great post.

      "Either the Internet will be abandoned, or there will be heavy, heavy government regulation of who can connect and how."

      That's just silly.

      The number of businesses that rely on the internet to survive, dollar-wise, now far outweighs the number of businesses who are as fed up as you claim. What will happen is that people will make more solid state type servers. Email servers in firmware style setups will be common. Look at Network Attached Storage. What else is that, except a firmwared File Server? Same thing with JetDirect Print Hubs. Beats having to actually run a print server.

      THAT is how the industry will respond to the problem you so nicely described.

  3. Digispid/SQLsnake by Scoria · · Score: 5, Informative

    Symantec has produced a more informative bulletin; however, they have entitled the worm "Digispid" as opposed to SQLsnake.

    --
    Do you like German cars?
  4. Databases shouldn't be outside the firewall by sheldon · · Score: 5, Insightful

    Perhaps there just isn't good documentation on this, but this issue wouldn't be a problem if the SQL Server databases were properly installed and maintained.

    First of all, a DB should never be outside a firewall. It's not necessary.

    Second of all, this issue is aided by databases installed with blank admin passwords.

    I don't know how you solve this. You can't prevent people from installing software. I guess Microsoft's new MBSA will point out the blank password issue and any patches missing, but...

    1. Re:Databases shouldn't be outside the firewall by ColdCuts · · Score: 5, Informative

      One of the things incidents.org points out (http://www.incidents.org/diary/diary.php?id=156) is that some Microsoft products have SQL Server included as a hidden or optional install. Access 2000, Visio, even Visual Studio 6 had an option for installing MSDE. If installed, no password is set for the account.

  5. Re:Only attacks blank sa passwords by linuxrunner · · Score: 3, Insightful

    I'm sorry.. but according to the topic post it said:

    and even attempts to brute force passwords.

    So either you're telling me, the writer lied... OR... it doesn't just attack blank passwords... so which is it?

    --
    www.slightlycrewed.com - Because aren't we all?
  6. two versions out by martin · · Score: 3, Informative

    According to Sophos (www.sophos.com) there are two versions out.

    the first one just attempts the 'default' null passwd and 'sa' username (the administrator).

    The second tries a brute force attack on the passwd.

    So no change from trying to telnet into a *nix box as root then....

  7. Re:Another round of M$ bashing by wizkid · · Score: 5, Insightful

    This one isn't $M bashing! It's STUPID SYSTEM ADMINISTRATOR/STUPID DBA bashing.

    Microsoft is semi-innocent on this one.

    NOTE: They make their products so even a stupid administrator can install it, and this worm is proof of that!

    --
    I take no responsibility for what I say. Even though I'm never wrong :)
  8. Microsofted by MongooseCN · · Score: 3, Funny

    I'm waiting for the day when people stop saying "We got another worm." and start saying "We just got Microsofted again".

    1. Re:Microsofted by jc42 · · Score: 3, Funny

      I think the term is "Microshafted".

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  9. Reflection on Priorities by chill · · Score: 5, Insightful

    Many exploitable holes such as these can be attributed in part to the management mentality that one or two over-worked, undertrained "computer people" can handle professional system/network administration.

    Frequently SysAdmins started their jobs in another field, like Engineering, and were sort of migrated over. Little formal training was given, let alone budget for. Most smaller (sub-Fortune 500) operations were more of a congealed mass than a designed network.

    Then, when the LAN wasn't hooked to the Internet, and some poor schmuck installed MS BackOffice and wanted to install SMS Server, it told him he had to install SQL Server. A couple of quick clicks and you're done. Odds are, he clicked through the admin password not thinking he'd EVER touch MS SQL other than as a backend for SMS.

    Pity the new admin who inherits such a setup. You think a new admin is given time to actually check a network configuration out, much less do a proper security, performance, license audit? Nope. Get in and tell me why Outlook is saying my deleted folder is empty. I haven't emptied it since 1998 and everything was always there before when I needed it!

    Stupid worms/viruses/exploits will prevail until the MENTALITY of management changes. Computers run most modern business, they are not an afterthought. The people that take care of them should be properly trained, with proper budgets. Periodic PM (preventative maintenance) needs to be allowed, scheduled and performed.

    I feel pity for the admins who have to deal with these worms. I feel nothing but contempt for the management process that let them get in this position.

    --
    Learning HOW to think is more important than learning WHAT to think.
  10. Default passwords and servers exposed by rabtech · · Score: 5, Redundant

    First of all, if you attempt to set a blank admin password for SQL Server it gives you a warning that doing so is a very bad idea. Nonetheless, you'd be surprised at how many are blank (or just use sa/sa). The article makes it sound like the default sa password is blank - this is NOT the case. Also, although you cannot disable the sa account, you can rename it during setup.

    Secondly, as has already been pointed out here, your database server should not be exposed to the net in general. There is usually very little reason to do so. If you need to let other machines access the SQL box from abroad, create an IP Security filter that only allows port 1433 for a specific subnet or ip address.

    Don't complain that you got rooted when your login is root/root.

    --
    Natural != (nontoxic || beneficial)
  11. In Other News by Diamon · · Score: 5, Funny

    A massive "unlocked door" worm has been ravaging users of Schlage locks. Apparently hackers have been breaking into houses with Schlage locks installed. 9 out of 10 users were found to have installed the locks but never engaged the locking mechanism, and many times had left the key in the knob.

    1. Re:In Other News by White+Roses · · Score: 3, Interesting

      Good point. I do actually think that a lot of clueless admins ought to be flogged with cat-5 until they wake up and close the door.

      On the other hand, you know when you've put a Schlage on your door. You can see it, it's "well documented," and it's obvious how you lock it down. Too much MS software isn't well documented, it's not obvious how you lock it down, and the most egregious point is that you might not be able to tell (easily) if it's been installed.

      Both are left unlocked by default after installation, though, so I can't point that out. But I think that MS is more like installing 100 locks on your door, some which are locked and some which aren't, some with keys and some without, and nothing to tell you which is which.

      --
      Do not touch -Willie
  12. Why this one is especially dangerous by Nintendork · · Score: 4, Insightful

    The bulletin MS02-020 was just released about a month ago. Only the admins that place a top priority on patches (such as myself) are safe.

    I supported NT server for MS for over a year and can attest to the number of admins out there that rely too heavily on anti-virus software. When nimda spread and took over a buttload of systems, it was for this very reason. The thing spread before it could be researched and DAT files updated.

    Here's some solid advice for NT/2000/XP/.NET admins:

    • Use the hfnetchk tool to monitor all NT based computers on your network for installed patches using the syntax hfnetchk -h host1,host2,host3 -v -z -s 1. It will also check for SQL, I.E., and IIS patches. Other products such as Office will have to be checked manually. At least Office has the officeupdate web site for easy installation that the users can do.
    • Block email attachments with extensions that viruses use.
    • Have anti-virus software installed that checks every 2 or 3 hours for updates.
    • Have a properly configured firewall (Blocks well known attacks) in place that only allows incoming session requests for what services are to be made available to the Internet.
    • Lock down any services that are open to the Internet.
    • Have strong passwords for all admin accounts (At least 10 random characters) and create a new one for each admin account once every few months. Same thing goes for any account that can authenticate in any way from the Internet (8 characters and changing every 6 months or so should be okay).
    • If domain authentication is going to be provided to the Internet for some stupid reason, hack the registry so only NTLM v2 is used.
    • Configure all windows computers to use the Peer-Peer node type 0x2.
    • Use switches instead of hubs to prevent eavesdropping and assign MAC addresses to ports for your servers to avoid MAC address spoofing.

    Most of these things are a one time setup. The ones that require maintenance are worth the trouble.

  13. Re:The Bugtraq article by jamie · · Score: 3, Informative

    "Slashdot's filters SUCK like HELL."

    Maybe you don't really want to post a huge comment that will require readers to click through anyway (it's too big to display at once).

    How about posting a link to the ISS Alert instead? Is that so hard?

  14. another security measure... by quark2universe · · Score: 3, Insightful

    is to put SQL Server on a port other than 1433. Of course for an existing installation, this could be a major change. But if you're setting up a new SQL Server, use another port. This is assuming you are using SQL Server and not another superior database product (like Oracle).

    --

    Believe in things of which no person has ever learned
  15. Re:Lazy admins again. by Error27 · · Score: 3, Informative

    Remember the Red Hat Piranha bug a couple years ago where there was a default password?

    That default password existed--in beta software--for two weeks before it was found. Slashdot was up in arms about it. Alan Cox personally apologized for letting the default password slip by his check.

    I believe that slashdot was correct to get upset about Piranha. I think any vendor who distributes software with default passwords deserves the same.

  16. Oh yeah... I see that one happening! by tommck · · Score: 3, Funny

    Either the Internet will be abandoned, or ...


    Well, I'll just wait here for that...


    *sharp intake of breath*
    ...
    *fires up his Flux Capacitor-powered Internet Users Counter (tm)*
    [number = 15 bazillion]
    *waits*
    [number = 16 bazillion]
    *waits*
    *getting faint. Can't see very well*
    "don't these people realize ... should ... force ... secure passw... in SQL Server!?"
    [number = 18 bazillion]
    *turns purple*
    "Must... abandon ... Internet!"
    [number = 20 bazillion]
    *passes out*
    [number = 25 bazillion]
    [number = 37 bazillion]
    [number = 46 bazillion]
    ....

    --
    ---- It puts the lotion on its skin or else it gets the hose again. It does this whenever it's told.
  17. Some basic thoughts on securing SQL. by blowdart · · Score: 4, Informative

    I've just mailed this to a couple of security lists I take part in. Posting here seems like a good idea (although now, of course, I am outed as a SQL Server user)

    Please feel free to forward these recommendations to any other lists as you see fit. However, as with all system changes, things can go wrong. Make sure you have backups. I take no responsibility if your SQL server dies. Or if the sun fails to come up :)

    • The automated MS baseline security tool checks for blank sa passwords.
    • You can safely (well, ish) drop the xp_cmdshell stored procedure from your servers. There's very little valid use for this (smug mode - I had mentioned this in a presentation to SQL-PASS 2 years ago!) This can kill some things, like BCP. Don't hold me responsible if something stops working :)
      use master
      exec sp_dropextendedproc 'xp_cmdshell'
    • Don't run mixed mode security if you can help it. MSDN has details.
    • You can of course, change the port SQL listens on. Not ideal, but for those that want a wide open to the world SQL database, it's an option. (Run the Server Network Utilities program on the server, and choose properties for TCP/IP - don't forget to tell the client machines the new port)
    • I want to restate - SQL does not log logins (failed or otherwise) by default. Turn it on. (Enterprise manager, right click your server, choose Properties, then the security tab. Login events go to the Application log.)
    • From what I see the worm adds a password to guest and moves it into the admin groups. It's done using the username, not a SID, so renaming your guest accounts would stop this. Always a good idea to enforce this at a domain policy level.
    • You may also wish to consider dropping the ActiveX stored procedures. Do you want/need sa to be able to create ActiveX objects?

      sp_OACreate sp_OADestroy sp_OAGetErrorInfo sp_OAGetProperty sp_OAMethod sp_OASetProperty sp_OAStop

      The same goes for registry sps

      xp_regaddmultistring xp_regdeletekey xp_regdeletevalue xp_regenumvalues xp_regremovemultistring

    • Check the login tables for null passwords (mixed mode). Run the following SQL

      use master
      select name, Password
      from syslogins
      where password is null
      order by name

    • Use a low access user account for SQL Server service not LocalSystem or Administrator. This account should only have minimal rights (Run as a Service Right IS required). If you use Enterprise Manager to make this change, the ACLs on files, the registry, and user rights are done for you.
    • Check the other extended stored procedures, delete as you see fit.
    • Don't run SQLMail unless you have to.
    • Don't use TCP/IP as a network protocol unless you have to.

    Finally, MS have released a bulletin
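Once login auditing is switched on as the post above recommends, the Application log is where a brute-force run against sa (the second worm variant mentioned earlier in the thread) becomes visible. As an added example (not part of blowdart's post), here is a Python routine that reads constructed audit lines, flags a burst of failed logins for one account, and notes whether a successful login followed the burst; the "timestamp message" layout is an assumption and not a real export format, only the message wording mirrors SQL Server's audit text.

```python
"""Spot sa brute-force bursts and follow-on success in SQL Server login-audit lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample; layout is assumed, message text mirrors SQL Server's wording.
SAMPLE_AUDIT = """\
2002-05-21 10:00:00 Login failed for user 'sa'.
2002-05-21 10:00:01 Login failed for user 'sa'.
2002-05-21 10:00:01 Login failed for user 'sa'.
2002-05-21 10:00:02 Login failed for user 'sa'.
2002-05-21 10:00:02 Login failed for user 'sa'.
2002-05-21 10:00:03 Login succeeded for user 'sa'. Connection: Non-Trusted.
2002-05-21 10:30:00 Login failed for user 'webapp'.
2002-05-21 11:00:00 Login succeeded for user 'webapp'. Connection: Non-Trusted.
"""

LINE_RE = re.compile(r"^(\S+ \S+) Login (failed|succeeded) for user '([^']*)'")


def parse_audit(text):
    """Return [(timestamp, succeeded: bool, user)] for every line that parses."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2) == "succeeded", m.group(3)))
    return events


def detect_bruteforce(text, window=timedelta(seconds=60), threshold=5):
    """Return {user: {"failures": n, "followed_by_success": bool}} for accounts
    with >= threshold failures inside `window`. A success shortly after such a
    burst is the strongest sign a guessed password worked."""
    by_user = defaultdict(list)
    for ts, ok, user in parse_audit(text):
        by_user[user].append((ts, ok))
    findings = {}
    for user, evs in by_user.items():
        evs.sort()
        fails = [ts for ts, ok in evs if not ok]
        lo = 0
        for hi in range(len(fails)):
            while fails[hi] - fails[lo] > window:   # slide the window start
                lo += 1
            count = hi - lo + 1
            if count >= threshold:
                burst_end = fails[hi]
                success_after = any(ok and burst_end <= ts <= burst_end + window
                                    for ts, ok in evs)
                f = findings.setdefault(user, {"failures": 0,
                                               "followed_by_success": False})
                f["failures"] = max(f["failures"], count)
                f["followed_by_success"] = f["followed_by_success"] or success_after
    return findings


if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_AUDIT))
```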