New "SQLsnake" Microsoft Worm
sevenn writes "A new worm, targeting the Microsoft SQL daemon, has been sweeping the net. It uses massive scanning, default passwords, exploits against vulnerable versions and even attempts to brute force passwords.
Here is the (vague) Microsoft bulletin, the SANS analysis, and a securityfocus article"
Already over a thousand compromised systems; you're apparently only vulnerable if you run MS SQL, but the worm is causing a substantial spike in traffic to port 1433 on the net.
McAfee's description. The AV vendors are calling it Spida, instead of snake.
Symantec has produced a more informative bulletin; however, they have entitled the worm "Digispid" as opposed to SQLsnake.
Do you like German cars?
Perhaps there just isn't good documentation on this, but this issue wouldn't be a problem if the SQL Server databases were properly installed and maintained.
First of all, a DB should never be outside a firewall. It's not necessary.
Second of all, this issue is aided by databases installed with blank admin passwords.
I don't know how you solve this. You can't prevent people from installing software. I guess Microsoft's new MBSA will point out the blank password issue and any patches missing, but...
This one isn't $M bashing! It's STUPID SYSTEM ADMINISTRATOR/STUPID DBA bashing.
Microsoft is semi-innocent on this one.
NOTE: They make their products so even a stupid administrator can install it, and this worm is proof of that!
I take no responsibility for what I say. Even though I'm never wrong
Many exploitable holes such as these can be attributed in part to the management mentality that one or two over-worked, under trained "computer people" can handle professional system/network administration.
Frequently SysAdmins started their jobs in another field, like Engineering, and were sort of migrated over. Little formal training was given, let alone budget for. Most smaller (sub-Fortune 500) operations were more of a congealed mass than a designed network.
Then, when the LAN wasn't hooked to the Internet, some poor schmuck installed MS BackOffice and wanted to install SMS Server, and it told him he had to install SQL Server. A couple of quick clicks and you're done. Odds are, he clicked thru the admin password not thinking he'd EVER touch MS SQL other than as a backend for SMS.
Pity the new admin who inherits such a setup. You think a new admin is given time to actually check a network configuration out, much less do a proper security, performance, license audit? Nope. Get in and tell me why Outlook is saying my deleted folder is empty. I haven't emptied it since 1998 and everything was always there before when I needed it!
Stupid worms/viruses/exploits will prevail until the MENTALITY of management changes. Computers run most modern business, they are not an afterthought. The people that take care of them should be properly trained, with proper budgets. Periodic PM (preventative maintenance) needs to be allowed, scheduled and performed.
I feel pity for the admins who have to deal with these worms. I feel nothing but contempt for the management process that let them get in this position.
Learning HOW to think is more important than learning WHAT to think.
Along comes e-mail, the Internet, databases, web sites, etc. Joe Enthusiastic runs into the President's office and says, "Mr. Smith! I have found a great new way to communicate with our customers!". Mr. Smith, though he is 90 years old, takes a look and says, "Yeah, that looks interesting. Buy one and set it up".
So the company buys one (database server, e-mail server, web site, etc.) and sets it up according to the skimpy directions in the box. It works for a while, then blows up, seriously damaging the business.
NOW the company is told, oh, you should have known. You should have known the instructions in the box were incomplete and dangerous. You should have known you needed an 80k/year DBA to use that. You should have known the product was dangerous. You should have known...
Sorry. I am not buying it anymore. And I think the general business world isn't going to buy it much longer. Either the Internet will be abandoned, or there will be heavy, heavy government regulation of who can connect and how. Sort of like the phone company in the 1950's.
My 0.02 anyway.
sPh
First of all, if you attempt to set a blank admin password for SQL Server it gives you a warning that doing so is a very bad idea. None the less, you'd be surprised at how many are blank (or just use sa/sa). The article makes it sound like the default sa password is blank - this is NOT the case. Also, although you cannot disable the sa account, you can rename it during setup.
Secondly, as has already been pointed out here, your database server should not be exposed to the net in general. There is usually very little reason to do so. If you need to let other machines access the SQL box from abroad, create an IP Security filter that only allows port 1433 for a specific subnet or IP address.
Don't complain that you got rooted when your login is root/root.
Natural != (nontoxic || beneficial)
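The two operational points in this thread, the scanning spike on port 1433 described in the summary and the advice above to allow 1433 only from a specific subnet, can both be checked against a firewall connection log. The following is an added example, not code from the thread or from any vendor: it parses constructed log lines, flags sources that touch many distinct hosts on 1433 (the worm's scanning pattern), and flags accepted 1433 connections from outside an assumed permitted subnet (the filter is missing or wrong). The log format, addresses, subnet and threshold are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample firewall log: "src dst dport action" per line.
# Addresses are documentation ranges, not indicators from the thread.
SAMPLE_LOG = """\
198.51.100.7 203.0.113.10 1433 ACCEPT
198.51.100.7 203.0.113.11 1433 ACCEPT
198.51.100.7 203.0.113.12 1433 DROP
198.51.100.7 203.0.113.13 1433 DROP
198.51.100.7 203.0.113.14 1433 DROP
192.0.2.20 203.0.113.10 1433 ACCEPT
192.0.2.21 203.0.113.10 80 ACCEPT
203.0.113.55 203.0.113.10 1433 ACCEPT
"""

# Hypothetical policy from the advice above: only this subnet may reach 1433.
ALLOWED_SUBNET = ipaddress.ip_network("192.0.2.0/24")
SQL_PORT = 1433
SCAN_THRESHOLD = 3  # distinct 1433 targets from one source before we call it scanning


def parse_log(text):
    """Parse 'src dst dport action' lines into tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, dport, action = parts
        try:
            events.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                           int(dport), action))
        except ValueError:
            continue
    return events


def find_scanners(events, threshold=SCAN_THRESHOLD):
    """Sources probing >= threshold distinct hosts on 1433, whether accepted or dropped."""
    targets = defaultdict(set)
    for src, dst, dport, _ in events:
        if dport == SQL_PORT:
            targets[src].add(dst)
    return sorted(str(s) for s, t in targets.items() if len(t) >= threshold)


def find_policy_violations(events, allowed=ALLOWED_SUBNET):
    """Accepted 1433 connections from outside the permitted subnet."""
    return sorted({str(src) for src, _, dport, action in events
                   if dport == SQL_PORT and action == "ACCEPT" and src not in allowed})
```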
A massive "unlocked door" worm has been ravaging users of Schlage locks. Apparently hackers have been breaking into houses with Schlage locks installed. 9 out of 10 users were found to have installed the locks but never engaged the locking mechanism, and many times had left the key in the knob.
If they need to haul stuff, they buy a truck. If they want to stay in business, they don't leave the keys in it and the windows down while it's parked somewhere in public.
If they need to make copies, they buy a copy machine. If they need machine tools, they buy them. They also tend to keep these things in locked rooms so joe public can't walk in and trash them.
If they buy computer systems, they leave the passwords blank and expect people to not use them. That's not bad programming, it's stupid users.
http://online.securityfocus.com/archive/1/273029
It's not just stupid users. Somebody chose this machine for the business and it's something that they NEED in order to function. Not only that, they may not have a (practical) way to keep it secure when you look at how the machine is really used. I'd suggest reading the entire thread, because there are more juicy details into the security problems and politics associated with big machines like these.