'SQLsnake' Worm Blamed For Spike In Port 1433 Scans

[Absolut]

Thought this was interesting as this hole has been known for roughly a week or two, yet almost 2,000 systems are infected. People need to start reading up about security patches and updates and make sure a password is set for EVERY account on the system to prevent stuff like this. It was only a matter of time..

Story that follows is form Newsbytes....

--------------------------------------------------------------------------------

'SQLsnake' Worm Blamed For Spike In Port 1433 Scans

By Brian McWilliams, Newsbytes
SAN MATEO, CALIFORNIA, U.S.A.,
21 May 2002, 11:04 AM CST



A mounting trail of evidence has security experts warning that a new Internet worm targeting Microsoft SQL servers could be on the loose.
Since Monday, a sharp spike in remote probes of TCP port 1433, which commonly is used by Microsoft's SQL database, has been reported by many server administrators, according to SecurityFocus, which operates an incident-reporting system called ARIS.

Officials at the SANS Institute, a computer security education and analysis organization, also reported today that they have received "exploit code" that indicates the increase in port 1433 scans may be due to a self-propagating worm rather than to manual probes by would-be attackers.

According to SANS incident handler Johannes Ullrich, a preliminary analysis shows the code, which has been dubbed "SQLsnake," attempts to log in to the SQL administrator's account on a remote server using a "brute force" password cracker.

Once the worm, which is written in JavaScript, has gained SQL administrator access, its author has the ability to execute SQL commands, which include reading and writing files, as well as executing code, SANS said.

The SQLsnake code also appears to e-mail a list of passwords captured from the victim server to a free e-mail account hosted in Singapore.

As of this morning, more than 1,400 systems appear to have been compromised by the worm and are actively probing other servers, according to statistics compiled by SANS.

Potentially infected hosts are spread geographically, with the majority located in Korea, the United States, Canada, France, Taiwan and China, SecurityFocus reported yesterday.

According to SecurityFocus vice president of engineering Alfred Huger, intrusion detection reports suggest the potential worm is specifically targeting Microsoft SQL systems without proper password protection.

Many Microsoft SQL administrators fail to set a strong password for the system account, which by default has a "null" or non-existent password, SecurityFocus warned yesterday in an alert to ARIS users.

Last month, Microsoft issued a patch for a buffer-overflow flaw in its SQL Server version 7 and version 2000. According to Huger, there is no indication so far that the potential worm is targeting that vulnerability.

Earlier this year, Microsoft advised customers that a worm, which was given the name "Voyager Alpha Force," was scanning the Internet for Microsoft SQL servers and attempting to log into administrator accounts that lacked passwords.

To prevent the spread of SQLsnake, security experts advised system administrators to block traffic to port 1433 at the perimeter of their network, and to ensure that all Microsoft SQL servers are patched and properly password-protected.

Microsoft SQL is the most popular Web database, with 68 percent market share, according to Microsoft.

The SANS analysis of SQLsnake is at http://www.incidents.org/diary/diary.php?id_6 .

SecurityFocus is at http://www.securityfocus.com .

Reported by Newsbytes, http://www.newsbytes.com .

11:04 CST
Reposted 13:01 CST

(20020521/WIRES TOP, ONLINE, TELECOM, BUSINESS, PC/WORM/PHOTO)

[smirc]

More on the worm:

Worm hits SQL servers
Staff writers
MAY 22, 2002

A new worm has infected thousands of servers running Microsoft SQL server.

The worm, known as Spida Worm, js.spida.b.worm, Double Tap and SQLSnake, searches for access the databases via the default system administrator login, and then forwards database configuration information and the password database to an email address.
As well as its security violations, it can create a huge traffic burden by running up to 100 scans simultaneously, for both local and remote hosts.

Security software vendor ISS X-Force, which issued an alert on the worm, said it was responsible for millions of port scans on the internet so far, and incidents.org reports scans of the 1433 port, which the worm probes, had jumped dramatically since Monday.

The worm installs several files, including files named sqlprocess.js, sqlexec.js, and clemail.exe, into the Windowssystem32 directory.

Original article can be found here.

[xmaddness]

A bit more from today's sans update


SANS Alert! A Worm Is Attacking Microsoft SQL Server 7 Users
Microsoft shipped SQL Server 7 so it was automatically configured to
run without an administrator password. If you are running SQL Server
7, and are connected to the Internet, set an administrator password
right away to block the new worm. If the worm infects your system, it
will steal your account and password file, and force your machine to
scan for additional targets using as many as 100 threads. The attacker
can use the stolen account names and passwords to log back in and steal
other private data. Thousands of systems have already been taken over.
http://www.vnunet.com/News/1131940
http://www.reuters.com/news_article....StoryID=991291

[Absolut]

For any machines that get hit with this virus.. they need a new Administrator. I mean the patch was released in late APRIL!!!!.. And even my grandmother knows not to leave an account with a blank password.. It's only asking for trouble.