-
NEWS: SQL Worm
hey, I've been offline for a few days, so I'm putting up some news I found
pasted from here:------------
Wednesday 29th May 2002 11:59am from www.silicon.com
Virus warning: SQL worm trumps Nimda and Code Red
An internet worm that attacks Microsoft's SQL Server database has caused more attacks in the past week than last year's most notorious worms, Nimda and Code Red.
Security experts first warned of the problem last week. Since then the worm, also known as Spida, has attacked thousands of machines running Microsoft SQL Server.
The worm attacks port 1433, with more attacks on this port reported over the past week than port 80, which was the focus of the Nimda and Code Red attacks.
Internet security firm Dshield said port 1433 had received 56 per cent of computer attacks in the last five days compared with 11 per cent of attacks on port 80.
However, it also warned that this could be down to the cyclical nature of Code Red and Nimda which are currently in a dormant stage.
------
preep
-
?
is this really up-to-date info? wasn't there a SQL worm reported that used the same port a few weeks ago? or is this a new updated version?
-
I believe he/she is talking about the SQLsnake. The same one that was posted about last week...He/She is just a little late.
-
belive, just read my post, I never said snake, I pasted it from a source
-
I don't know what the hell your attitude is about... Your link goes nowhere. I didn't even read your post because I read all about it last week. Now I skimmed through it and it said Spida, which is another name for the SQLsnake. I was just clarifying for akb that it is the same one that he is thinking about.
Let me rephrase my post for you:
he/she is definitely talking about the SQLsnake (aka JS_SQLSpida.B, Hacktool.IPStealer, JS.Spida.B, JS/SQLSpida.b.worm, SQLSnake, SQLSpida, MS SQL Worm)
The same one that was posted about last week...He/She is just a little late.
Is that better?
-
k, I just felt a little attitude from you, that's all,
sorry man
preep
-
I was just letting the person know that the one he was thinking about and the one that you posted were the same thing. The first thing you said was that you were offline for a few days, so you couldn't have known that it was posted already; it's probably buried somewhere. Anyways I don't really care. As for you thinking I had an attitude... It's my personality, it was nothing towards you. I have an attitude towards life I guess... Now my second post, that was definitely attitude and I take it back now. My apologies, just a minor misunderstanding.
-
hmm, a SQL worm, never heard of one of those. What exactly does it do?... /me wasn't around for that post a few weeks ago. oh, and I can read, I know it attacks ports and **** but what does it mean by attacking?... like does it flood the port till the PCs crash?... send itself to every email it can find on the database?... info like that would be nice :)
-
lol no prob man, peace :) (I'm nowhere near a hippie)
ok emrys, I'll hunt it out
preep
-
The SQLSnake worm targets TCP port 1433, the default port used for Microsoft SQL Server traffic. The worm is non-destructive, but once it infects a machine it will e-mail configuration information as well as passwords to [email protected]. The configuration information could be used to stage an attack.
-
did you give me a red point for posting this?
-
ok, I got www.cert.org's results on it, latest and greatest now
http://www.cert.org/incident_notes/IN-2002-04.html
CERT® Incident Note IN-2002-04
The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.
Exploitation of Vulnerabilities in Microsoft SQL Server
Release Date: May 22, 2002
Last Updated: May 23, 2002
A complete revision history can be found at the end of this file.
Systems Affected
Systems running Microsoft SQL Server or Microsoft SQL Server 2000 installed with mixed mode security enabled
Systems running Microsoft Data Engine 1.0 (MSDE 1.0) or Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) installed with mixed mode security enabled
Systems running Tumbleweed's Secure Mail (MMS) versions 4.3, 4.5, and 4.6
Overview
The CERT/CC has received reports of systems being compromised through the automated exploitation of null or weak default sa passwords in Microsoft SQL Server and Microsoft Data Engine. This activity is accompanied by high volumes of scanning, and appears to be related to recently discovered self-propagating malicious code, referred to by various sources as Spida, SQLsnake, and Digispid.
I. Description
Reports received by the CERT/CC indicate that the Spida worm scans for systems listening on port 1433/tcp. Once connected, it attempts to use the xp_cmdshell utility to enable and set a password for the guest user.
If successful, the worm then
assigns the guest user to the local Administrator and Domain Admins groups
copies itself to the victim system
disables the guest account
sets the sa password to the same password as the guest account
executes the copy on the victim system
Once the local copy is executing on the victim system, the worm begins scanning for other systems to infect. It also attempts to send a copy of the local password (SAM) database, network configuration information, and other SQL server configuration information to a fixed email address ([email protected]) via email.
The attack used by the Spida worm is similar to that used by the Kaiten malicious code described in IN-2001-13. Additional information on null default sa passwords in Microsoft SQL Server can be found in VU#635463.
II. Impact
The scanning activity of the Spida worm may cause denial-of-service conditions on compromised systems, and it has been reported to cause high traffic volumes even on networks with no compromised hosts.
Information about the victim system's configuration and accounts may be compromised by the email the worm attempts to send.
By leveraging a default null password, an attacker may execute arbitrary commands on the system in the security context in which the Microsoft SQL Server services are running. While site-specific configurations may vary, the SQL Server is typically run with system-level privileges.
III. Solutions
Detection
During the course of the Spida worm's execution, a number of files are created on the victim system. These include
%SystemRoot%\System32\drivers\services.exe
%SystemRoot%\System32\sqlexec.js
%SystemRoot%\System32\clemail.exe
%SystemRoot%\System32\sqlprocess.js
%SystemRoot%\System32\sqlinstall.bat
%SystemRoot%\System32\sqldir.js
%SystemRoot%\System32\run.js
%SystemRoot%\System32\timer.dll
%SystemRoot%\System32\samdump.dll
%SystemRoot%\System32\pwdump2.exe
The presence of any of these files on the system indicates compromise.
Scanning for other systems on port 1433/tcp or attempts to send email to [email protected] may also indicate a compromised system.
Response
If you believe a system under your administrative control may have been compromised, please refer to
Steps for Recovering from a UNIX or NT System Compromise
Protection
Set a password on the sa account
Following best practices, passwords should never be left with a null or easily guessed value. Ensure that a password has been assigned to the sa account on Microsoft SQL Servers under your control.
Note that when installing Microsoft SQL 2000 Server, the application prompts for an sa password. If a null password is entered, a warning will be displayed, but the application will permit a null password to be used.
Instructions to change the SQL Server password are located at
http://msdn.microsoft.com/library/de...library/en-us/ modadmin/html/deconchangingsqlserveradministratorlogin.asp
http://msdn.microsoft.com/library/de...library/en-us/ adminsql/ad_1_server_5un8.asp
Instructions to change the MSDE password can be found at
http://support.microsoft.com/default...;en-us;Q322336
Additional information on securing Microsoft SQL Server can be found at
http://www.microsoft.com/sql/techinf...0/security.asp
Limit access to the SQL Server port
Packet filtering should be performed at network borders to prohibit externally initiated inbound connections to non-authorized services. With regards to SQL Server, ingress filtering of port 1433/tcp could prevent attackers outside of your network from scanning or infecting vulnerable Microsoft SQL servers in the local network that are not explicitly authorized to provide public SQL services.
Filtering packets destined for other services that are not explicitly required can also prevent intruders from connecting to backdoors on compromised systems.
Egress filtering
Egress filtering manages the flow of traffic as it leaves a network under your administrative control. There is typically limited need for machines providing public services to initiate outbound connections to the Internet. In the case of the Spida worm, employing egress filtering to disallow outbound connections to port 1433/tcp at your network border can help prevent systems on your network from attacking systems elsewhere. This is only effective against systems that are already infected with the Spida worm.
Block outgoing email to [email protected]
As mentioned in the Description section above, the worm attempts to send configuration information and the local password database to [email protected]. Blocking email to this address can reduce the risk of confidential information being exposed by the Spida worm. However, as with the egress filtering recommendation above, this only blocks systems that are already infected, so it is not sufficient to block the email without taking other precautionary steps as described above.
IV. Additional protection
Apply a patch from Microsoft
Microsoft Corporation has released Microsoft Security Bulletin MS02-020, which announces the availability of a cumulative patch to address a variety of problems. While this patch does not address null sa passwords, it does fix a number of serious security issues. We strongly encourage you to read this bulletin and take the appropriate corrective measures. MS02-020 is available at
http://www.microsoft.com/technet/ treeview/default.asp?url=/technet/security/bulletin/MS02-020.asp
Reporting
The CERT/CC is interested in receiving reports of this activity. If machines under your administrative control are compromised, please send mail to [email protected] with the following text included in the subject line: "[CERT#38873]".
--------------------------------------------------------------------------------
Author(s): Chad Dougherty and Allen Householder
--------------------------------------------------------------------------------
This document is available from: http://www.cert.org/incident_notes/IN-2002-04.html
--------------------------------------------------------------------------------
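The Detection section of the CERT note above lists the file names Spida drops under %SystemRoot%\System32 and names scanning of other hosts on 1433/tcp as a second indicator. As an added example, not part of the CERT note or of this thread, the Python below checks a System32 directory for those file names and flags sources in a firewall log that fan out to many distinct hosts on 1433/tcp; the log format, the sample log lines and the fan-out threshold are assumptions made for the example.

```python
"""Host and network checks for the Spida / SQLsnake indicators listed in CERT IN-2002-04."""
import os
from collections import defaultdict

# File names the CERT note says the worm drops under %SystemRoot%\System32.
SPIDA_DROPPED_FILES = (
    os.path.join("drivers", "services.exe"), "sqlexec.js", "clemail.exe",
    "sqlprocess.js", "sqlinstall.bat", "sqldir.js", "run.js",
    "timer.dll", "samdump.dll", "pwdump2.exe",
)

def find_spida_artifacts(system32_dir):
    """Return the listed file names that exist under system32_dir (e.g. C:\\Windows\\System32)."""
    return [name for name in SPIDA_DROPPED_FILES
            if os.path.isfile(os.path.join(system32_dir, name))]

def find_1433_scanners(log_lines, min_targets=10):
    """Flag source IPs that connected to many distinct hosts on 1433/tcp.

    Assumed (hypothetical) firewall log format, one connection per line:
        <timestamp> <action> <proto> <src_ip> <dst_ip> <dst_port>
    Returns {src_ip: distinct_target_count} for sources at or over min_targets.
    """
    targets = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines rather than crash on them
        _ts, _action, proto, src, dst, port = fields
        if proto.upper() == "TCP" and port == "1433":
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}

# Constructed sample log: 10.0.0.5 sweeps 12 hosts on 1433 (one repeat),
# 10.0.0.9 makes two ordinary SQL connections, 10.0.0.7 fans out on port 80 only.
SAMPLE_LOG = (
    [f"2002-05-22T10:00:{i:02d} ACCEPT TCP 10.0.0.5 192.168.1.{i} 1433" for i in range(12)]
    + ["2002-05-22T10:01:00 ACCEPT TCP 10.0.0.5 192.168.1.3 1433"]  # repeat target
    + ["2002-05-22T10:02:00 ACCEPT TCP 10.0.0.9 192.168.1.20 1433",
       "2002-05-22T10:02:05 ACCEPT TCP 10.0.0.9 192.168.1.21 1433"]
    + [f"2002-05-22T10:03:{i:02d} ACCEPT TCP 10.0.0.7 192.168.2.{i} 80" for i in range(15)]
)

if __name__ == "__main__":
    print("1433 scanners:", find_1433_scanners(SAMPLE_LOG))
    system32 = os.path.join(os.environ.get("SystemRoot", "C:\\Windows"), "System32")
    print("Spida artifacts:", find_spida_artifacts(system32))
```

The threshold only separates a sweep from normal client-to-server traffic; a source that trips it still needs the host-side file check before it is treated as compromised.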
-
eulcid thanks.... well, maybe the worm is only for info-gathering purposes since it is not destructive :)... /me is a positive thinker