[ISN] New Worm Targets Microsoft SQL Servers

From: InfoSec News (isnat_private)
Date: Wed Nov 21 2001 - 02:26:58 PST

    http://www.newsbytes.com/news/01/172321.html
    
    By Brian McWilliams, Newsbytes
    PHILADELPHIA, PENNSYLVANIA, U.S.A.,
    20 Nov 2001, 3:37 PM CST
     
    A new Internet worm that targets poorly secured systems running
    Microsoft's SQL Server software is on the loose but unlikely to spread
    widely, security experts reported today.
    
    The worm, which has not yet been named, appears to target Microsoft
    SQL servers which have no password on the system administrator
    account, according to a preliminary analysis of the code by
    participants on Incidents, a mailing list for tracking computer
    intrusions.
     
    When it finds a vulnerable system, the worm appears to install two
    Trojan horse programs that may be used by the worm's creator to
    control the server.
    
    The programs are downloaded by the worm to the victim server from an
    apparently compromised system registered to the Philadelphia Museum of
    Art. By this afternoon, the two files had been removed from the
    server, essentially sterilizing the worm, experts said.
    
    The worm also attempts to make a connection to an Internet relay chat
    server at Case Western Reserve University in Cleveland, to which it
    appears to send the address of the compromised machine as well as what
    may be a password.
    
    In addition to modifying the victim server's system registry to load
    the Trojan horse programs at boot-up, the worm appears to contain code
    that scans the Internet for other vulnerable servers on port 1433.
    
    The SQL worm's dependence on one site for obtaining files gives it a
    single point of failure, according to Marc Maiffret, chief hacking
    officer for eEye Digital Security.
    
    "It looks like it was rather poorly developed and therefore it will be
    rather trivial to stop this worm and track down whomever developed
    it," said Maiffret, who noted that the weak default password
    protection on Microsoft SQL Server 7.0 results in many system
    compromises.
    
    "I am surprised there has not been a worm that exploits this until
    now," he said.
    
    Microsoft officials were not immediately available for comment.
    
    Microsoft SQL Server is a relational database management system.
    According to Microsoft, the product is the most popular Web database,
    with a 68 percent market share.
    
    The Incidents list discussion of the SQL worm is at
    http://archives.neohapsis.com/archives/incidents/2001-11/0102.html
    
    
    