[ISN] 'SQLsnake' Worm Blamed For Spike In Port 1433 Scans

From: InfoSec News (isnat_private)
Date: Wed May 22 2002 - 01:44:41 PDT

  • Next message: InfoSec News: "RE: [ISN] Lets Indict All the Lawyers"

    http://www.newsbytes.com/news/02/176701.html
    
    By Brian McWilliams, Newsbytes
    SAN MATEO, CALIFORNIA, U.S.A.,
    21 May 2002, 11:04 AM CST
     
    A mounting trail of evidence has security experts warning that a new
    Internet worm targeting Microsoft SQL servers could be on the loose.
    
    Since Monday, a sharp spike in remote probes of TCP port 1433, which
    commonly is used by Microsoft's SQL database, has been reported by
    many server administrators, according to SecurityFocus, which operates
    an incident-reporting system called ARIS.
     
    Officials at the SANS Institute, a computer security education and
    analysis organization, also reported today that they have received
    "exploit code" that indicates the increase in port 1433 scans may be
    due to a self-propagating worm rather than to manual probes by
    would-be attackers.
    
    According to SANS incident handler Johannes Ullrich, a preliminary
    analysis shows the code, which has been dubbed "SQLsnake," attempts to
    log in to the SQL administrator's account on a remote server using a
    "brute force" password cracker.
    
    Once the worm, which is written in JavaScript, has gained SQL
    administrator access, its author has the ability to execute SQL
    commands, which include reading and writing files, as well as
    executing code, SANS said.
    
    The SQLsnake code also appears to e-mail a list of passwords captured
    from the victim server to a free e-mail account hosted in Singapore.
    
    As of this morning, more than 1,400 systems appear to have been
    compromised by the worm and are actively probing other servers,
    according to statistics compiled by SANS.
    
    Potentially infected hosts are spread geographically, with the
    majority located in Korea, the United States, Canada, France, Taiwan
    and China, SecurityFocus reported yesterday.
    
    According to SecurityFocus vice president of engineering Alfred Huger,
    intrusion detection reports suggest the potential worm is specifically
    targeting Microsoft SQL systems without proper password protection.
    
    Many Microsoft SQL administrators fail to set a strong password for
    the system account, which by default has a "null" or non-existent
    password, SecurityFocus warned yesterday in an alert to ARIS users.
    
    Last month, Microsoft issued a patch for a buffer-overflow flaw in its
    SQL Server version 7 and version 2000. According to Huger, there is no
    indication so far that the potential worm is targeting that
    vulnerability.
    
    Earlier this year, Microsoft advised customers that a worm, which was
    given the name "Voyager Alpha Force," was scanning the Internet for
    Microsoft SQL servers and attempting to log into administrator
    accounts that lacked passwords.
    
    To prevent the spread of SQLsnake, security experts advised system
    administrators to block traffic to port 1433 at the perimeter of their
    network, and to ensure that all Microsoft SQL servers are patched and
    properly password-protected.
    
    Microsoft SQL is the most popular Web database, with 68 percent market
    share, according to Microsoft.
    
    The SANS analysis of SQLsnake is at
    http://www.incidents.org/diary/diary.php?id_6
    
    SecurityFocus is at http://www.securityfocus.com
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Wed May 22 2002 - 04:19:40 PDT