CRIME SQLSnake

From: brvarin@private
Date: Tue May 21 2002 - 07:25:16 PDT

Next message: Heidi Henry: "CRIME Korean spam & Klez"

Previous message: brvarin@private: "CRIME SQL Probes on the upswing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Looks like my paranoia was right!

Just pulled from SANS/Incidents.org

http://www.incidents.org/diary/diary.php?id=156

MSSQL Worm (sqlsnake) on the rise
================================================================
(Preliminary)

Starting yesterday, the Internet Storm Center detected a sudden
increase in hosts scanning for port 1433, which is commonly used by
Microsoft's SQL Server. A number of exploits are known for this
service. It is also known that many administrators do not set a
password for the 'SA' account. This administrator account can be used
to log on to the SQL server, execute arbitrary SQL commands. Using
these commands, the user can read and write files, as well as execute
code.

While we are still collecting all the pieces, some exploit code has
been captured indicating that this is a self propagating worm.

Aside from a number of other functions, the worm will email a password
list to ixltd@private As of this morning, the quota of this
account is exceeded.

Current graph of port 1433 activity:

http://isc.incidents.org/port_details.html?port=1433&tarax=1
(important line is the red one. It shows the number of sources)

Basic Protection
================

(1) block traffic to port 1433 tcp at your perimeter.
(2) ensure all Microsoft SQL servers are patched and a password
    is setup for the SA account.
(3) block all email to ixltd@private

It has been reported that some software packages include a version of
SQL server (Visio Enterprise Edition?). A portscan for machines listening
on port 1433 may help.

Detection
=========

multiple outbound connection attempts to port 1433 should give away
infected machines. We are working on more detailed signatures.

Some Functionality
==================

A quick rundown of functions this worm may perform

This is VERY PRELIMINARY

- add guest user
- email password list
- self propagation (search for other vulnerable hosts)
-

... more to come...

Relevant Links
==============

Microsoft KB regarding SA password
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q313418

Next message: Heidi Henry: "CRIME Korean spam & Klez"
Previous message: brvarin@private: "CRIME SQL Probes on the upswing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:43:17 PDT