CRIME SQLSnake

From: brvarin@private
Date: Tue May 21 2002 - 07:25:16 PDT


    Looks like my paranoia was right!
    
    Just pulled from SANS/Incidents.org
    
    http://www.incidents.org/diary/diary.php?id=156
    
    MSSQL Worm (sqlsnake) on the rise
    ================================================================
    (Preliminary)
    
    Starting yesterday, the Internet Storm Center detected a sudden
    increase in hosts scanning for port 1433, which is commonly used by
    Microsoft's SQL Server. A number of exploits are known for this
    service. It is also known that many administrators do not set a
    password for the 'SA' account. This administrator account can be used
    to log on to the SQL server and execute arbitrary SQL commands. Using
    these commands, the user can read and write files, as well as execute
    code.
    
    While we are still collecting all the pieces, some exploit code has
    been captured indicating that this is a self propagating worm.
    
    Aside from a number of other functions, the worm will email a password
    list to ixltd@private. As of this morning, the quota of this
    account is exceeded.
    
    Current graph of port 1433 activity:
    
    http://isc.incidents.org/port_details.html?port=1433&tarax=1
    (important line is the red one. It shows the number of sources)
    
    Basic Protection
    ================
    
    (1) block traffic to port 1433 tcp at your perimeter.
    (2) ensure all Microsoft SQL servers are patched and a password
        is set up for the SA account.
    (3) block all email to ixltd@private
    
    It has been reported that some software packages include a version of
    SQL server (Visio Enterprise Edition?). A portscan for machines listening
    on port 1433 may help.
    
    Detection
    =========
    
    Multiple outbound connection attempts to port 1433 should give away
    infected machines. We are working on more detailed signatures.
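    One way to turn that detection hint into a concrete check, as an added example that is not part of the original post or of the SANS diary: scan perimeter firewall log lines and flag internal sources that attempt TCP/1433 to many distinct hosts. The log format and sample lines are constructed for this example; adapt the regex to your own device's format.

```python
"""Flag internal hosts making many outbound TCP/1433 connection attempts.

Hypothetical log format (constructed for this example, not from SANS):
    <date> <time> <ALLOW|DENY> TCP <src_ip>:<src_port> -> <dst_ip>:<dst_port>
"""
import re
from collections import defaultdict

MSSQL_PORT = 1433

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "action": m["action"], "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}


def find_scanners(lines, threshold=10):
    """Return {src_ip: distinct_target_count} for sources that tried TCP/1433
    against at least `threshold` distinct destinations. Allowed and denied
    attempts both count: a worm keeps probing regardless of the answer."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dport"] == MSSQL_PORT:
            targets[rec["src"]].add(rec["dst"])
    return {src: len(dsts) for src, dsts in targets.items()
            if len(dsts) >= threshold}


# Constructed sample: 10.0.0.5 sweeps a /24 on 1433; 10.0.0.8 talks to one
# legitimate database server; 10.0.0.9 is ordinary web traffic.
SAMPLE_LOG = [
    f"2002-05-20 14:02:{i:02d} DENY TCP 10.0.0.5:{3000 + i} -> 192.168.77.{i + 1}:1433"
    for i in range(12)
] + [
    "2002-05-20 14:03:00 ALLOW TCP 10.0.0.8:4001 -> 10.0.0.20:1433",
    "2002-05-20 14:03:05 ALLOW TCP 10.0.0.8:4002 -> 10.0.0.20:1433",
    "2002-05-20 14:03:09 ALLOW TCP 10.0.0.9:4003 -> 198.51.100.7:80",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for src, n in sorted(find_scanners(SAMPLE_LOG).items()):
        print(f"{src}: {n} distinct hosts probed on tcp/{MSSQL_PORT}")
```

    Counting distinct destinations rather than raw connection count keeps a busy application server that reconnects to one database out of the alert list.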
    
    Some Functionality
    ==================
    
    A quick rundown of functions this worm may perform
    
    This is VERY PRELIMINARY
    
    - add guest user
    - email password list
    - self propagation (search for other vulnerable hosts)
    
    ... more to come...
    
    Relevant Links
    ==============
    
    Microsoft KB regarding SA password
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q313418
    