CRIME FW: NIPC Advisory 02-003 "Microsoft SQL Worm Spida"

From: George Heuston (GeorgeH@private)
Date: Wed May 22 2002 - 15:38:23 PDT


    -----Original Message-----
    From: Nipcwatch [mailto:nipc.watch@private] 
    Sent: Wednesday, May 22, 2002 3:08 PM
    To: daily
    Subject: NIPC Advisory 02-003 "Microsoft SQL Worm Spida"
    
    
    National Infrastructure Protection Center
    "Microsoft SQL Worm Spida"
    Advisory 02-003
    22 May 2002
    
    
    
    Summary:
    
    The National Infrastructure Protection Center (NIPC) is monitoring an 
    Internet worm called "Spida", also known as SQLSnake. This worm takes 
    advantage of default settings within Microsoft's SQL Server (MSSQL) when 
    there is a system administrator username of "sa" and no password. The 
    danger in this worm is that it copies the password file and the network 
    configuration of the infected machine and sends the information 
    elsewhere via email. This worm can evolve into a Denial of Service (DoS) 
    attack against the infected machine and others on the same network 
    because of the voluminous email traffic the worm initiates once inside 
    the infected machine.
    
    Description:
    
    The Spida worm searches for MSSQL servers that have been set up with the 
    default system administrator account with username of "sa" and a blank 
    password field that was not changed after installation. Once inside, 
    Spida sends the Internet Protocol (IP) configuration of the machine and 
    the domain password file as well as a variety of machine-specific 
    information to a temporary file. The temporary file that contains the IP 
    and password files is then sent to a collection point from a fully 
    privileged "guest" account that Spida sets up.
    
    MSSQL servers installed with "integrated security mode" settings are not 
    at risk. Those servers installed with "mixed mode" security settings, 
    without a password for the "sa" account, are at risk. To set the 
    password after installation, see:
    http://www.microsoft.com/sql
    
    The success of this worm highlights shortfalls in basic configuration 
    management and system security. Once software is installed, default 
    usernames and passwords that can be changed should be changed. Note 
    that the username "sa" cannot be changed. All passwords should be under the 
    system administrator's control, with strict adherence to security 
    conventions for all user accounts.
    
    Recommendations:
    
    Change any editable default usernames and passwords on MSSQL and all 
    other software as soon as the software is installed. Replace the default 
    "null" (blank) password on the "sa" account with one that strictly 
    follows security conventions.
    
    Consider restricting port 1433 access on the MSSQL server to only those 
    machines that require connection to the database(s).
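The following T-SQL audit script is an added example and is not part of the NIPC advisory or of Microsoft's documentation. It shows how an administrator can check, on an instance they manage, the two conditions the advisory describes (mixed-mode authentication and a blank "sa" password) and then set a password; it assumes SQL Server 2005 or later syntax (the SQL Server 2000 equivalent is noted in a comment), and the password value is a placeholder to be replaced. The port 1433 restriction is a host or network firewall control and is not shown here.

```sql
-- Added audit script (not from the advisory): run as a sysadmin on the
-- SQL Server instance you administer. Assumes SQL Server 2005+ syntax.

-- 1. Which authentication mode is the instance running in?
--    1 = Windows ("integrated") authentication only: SQL logins are refused.
--    0 = mixed mode: SQL logins such as "sa" are accepted, so step 2 matters.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS integrated_only;

-- 2. Which SQL logins still have a blank password? PWDCOMPARE tests the
--    candidate password ('' here) against the stored hash; any row returned
--    is an account in exactly the state the Spida worm looks for.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- 3. Remediate "sa": set a long, randomly generated password (placeholder
--    below) and disable the login if nothing legitimately connects as "sa".
ALTER LOGIN sa WITH PASSWORD = N'<replace-with-a-long-random-password>';
ALTER LOGIN sa DISABLE;

-- 4. Re-check: the blank-password query should now return no rows.
SELECT name FROM sys.sql_logins WHERE PWDCOMPARE('', password_hash) = 1;

-- SQL Server 2000 (current when this advisory was issued) sets the password
-- with sp_password instead; @old is NULL because the password is blank:
-- EXEC sp_password @old = NULL, @new = '<replace-with-a-long-random-password>', @loginame = 'sa';
```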
    
    Microsoft SQL Server customers should refer to the following address for 
    information on securing Microsoft SQL Server:
    http://www.microsoft.com/sql/techinfo/administration/2000/security.asp.
    
    The anti-virus and security communities are aware of this worm, 
    and virus definitions for it are available. As it primarily affects 
    servers, vigilance, basic security practices and security measures are 
    the best defense against this worm. Additional information on this worm 
    can be found at the following sites:
    
    Incidents.org:
    http://www.incidents.org/diary/diary.php?id=157
    
    Internet Security Systems:
    http://www.iss.net/security_center/alerts/advise118.php
    
    For basic tips and suggestions on password creation, see:
    http://www.nipc.gov/publications/nipcpub/password.htm.
    
    Recipients of this advisory are encouraged to report computer crime to 
    federal, state, or local law enforcement and other appropriate 
    authorities. Incidents may be reported online at 
    http://www.nipc.gov/incident/cirr.htm.
    
    The NIPC Watch and Warning Unit can be reached at (202) 
    323-3204/3205/3206 or nipc.watch@private
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:43:33 PDT