-----Original Message-----
From: Nipcwatch [mailto:nipc.watch@private]
Sent: Wednesday, May 22, 2002 3:08 PM
To: daily
Subject: NIPC Advisory 02-003 "Microsoft SQL Worm Spida"

National Infrastructure Protection Center
"Microsoft SQL Worm Spida"
Advisory 02-003
22 May 2002

Summary:

The National Infrastructure Protection Center (NIPC) is monitoring an Internet worm called "Spida", also known as SQLSnake. This worm takes advantage of default settings within Microsoft's SQL Server (MSSQL) when there is a system administrator username of "sa" and no password. The danger in this worm is that it copies the password file and the network configuration of the infected machine and sends the information elsewhere via email. This worm can evolve into a Denial of Service (DoS) attack against the infected machine and others on the same network because of the voluminous email traffic the worm initiates once inside the infected machine.

Description:

The Spida worm searches for MSSQL servers that have been set up with the default system administrator account with username of "sa" and a blank password field that was not changed after installation. Once inside, Spida sends the Internet Protocol (IP) configuration of the machine and the domain password file, as well as a variety of machine-specific information, to a temporary file. The temporary file that contains the IP and password files is then sent to a collection point from a fully privileged "guest" account that Spida sets up.

MSSQL servers installed with "integrated security mode" settings are not at risk. Those servers installed with "mixed mode" security settings, without a password for the "sa" account, are at risk. To set the password after installation, see: http://www.microsoft.com/sql

The success of this worm highlights shortfalls in basic configuration management and system security. Once software is installed, default usernames and passwords that can be changed should be changed. Note that the username "sa" cannot be changed. All passwords should be under the system administrator's control, with strict adherence to security conventions for all user accounts.

Recommendations:

- Change any editable default usernames and passwords on MSSQL and all other software as soon as the software is installed.
- Change the default "null" password on the "sa" account in accordance with strict adherence to security conventions.
- Consider restricting port 1433 access on the MSSQL server to only those machines that require connection to the database(s).
- Microsoft SQL Server customers should refer to the following address for information on securing Microsoft SQL Server: http://www.microsoft.com/sql/techinfo/administration/2000/security.asp

The anti-virus community and security community are aware of this worm, and there are virus definitions for this worm. As it primarily affects servers, vigilance, basic security practices and security measures are the best defense against this worm.

Additional information on this worm can be found at the following sites:

Incidents.org: http://www.incidents.org/diary/diary.php?id=157
Internet Security Systems: http://www.iss.net/security_center/alerts/advise118.php

For basic tips and suggestions on password creation, see: http://www.nipc.gov/publications/nipcpub/password.htm

Recipients of this advisory are encouraged to report computer crime to federal, state, or local law enforcement and other appropriate authorities. Incidents may be reported online at http://www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch@private
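The following T-SQL is an added example, not part of the NIPC advisory or any Microsoft guidance quoted in it. It shows how an administrator would audit for the exact condition the advisory describes (mixed-mode authentication with a blank "sa" password) and apply the recommended fix. It assumes it is run in the master database by a sysadmin login on a SQL Server version that has the sys.sql_logins catalog view; the password value is a placeholder to be replaced with one that meets your own policy.

```sql
-- Added example (not from the advisory): audit and remediate a blank "sa" password.
-- Run as a sysadmin login, in the master database.

-- 1. Confirm the authentication mode.
--    1 = Windows authentication only ("integrated security mode" in the advisory),
--    0 = mixed mode, where SQL logins such as "sa" are usable over the network.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. List every SQL login that still accepts an empty password.
--    PWDCOMPARE returns 1 when the plaintext supplied matches the stored hash.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE PWDCOMPARE(N'', password_hash) = 1;

-- 3. Give "sa" a strong password. The login name itself cannot be changed,
--    as the advisory notes, but its password can, and the login can be disabled.
--    Placeholder value: replace before running.
ALTER LOGIN sa WITH PASSWORD = N'<REPLACE-WITH-STRONG-PASSWORD>';

-- 4. If nothing legitimately connects as "sa", disable the login as well,
--    so that a guessed or leaked password is no longer sufficient on its own.
ALTER LOGIN sa DISABLE;

-- 5. Re-run the audit; the result set should now be empty.
SELECT name
FROM sys.sql_logins
WHERE PWDCOMPARE(N'', password_hash) = 1;
```

On the SQL Server 2000 installations the advisory was written for, the catalog view above does not exist; the equivalent checks of that era were `SELECT name FROM master..syslogins WHERE password IS NULL` to find blank-password logins and `EXEC sp_password NULL, '<new password>', 'sa'` to set the "sa" password. Restricting TCP port 1433 to the hosts that need it, the advisory's other recommendation, is done at the host or network firewall rather than inside SQL Server, and the audit query in step 2 is worth scheduling rather than running once, since later installs or restores can reintroduce a blank-password login.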
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:43:33 PDT