Information Security News mailing list archives

'SQLsnake' Worm Blamed For Spike In Port 1433 Scans


From: InfoSec News <isn () c4i org>
Date: Wed, 22 May 2002 03:44:41 -0500 (CDT)

http://www.newsbytes.com/news/02/176701.html

By Brian McWilliams, Newsbytes
SAN MATEO, CALIFORNIA, U.S.A.,
21 May 2002, 11:04 AM CST
 
A mounting trail of evidence has security experts warning that a new
Internet worm targeting Microsoft SQL servers could be on the loose.

Since Monday, a sharp spike in remote probes of TCP port 1433, which
commonly is used by Microsoft's SQL database, has been reported by
many server administrators, according to SecurityFocus, which operates
an incident-reporting system called ARIS.
 
Officials at the SANS Institute, a computer security education and
analysis organization, also reported today that they have received
"exploit code" that indicates the increase in port 1433 scans may be
due to a self-propagating worm rather than to manual probes by
would-be attackers.

According to SANS incident handler Johannes Ullrich, a preliminary
analysis shows the code, which has been dubbed "SQLsnake," attempts to
log in to the SQL administrator's account on a remote server using a
"brute force" password cracker.

Once the worm, which is written in JavaScript, has gained SQL
administrator access, its author has the ability to execute SQL
commands, which include reading and writing files, as well as
executing code, SANS said.

The SQLsnake code also appears to e-mail a list of passwords captured
from the victim server to a free e-mail account hosted in Singapore.

As of this morning, more than 1,400 systems appear to have been
compromised by the worm and are actively probing other servers,
according to statistics compiled by SANS.

Potentially infected hosts are spread geographically, with the
majority located in Korea, the United States, Canada, France, Taiwan
and China, SecurityFocus reported yesterday.

According to SecurityFocus vice president of engineering Alfred Huger,
intrusion detection reports suggest the potential worm is specifically
targeting Microsoft SQL systems without proper password protection.

Many Microsoft SQL administrators fail to set a strong password for
the system account, which by default has a "null" or non-existent
password, SecurityFocus warned yesterday in an alert to ARIS users.

Last month, Microsoft issued a patch for a buffer-overflow flaw in its
SQL Server version 7 and version 2000. According to Huger, there is no
indication so far that the potential worm is targeting that
vulnerability.

Earlier this year, Microsoft advised customers that a worm, which was
given the name "Voyager Alpha Force," was scanning the Internet for
Microsoft SQL servers and attempting to log into administrator
accounts that lacked passwords.

To prevent the spread of SQLsnake, security experts advised system
administrators to block traffic to port 1433 at the perimeter of their
network, and to ensure that all Microsoft SQL servers are patched and
properly password-protected.
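The port 1433 sweep that ARIS and SANS describe above is easy to spot in perimeter firewall logs. The script below is an added example, not part of the article or of the SANS analysis: it assumes a constructed space-separated log format (timestamp, source, destination, destination port, action) and flags any source that contacts at least three distinct hosts on TCP 1433 within a one-minute window, which is how an infected server sweeping for exposed SQL servers looks from the outside.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). Format:
# "<ISO timestamp> <src> <dst> <dport> <action>"
SAMPLE_LOG = """\
2002-05-20T10:00:01 10.0.0.5 192.0.2.10 1433 DROP
2002-05-20T10:00:01 10.0.0.5 192.0.2.11 1433 DROP
2002-05-20T10:00:02 10.0.0.5 192.0.2.12 1433 DROP
2002-05-20T10:00:02 10.0.0.5 192.0.2.13 1433 DROP
2002-05-20T10:00:03 10.0.0.5 192.0.2.14 1433 DROP
2002-05-20T10:00:03 10.0.0.9 192.0.2.10 80 ACCEPT
2002-05-20T10:00:04 10.0.0.9 192.0.2.10 1433 ACCEPT
2002-05-20T10:01:04 10.0.0.9 192.0.2.10 1433 ACCEPT
2002-05-20T10:00:05 10.0.0.7 192.0.2.20 1433 DROP
2002-05-20T10:00:06 10.0.0.7 192.0.2.21 1433 DROP
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")

def parse_log(text):
    """Parse log text into (timestamp, src, dst, dport, action) tuples; skip bad lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: ignore rather than abort the whole run
        ts, src, dst, dport, action = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    return events

def find_sql_scanners(events, port=1433, min_targets=3, window=timedelta(seconds=60)):
    """Return {src: sorted distinct dsts} for sources that hit >= min_targets
    distinct hosts on `port` within any `window`-long interval.
    A single repeated connection to one server (a legitimate client) is not flagged."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, _ in events:
        if dport == port:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()  # chronological order so the window slides forward
        for i, (t0, _) in enumerate(hits):
            dsts = {d for t, d in hits[i:] if t - t0 <= window}
            if len(dsts) >= min_targets:
                flagged[src] = sorted(dsts)
                break
    return flagged

if __name__ == "__main__":
    for src, dsts in find_sql_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{src} swept {len(dsts)} hosts on 1433: {', '.join(dsts)}")
```

Sources flagged this way are candidates for the perimeter block and the sa-password check the article recommends; the threshold and window are tuning knobs, not fixed values from the SANS analysis.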

Microsoft SQL is the most popular Web database, with 68 percent market
share, according to Microsoft.

The SANS analysis of SQLsnake is at
http://www.incidents.org/diary/diary.php?id_6

SecurityFocus is at http://www.securityfocus.com


