Worm targets SQL server software

Security analysts are warning of a self-propagating worm targeting Microsoft Corp.’s SQL Server software.

The worm scans for Internet-connected SQL Server installations whose administrative account has no password and attacks them. Once it infects such a server, it exports all user passwords on that server to an external e-mail account, said Elias Levy, chief technology officer at SecurityFocus in San Mateo, Calif.

The worm, called SQLSnake, also uses the compromised machine to infect other vulnerable SQL servers in the same way, Levy said.

“It is not exploiting any new vulnerability. It is just looking for administrative accounts with no passwords,” he said.

Once it gets into a system it does a few things, Levy added. “It gives administrative privileges to the guest account. It also dumps the password files from the registry and mails them to an e-mail address, and it scans for new systems to infect,” he said.

Analysts were first alerted to the worm yesterday by a huge increase in scanning activity for port 1433, the TCP port on which Microsoft’s SQL Server listens by default.

“We’ve been watching reconnaissance activity against Microsoft’s SQL server for the past nine months,” said Tim Belcher, chief technology officer at Riptech Inc., an Alexandria, Va.-based managed service provider.

But the scanning activity increased by 90 per cent over the weekend, and a further 100-fold between yesterday and today, Belcher said.
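The scanning surge described above is the kind of signal a defender can pull out of ordinary perimeter firewall logs. The following script is an added example, not code from the article or from any of the organisations quoted in it: it parses a small constructed sample of firewall deny-log lines (the line format, the timestamps and the addresses, which are drawn from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24, are all assumptions), counts connection attempts to TCP port 1433 per hour, flags an hour whose count jumps sharply against the previous one, and lists sources that probed port 1433 on several distinct hosts, which is a sweep pattern rather than a single misdirected connection. The surge factor and floor are arbitrary thresholds chosen for the sample.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of firewall deny-log lines (not real data). Assumed format:
# <ISO timestamp> <action> <proto> <src ip>:<src port> -> <dst ip>:<dst port>
SAMPLE_LOG = """\
2002-05-20T09:05:01 DENY TCP 203.0.113.10:3301 -> 198.51.100.5:1433
2002-05-20T09:40:17 DENY TCP 192.0.2.44:1550 -> 198.51.100.5:1433
2002-05-20T09:41:00 DENY TCP 192.0.2.44:1551 -> 198.51.100.5:80
2002-05-20T10:12:33 DENY TCP 203.0.113.10:3302 -> 198.51.100.5:1433
2002-05-20T10:30:08 DENY TCP 203.0.113.58:4100 -> 198.51.100.6:1433
2002-05-20T10:55:49 DENY TCP 192.0.2.9:2200 -> 198.51.100.5:1433
2002-05-20T11:02:10 DENY TCP 203.0.113.10:3303 -> 198.51.100.5:1433
2002-05-20T11:02:11 DENY TCP 203.0.113.10:3304 -> 198.51.100.6:1433
2002-05-20T11:02:12 DENY TCP 203.0.113.10:3305 -> 198.51.100.7:1433
2002-05-20T11:03:40 DENY TCP 192.0.2.130:1025 -> 198.51.100.5:1433
2002-05-20T11:03:41 DENY TCP 192.0.2.130:1026 -> 198.51.100.6:1433
2002-05-20T11:07:22 DENY TCP 203.0.113.58:4101 -> 198.51.100.5:1433
2002-05-20T11:07:23 DENY TCP 203.0.113.58:4102 -> 198.51.100.7:1433
2002-05-20T11:15:05 DENY TCP 192.0.2.77:3000 -> 198.51.100.5:1433
2002-05-20T11:15:06 DENY TCP 192.0.2.77:3001 -> 198.51.100.6:1433
2002-05-20T11:20:59 DENY TCP 203.0.113.201:1100 -> 198.51.100.5:1433
2002-05-20T11:21:00 DENY TCP 203.0.113.201:1101 -> 198.51.100.6:1433
2002-05-20T11:21:01 DENY TCP 203.0.113.201:1102 -> 198.51.100.7:1433
"""

SQL_SERVER_PORT = 1433  # default TCP listener for Microsoft SQL Server

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "proto": m["proto"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    return events


def hourly_counts(events, dport=SQL_SERVER_PORT):
    """Count TCP connection attempts to dport, bucketed by hour."""
    counts = Counter()
    for e in events:
        if e["proto"] == "TCP" and e["dport"] == dport:
            counts[e["ts"].replace(minute=0, second=0, microsecond=0)] += 1
    return counts


def find_surges(counts, factor=3.0, minimum=5):
    """Return (hour, previous_count, count) for each hour whose count is at least
    `factor` times the preceding hour's and at least `minimum` in absolute terms
    (the floor stops a jump from 1 to 3 attempts from alerting)."""
    hours = sorted(counts)
    alerts = []
    for prev, cur in zip(hours, hours[1:]):
        if counts[cur] >= minimum and counts[cur] >= factor * counts[prev]:
            alerts.append((cur, counts[prev], counts[cur]))
    return alerts


def sweeping_sources(events, dport=SQL_SERVER_PORT, min_targets=2):
    """Map each source that tried dport on at least min_targets distinct hosts
    to the number of hosts it touched: a horizontal sweep, not a stray connection."""
    targets = defaultdict(set)
    for e in events:
        if e["proto"] == "TCP" and e["dport"] == dport:
            targets[e["src"]].add(e["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def top_sources(events, dport=SQL_SERVER_PORT, n=3):
    """The n sources with the most attempts against dport, busiest first."""
    c = Counter(e["src"] for e in events if e["proto"] == "TCP" and e["dport"] == dport)
    return c.most_common(n)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hour, prev, cur in find_surges(hourly_counts(evs)):
        print(f"surge at {hour:%Y-%m-%d %H:00}: {prev} -> {cur} attempts on port {SQL_SERVER_PORT}")
    for src, n in sorted(sweeping_sources(evs).items()):
        print(f"{src} probed port {SQL_SERVER_PORT} on {n} hosts")
```

Run against the sample, the script reports one surge (the 11:00 hour, up from 3 attempts to 12) and five sweeping sources; the port-80 line is ignored by the port filter. On real logs the hour bucket and the thresholds would be tuned to the site's normal background of port 1433 noise, and an alert on a surge is the cue to confirm that no exposed SQL Server instance is still running with an unpassworded administrative account.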

SecurityFocus has received reports of about 1,600 systems that have been infected by the worm, with the number growing by about 100 every hour, Levy said.

“This is a potent worm, and it’s propagating with impressive speed. If you are running a misconfigured SQL server, you are likely to be compromised very shortly,” Belcher said.

But at the same time, “it is not as critical to the Internet infrastructure as Code Red and Nimda were, simply because there are a lot fewer SQL servers on the Internet compared to Microsoft IIS servers,” which were targeted by the previous worms, Belcher said.

Users can mitigate their exposure by blocking Internet access to TCP port 1433, according to an alert posted by Russ Cooper, moderator of the NTBugTraq mailing list.

It’s also important to ensure that the administrator account has a password and to disable TCP/IP Network Libraries if you’re not using them, Cooper added.

Also, review the configuration and installation of all systems that may be inadvertently running SQL Server and disable any instances that are not needed, Riptech said in its advisory. And use strong authentication for access control, the company added.