Worm targets SQL server software

Security analysts are warning of a self-propagating worm targeting Microsoft Corp.’s SQL Server software.

The worm scans for and attacks Internet-connected SQL Server accounts that aren’t protected by administrative passwords. Once it infects such a server, it exports all user passwords on that server to an external e-mail account, said Elias Levy, chief technology officer at SecurityFocus in San Mateo, Calif.

The worm, called SQLSnake, also uses the compromised machine to infect other vulnerable SQL servers in the same way, Levy said.

“It is not exploiting any new vulnerability. It is just looking for administrative accounts with no passwords,” he said.

Once it gets into a system it does a few things, Levy added. “It gives administrative privileges to the guest account. It also dumps the password files from the registry and mails it to an e-mail address and it scans for new systems to infect,” he said.

Analysts were first alerted to the worm yesterday by a huge increase in scanning activity for Port 1433, which is commonly used by Microsoft’s SQL Server.

“We’ve been watching reconnaissance activity against Microsoft’s SQL server for the past nine months,” said Tim Belcher, chief technology officer at Riptech Inc., an Alexandria, Va.-based managed service provider.

But the scanning activity increased by 90 per cent over the weekend, and a further 100-fold between yesterday and today, Belcher said.

SecurityFocus has received reports of about 1,600 systems that have been infected by the worm, with the number growing by about 100 every hour, Levy said.

“This is a potent worm, and it’s propagating with impressive speed. If you are running a misconfigured SQL server, you are likely to be compromised very shortly,” Belcher said.

But at the same time, “it is not as critical to the Internet infrastructure as Code Red and Nimda were, simply because there are a lot fewer SQL servers on the Internet compared to Microsoft IIS servers,” which were targeted by the previous worms, Belcher said.

Users can mitigate their exposure by blocking Internet access to port 1433, according to an alert posted by Russ Cooper, moderator of the NTBugTraq mailing list.

It’s also important to ensure that the administrator account has a password and to disable TCP/IP Network Libraries if you’re not using them, Cooper added.

Also, review the configuration and installation of all systems that may be inadvertently running SQL Server and disable unnecessary deployments, Riptech said in its advisory. And use strong authentication for access control, the company added.
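The port 1433 scanning described above also shows up in an organization's own firewall logs when an internal host starts probing many SQL servers at once. The following is an added example, not part of the original article or of any vendor advisory; the log format, addresses, thresholds and the function name `find_sql_scanners` are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log; the format and all addresses are assumptions.
SAMPLE_LOG = """\
2024-01-01T10:00:01 TCP 10.0.0.5:4312 -> 198.51.100.7:1433
2024-01-01T10:00:02 TCP 10.0.0.5:4313 -> 198.51.100.8:1433
2024-01-01T10:00:03 TCP 10.0.0.5:4314 -> 198.51.100.9:1433
2024-01-01T10:00:04 TCP 10.0.0.5:4315 -> 198.51.100.10:1433
2024-01-01T10:00:05 TCP 10.0.0.9:5000 -> 192.0.2.10:1433
2024-01-01T10:01:05 TCP 10.0.0.9:5001 -> 192.0.2.10:1433
2024-01-01T10:00:00 TCP 10.0.0.7:6000 -> 203.0.113.1:1433
2024-01-01T10:10:00 TCP 10.0.0.7:6001 -> 203.0.113.2:1433
2024-01-01T10:20:00 TCP 10.0.0.7:6002 -> 203.0.113.3:1433
2024-01-01T10:30:00 TCP 10.0.0.7:6003 -> 203.0.113.4:1433
2024-01-01T10:00:06 TCP 10.0.0.5:4316 -> 198.51.100.7:80
"""

LINE_RE = re.compile(r"^(\S+) TCP ([\d.]+):\d+ -> ([\d.]+):(\d+)$")


def find_sql_scanners(log_text, port=1433, min_targets=4,
                      window=timedelta(minutes=5)):
    """Map each source IP to the most distinct destinations it contacted on
    `port` inside any single `window`, keeping sources at or above min_targets."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m.group(4)) != port:
            continue  # unparseable line, or traffic to another port
        events[m.group(2)].append((datetime.fromisoformat(m.group(1)), m.group(3)))

    flagged = {}
    for src, hits in events.items():
        hits.sort()
        best = start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in hits[start:end + 1]}))
        if best >= min_targets:
            flagged[src] = best
    return flagged
```

A client that talks repeatedly to one database server, or that reaches a few servers spread over a long period, stays below the threshold; only the burst of connections to many distinct destinations is reported.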
