ADVISORY/Entercept Stops the SQL Worm; Also known as: Microsoft SQL Spida Worm Propagation, Digispid.B.Worm, and SQLSnake.

Business/News Editors & High-Tech Writers

ADVISORY... SAN JOSE, Calif.--(BUSINESS WIRE)--May 23, 2002

Overview

A new Internet worm is targeting Microsoft SQL servers. Remote probes of TCP port 1433, the default port used by Microsoft's SQL database, have been reported. According to the SANS Institute, the worm, which is written in JavaScript, gains SQL administrator access and allows the attacker to execute commands, including reading and writing files and executing code. Microsoft issued a patch for SQL Server in April 2002 (Security Bulletin MS02-020, listed under Information Resources). Note, however, that the worm spreads by authenticating with a blank "sa" password rather than by exploiting a software flaw, so applying the patch alone does not prevent infection; the "sa" password must be set.

Ports Affected: TCP port 1433 (the SANS Institute lists port 1433 among the top five ports under attack)

Details

SQL Server 7 is, by default, configured to run with a blank "sa" (system administrator) password. Using TCP port 1433 as its entry point, the worm logs in as "sa", changes the "sa" password, extracts the local account password hashes, and forces the machine to scan for additional targets using as many as 100 threads. The SQL worm then e-mails the list of passwords captured from the victim server to a free e-mail account hosted in Singapore.

Major Aspects:
1. Changes the "sa" user password to a random value
2. Runs PWDUMP2 to extract passwords
3. Sends the passwords to an e-mail account
4. Spreads, causing significant network traffic

Best Practices for Protection/Recommendations:

In order to best counter this threat, Entercept suggests the following:
1. Set your "sa" SQL Server account password. The worm spreads on computers that have a blank SQL administrator password.
2. Ensure you are running the most current Entercept agent (3/19) to stop confidential information from being sent to the attacker and to stop the spread of the worm.
3. Using Entercept, set the "User added to administrator Group" rule, security ID=991, to "red" or protect. This will prevent the infection of an uninfected box.
4. Filter outgoing e-mail messages that have subjects beginning with "SystemData-".
5. Filter incoming and outgoing TCP port 1433 requests at the firewall.
6. Filter the e-mail destination address. The worm e-mails the password file and SQL Server data information to ixltd@postone.com.

Information Resources
-- SANS Institute's Incident Response Center - http://www.incidents.org/index.php
-- Microsoft (MSFT) Security Bulletin MS02-020, SQL Extended Procedure Functions Contain Unchecked Buffers (Q319507): http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-020.asp (Due to the length of this URL, it may be necessary to copy and paste this hyperlink into your Internet browser's URL address field.)

DISCLAIMER STATEMENT: The information in this bulletin is provided by Entercept Security Technologies, Inc. ("Entercept") and is intended to provide information on a particular security issue or incident. Given that each exploitation technique is unique, Entercept makes no claim to prevent any specific exploit related to the vulnerability discussed in this bulletin. Entercept expressly disclaims any and all warranties with respect to the information provided in this bulletin, express or implied or otherwise, including, but not limited to, warranty of fitness for a particular purpose. Under no circumstances may this information be used to exploit vulnerabilities in any other environment.

About Entercept Security Technologies

Entercept Security Technologies is the proven leader in intrusion prevention software. Based on patented technology, Entercept safeguards the entire server by preventing known and unknown malicious attacks.
Unlike other security solutions, Entercept uses a combination of behavioral rules and signatures to proactively prevent attacks rather than merely detecting and reporting them after they occur. Strategic partners include Cisco, Check Point, Foundstone and other leading companies. Entercept has received numerous awards and industry recognition, including Network Magazine's 2002 and 2001 Product of the Year, Fortune Small Business Magazine's `65 Big Ideas List', SC Magazine's `Best Pick of the Year 2000 and 2001', InfoWorld magazine's `Business Impact of the Year Award', and InfoWorld magazine's Readers Choice `Security Product of the Year'. www.entercept.com

The information provided is identified, assessed and measured by the Entercept Ricochet(TM) security research team, a leading group of security experts dedicated to collecting and evaluating intelligence against server threats.

About Entercept Ricochet(TM)

Entercept's Ricochet team is a specialized group of security researchers dedicated to identifying, assessing, and evaluating intelligence regarding server threats. The Ricochet team researches current and future avenues of attack and builds this knowledge into Entercept's intrusion prevention solution. Ricochet is dedicated to providing critical, viable security content via security advisories and technical briefs. This content is designed to educate organizations and security professionals about the nature and severity of Internet security threats, vulnerabilities and exploits.

Ricochet: Matt Conover/Monty Ijzerman

(c)Entercept Security Technologies. All rights reserved. Entercept and the Entercept logo are trademarks of Entercept Security Technologies. All other trademarks, trade names or service marks are the property of their respective owners.
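Worked example (added to this page; it is not Entercept code and not part of the original advisory): a small Python script that turns the indicators given in the Details and Recommendations sections into detection logic over log data. It flags any source that fans out to many distinct hosts on TCP port 1433 in a short window, which is what the worm's 100-thread scan looks like from a firewall, and it flags outbound mail addressed to ixltd@postone.com or carrying a subject that begins with "SystemData-" (recommendations 4 and 6). The firewall and mail-gateway log formats, the sample log content, and the scan threshold of 20 distinct targets within 60 seconds are all assumptions chosen for illustration; adapt the two regular expressions and the threshold to your own logs.

```python
"""Hunt for the two network-observable SQL Spida / SQLSnake indicators named in
the advisory above: one source fanning out to many hosts on TCP/1433 (the worm
scans with up to 100 threads), and outbound mail to ixltd@postone.com or with a
subject starting "SystemData-".

Added example for this page; it is not Entercept code. The firewall and mail
gateway log formats, the sample log content, and the scan threshold (20 distinct
targets within 60 seconds) are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SQL_PORT = 1433
WORM_MAIL_RECIPIENT = "ixltd@postone.com"   # destination named in the advisory
WORM_SUBJECT_PREFIX = "SystemData-"         # subject prefix named in the advisory

# Assumed log formats:
#   firewall: "<iso-timestamp> <ACTION> <src>:<sport> -> <dst>:<dport>/<proto>"
#   mail:     '<iso-timestamp> from=<addr> to=<addr> subject="..."'
FW_RE = re.compile(
    r"^(\S+) (\w+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)/(\w+)$")
MAIL_RE = re.compile(r'^(\S+) from=<([^>]*)> to=<([^>]*)> subject="([^"]*)"$')


def build_sample_firewall_log():
    """Constructed sample: an infected host scanning 100 targets on 1433 within
    five seconds, a legitimate client repeatedly using one SQL server, and a
    host browsing many web servers (many destinations, but not port 1433)."""
    base = datetime(2002, 5, 23, 10, 0, 0)
    lines = []
    for i in range(100):
        ts = base + timedelta(milliseconds=50 * i)
        lines.append(f"{ts.isoformat()} DENY 10.0.0.5:{3000 + i} -> 192.0.2.{i + 1}:1433/tcp")
    for i in range(30):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} ALLOW 10.0.0.7:{4000 + i} -> 192.0.2.50:1433/tcp")
    for i in range(40):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} ALLOW 10.0.0.8:{5000 + i} -> 198.51.100.{i + 1}:80/tcp")
    return "\n".join(lines)


# Constructed mail-gateway sample: one message matching both indicators, one
# benign message, and one matching only the subject prefix.
SAMPLE_MAIL_LOG = """\
2002-05-23T10:02:11 from=<sa@sqlsrv01.corp.example> to=<ixltd@postone.com> subject="SystemData-SQLSRV01"
2002-05-23T10:03:00 from=<alice@corp.example> to=<bob@corp.example> subject="Lunch?"
2002-05-23T10:04:30 from=<sa@sqlsrv02.corp.example> to=<backup@corp.example> subject="SystemData-SQLSRV02"
"""


def parse_firewall(text):
    """Return a list of (timestamp, src, dst, dport, proto) for each well-formed line."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        ts, _action, src, _sport, dst, dport, proto = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return events


def find_sql_scanners(events, window=timedelta(seconds=60), threshold=20):
    """Map each source that contacted >= `threshold` distinct hosts on tcp/1433
    inside any `window` to the largest such fan-out seen. Denied connections
    still count: the scan itself is the indicator, not its success."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto in events:
        if dport == SQL_PORT and proto == "tcp":
            by_src[src].append((ts, dst))
    scanners = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # slide the window so that hits[start:end+1] spans at most `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in hits[start:end + 1]})
            if distinct >= threshold:
                scanners[src] = max(scanners.get(src, 0), distinct)
    return scanners


def find_worm_mail(text):
    """Flag messages matching the advisory's mail indicators (recommendations 4 and 6)."""
    findings = []
    for line in text.splitlines():
        m = MAIL_RE.match(line)
        if not m:
            continue
        ts, sender, rcpt, subject = m.groups()
        reasons = []
        if rcpt.lower() == WORM_MAIL_RECIPIENT:
            reasons.append("recipient")
        if subject.startswith(WORM_SUBJECT_PREFIX):
            reasons.append("subject")
        if reasons:
            findings.append({"time": ts, "from": sender, "to": rcpt,
                             "subject": subject, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for src, fanout in find_sql_scanners(parse_firewall(build_sample_firewall_log())).items():
        print(f"possible SQL worm scanner {src}: {fanout} distinct hosts on tcp/1433")
    for f in find_worm_mail(SAMPLE_MAIL_LOG):
        print(f"worm mail indicator ({', '.join(f['reasons'])}): {f['from']} -> {f['to']} {f['subject']!r}")
```

Run against the constructed sample, the script reports 10.0.0.5 with 100 distinct targets on port 1433 and leaves the legitimate database client (one destination, many connections) and the web-browsing host (many destinations, port 80) alone; the mail check flags the message to ixltd@postone.com on both recipient and subject, and the internal "SystemData-" message on subject alone. The subject-prefix rule is deliberately kept separate from the recipient rule so that a copy of the worm that mails a different address still trips the subject filter, which is the point of recommendation 4.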