Microsoft SQL Server: Spida Worm
To determine if you are vulnerable or have been compromised by this
attack, download AppDetective™ for Microsoft SQL Server from
http://www.appsecinc.com/products/appdetective/mssql
Risk level: High
Summary:
A worm has been found in the wild attacking all versions of Microsoft
SQL Server on port 1433.
The Spida worm is a self-propagating attack program that discovers SQL
Servers listening on the default port 1433. Once it finds one, it
attempts to connect as the sa login with a blank password. If
successful, it takes control of the machine, collects sensitive
information from the local server, and attempts to propagate to other
SQL Servers.
The Spida worm uses Microsoft SQL Server to propagate across a network.
It attacks Microsoft SQL Servers on port 1433 by connecting with a
blank password for the sa login; on SQL Server 7.0, the sa password was
blank by default.
After connecting to the server using the privileged sa login, the worm
uses the extended stored procedure xp_cmdshell to upload a series of
files to the operating system. Once the files are uploaded, the file
sqlprocess.js is executed. This JavaScript file installs timer.dll to
allow the worm to sleep.
The worm makes a copy of regedt32.exe to mark this server as infected to
prevent other copies of the worm from reinfecting this server. The worm
then saves details of target machines to the file send.txt along with
the output of pwdump2.exe which extracts the Windows password hashes
from the SAM database. The worm also extracts sensitive information from
the database. After extracting the information, send.txt is emailed to
ixldt@postone.com using the file clemail.exe.
The server should be considered infected if any of the following files
is found:
%SYSTEM%\sqlprocess.js
%SYSTEM%\sqlexec.js
%SYSTEM%\sqldir.js
%SYSTEM%\run.js
%SYSTEM%\sqlinstall.bat
%SYSTEM%\clemail.exe
%SYSTEM%\pwdump2.exe
%SYSTEM%\samdump.dll
%SYSTEM%\timer.dll
%SYSTEM%\drivers\services.exe
The worm is not destructive, but it does consume network resources and
compromises the security of the operating system and SQL Server. SQL
Server administrators who use a strong password for the sa login will
not be compromised.
References:
http://www.incidents.org/diary/diary.php?id=157
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q313418
http://www.incidents.org/diary/diary.php?id=156
Fix:
To disinfect the machine from the Spida worm, take the following steps:
- Disable the Windows account 'guest' using the command "net user guest
/active:no".
- Delete the 'guest' account from the Windows 'Administrators' group
using the command "net localgroup Administrators guest /delete".
- Delete the 'guest' account from the Windows 'Domain Admins' group
using the command 'net group "Domain Admins" guest /delete'.
- Unregister the file timer.dll using the command "regsvr32 /u
timer.dll".
- Clear the hidden attribute on the following files so they can be
deleted:
- %SYSTEM%\sqlprocess.js
- %SYSTEM%\sqlexec.js
- %SYSTEM%\sqldir.js
- %SYSTEM%\run.js
- %SYSTEM%\sqlinstall.bat
- %SYSTEM%\clemail.exe
- %SYSTEM%\pwdump2.exe
- %SYSTEM%\samdump.dll
- %SYSTEM%\timer.dll
- %SYSTEM%\drivers\services.exe
- Delete the files listed above.
- It is also recommended that you reboot the operating system to ensure
all programs resident in memory have been removed.
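An added check covering both the indicator file list in the summary and the unhide-then-delete steps above (example code written for this page, not part of the original advisory or of AppDetective): it scans %SYSTEM%, assumed here to be %SystemRoot%\system32, for the ten listed files and reports which are present and which still carry the hidden attribute, so an administrator can confirm an infection or verify that the cleanup finished. The function names are my own.

```python
import os
import stat
import sys

# File names the advisory lists as indicators, relative to %SYSTEM%
# (assumed to be the Windows system32 directory).
SPIDA_INDICATORS = (
    "sqlprocess.js",
    "sqlexec.js",
    "sqldir.js",
    "run.js",
    "sqlinstall.bat",
    "clemail.exe",
    "pwdump2.exe",
    "samdump.dll",
    "timer.dll",
    os.path.join("drivers", "services.exe"),
)


def is_hidden(path):
    """True if the Windows hidden attribute is set; always False elsewhere."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def find_spida_indicators(system_dir):
    """Return [(path, hidden)] for each indicator file present under system_dir.
    isfile() ignores the hidden attribute, so hidden copies are found too."""
    found = []
    for name in SPIDA_INDICATORS:
        path = os.path.join(system_dir, name)
        if os.path.isfile(path):
            found.append((path, is_hidden(path)))
    return found


def default_system_dir():
    """%SYSTEM% on a live host: %SystemRoot%\\system32 (assumed default)."""
    return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else default_system_dir()
    hits = find_spida_indicators(target)
    for path, hidden in hits:
        print("FOUND %s%s" % (path, " (hidden)" if hidden else ""))
    print("%d of %d Spida indicator files present under %s" % (len(hits), len(SPIDA_INDICATORS), target))
    sys.exit(1 if hits else 0)  # non-zero exit flags a possible infection
```

Pass a directory argument to scan an offline copy of system32; on a non-Windows host the hidden flag is always reported as clear, and file-name case must then match exactly, since only Windows filesystems are case-insensitive.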
Affected versions:
All versions of Microsoft SQL Server