Application Security Inc. - Database Security, Monitoring, Assessment, Auditing, Encryption, and Regulatory Compliance.

Team SHATTER Security Alert

Microsoft SQL Server: Spida Worm

To determine if you are vulnerable or have been compromised by this attack, download AppDetective™ for Microsoft SQL Server from http://www.appsecinc.com/products/appdetective/mssql

Risk level: High

Summary: A worm has been found in the wild attacking all versions of Microsoft SQL Servers on port 1433.

The Spida worm is a self-propagating attack program that discovers SQL Server on the default port 1433. Once found it attempts to connect to sa with a blank password. If successful, it takes control of the machine, collects sensitive information on the local server, and attempts to propagate to other SQL Servers.

The Spida worm propagates across a network through Microsoft SQL Server itself: it attacks SQL Servers listening on port 1433 and connects using the default password for the sa login, which is blank. On SQL Server 7.0, the sa password was blank by default.

After connecting to the server using the privileged sa login, the worm uses the extended stored procedure xp_cmdshell to upload a series of files to the operating system. Once the files are uploaded, the file sqlprocess.js is executed. This JavaScript file installs timer.dll to allow the worm to sleep.

The worm makes a copy of regedt32.exe to mark this server as infected, so that other copies of the worm do not reinfect it. The worm then saves details of target machines to the file send.txt, along with the output of pwdump2.exe, which extracts the Windows password hashes from the SAM database. The worm also extracts sensitive information from the database. After extracting the information, send.txt is emailed to ixldt@postone.com using the file clemail.exe.

The server will appear as infected if one of the following files is found:

%SYSTEM%\sqlprocess.js
%SYSTEM%\sqlexec.js
%SYSTEM%\sqldir.js
%SYSTEM%\run.js
%SYSTEM%\sqlinstall.bat
%SYSTEM%\clemail.exe
%SYSTEM%\pwdump2.exe
%SYSTEM%\samdump.dll
%SYSTEM%\timer.dll
%SYSTEM%\drivers\services.exe

The worm is not destructive, but it does consume network resources and compromises the security of both the operating system and SQL Server. SQL Server administrators who use a strong password for the sa login will not be compromised.

References:
http://www.incidents.org/diary/diary.php?id=157
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q313418
http://www.incidents.org/diary/diary.php?id=156

Fix: To disinfect the machine from the Spida worm, take the following steps:

  1. Disable the Windows account 'guest' using the command "net user guest /active:no".
  2. Delete the 'guest' account from the Windows 'Administrators' group using the command "net localgroup Administrators guest /delete".
  3. Delete the 'guest' account from the Windows 'Domain Admins' group using the command "net group "Domain Admins" guest /delete".
  4. Unregister the file timer.dll using the command "regsvr32 /u timer.dll".
  5. Change the following files to not be hidden:
    • %SYSTEM%\sqlprocess.js
    • %SYSTEM%\sqlexec.js
    • %SYSTEM%\sqldir.js
    • %SYSTEM%\run.js
    • %SYSTEM%\sqlinstall.bat
    • %SYSTEM%\clemail.exe
    • %SYSTEM%\pwdump2.exe
    • %SYSTEM%\samdump.dll
    • %SYSTEM%\timer.dll
    • %SYSTEM%\drivers\services.exe
  6. Delete the files listed above.
  7. It is also recommended that you reboot the operating system to ensure all programs resident in memory have been removed.
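The following PowerShell script is an added example, not part of the advisory or of any AppSec Inc product. It ties together the two checklists above: it audits a host for the indicator files listed under "The server will appear as infected", and only when run with -Remediate does it apply the seven clean-up steps of the Fix section using the advisory's own commands. The audit/remediate split, the parameter names, and the assumption that %SYSTEM% is the Windows System32 directory are this example's own; the file names and net/regsvr32 commands are taken from the advisory. Run it from an elevated (Administrator) prompt.

```powershell
<#
  Added example (not from the advisory): audit a Windows host for the Spida
  indicator files and, with -Remediate, apply the advisory's clean-up steps.
  Assumption: %SYSTEM% in the advisory means the Windows system directory
  (System32). Run from an elevated PowerShell prompt.
#>
param(
    [switch]$Remediate,
    [string]$SystemDir = [Environment]::GetFolderPath('System')
)

# Indicator files from the advisory, relative to %SYSTEM%
$IndicatorFiles = @(
    'sqlprocess.js', 'sqlexec.js', 'sqldir.js', 'run.js', 'sqlinstall.bat',
    'clemail.exe', 'pwdump2.exe', 'samdump.dll', 'timer.dll', 'drivers\services.exe'
)

function Get-SpidaIndicators {
    param([string]$Dir, [string[]]$Files)
    # Return the full path of every indicator file that exists.
    # -Force is required because the worm marks its files hidden.
    foreach ($f in $Files) {
        $path = Join-Path $Dir $f
        if (Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue) { $path }
    }
}

$found = @(Get-SpidaIndicators -Dir $SystemDir -Files $IndicatorFiles)
if ($found.Count -eq 0) {
    Write-Output "No Spida indicator files found under $SystemDir"
} else {
    Write-Output "Spida indicator files present (treat this host as infected):"
    $found | ForEach-Object { Write-Output "  $_" }
}

# Audit the guest account state that fix steps 1-3 reset
Write-Output "Guest account status:"
net user guest | Select-String 'Account active'
Write-Output "Local Administrators group members:"
net localgroup Administrators

if (-not $Remediate) {
    Write-Output "Audit only. Re-run with -Remediate to apply the advisory's clean-up steps."
    return
}

# Steps 1-3: disable guest and remove it from the admin groups (advisory commands)
net user guest /active:no
net localgroup Administrators guest /delete
# The advisory's command; it errors harmlessly on a host that is not a domain controller
net group "Domain Admins" guest /delete

# Step 4: unregister the worm's timer.dll (/s suppresses the dialog box)
$timerDll = Join-Path $SystemDir 'timer.dll'
if (Test-Path -LiteralPath $timerDll) { regsvr32 /u /s $timerDll }

# Steps 5-6: clear the hidden/system/read-only attributes, then delete each file
foreach ($path in $found) {
    attrib -h -s -r $path
    Remove-Item -LiteralPath $path -Force
    Write-Output "Deleted $path"
}

# Step 7: the advisory recommends a reboot to clear resident worm processes
Write-Output "Clean-up applied. Reboot the host to complete removal (step 7)."
```

Run it once without -Remediate to see what would be touched; the audit output is also a convenient record for the incident ticket. Because the script lists the files before deleting them, `services.exe` is only removed from the `drivers` subdirectory named in the advisory, never from System32 itself.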

Affected versions: All versions of Microsoft SQL Server