ISS X-Force has learned of a worm that is spreading via Microsoft SQL Server installations. At the time of this alert's publication, the Spida worm is responsible for large amounts of Internet traffic and millions of TCP probes against port 1433. The worm attempts to locate MS SQL servers and log in to them with the "sa" account and a blank password. Once it finds a vulnerable host, it infects the target, sends the host's network configuration and password hashes to an external address, and begins scanning for new targets.
Credit:
The information has been provided by X-Force.
Impact:
Although the Spida worm does not damage the infected host (it does, however, export the host's password hashes, as described below), it can generate a damaging level of network traffic when it scans for additional targets. The scanner bundled with the worm is multi-threaded and can run with 100 threads. The worm scans both internal and external IP addresses for vulnerable servers, producing a large amount of traffic on TCP port 1433.
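The scanning behaviour above (one source touching a large number of distinct hosts on port 1433 in a short time) is easy to pick out of perimeter logs. The following is an added example, not part of the X-Force advisory. It reads firewall log lines in a constructed, hypothetical format ("<epoch> <src> -> <dst>:<dport>") and reports sources whose fan-out on port 1433 within a sliding window exceeds a threshold; the window and threshold values are assumptions chosen for the sample, not values taken from the worm.

```python
"""Flag hosts sweeping TCP/1433 the way the Spida scanner does.

Added example, not part of the original advisory. Log format, window and
threshold are assumptions for this sample."""
from collections import defaultdict, deque

SQL_PORT = 1433
WINDOW_SECONDS = 60      # assumption: one-minute sliding window
MIN_DISTINCT_DSTS = 20   # assumption: a normal client rarely touches 20 SQL hosts/minute

# Constructed sample: 10.0.0.5 fans out across a /24 (the worm's scanner),
# 10.0.0.9 is an ordinary application server talking to two databases.
SAMPLE_LOG = "\n".join(
    [f"{1000 + i} 10.0.0.5 -> 192.168.1.{i}:1433" for i in range(1, 31)]
    + ["1010 10.0.0.9 -> 192.168.1.50:1433",
       "1020 10.0.0.9 -> 192.168.1.50:1433",
       "1030 10.0.0.9 -> 192.168.1.51:1433",
       "1040 10.0.0.5 -> 192.168.1.200:80"]
)


def parse_line(line):
    """Return (ts, src, dst, dport) for a well-formed line, else None."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "->":
        return None
    try:
        ts = int(parts[0])
        dst, dport = parts[3].rsplit(":", 1)
        return ts, parts[1], dst, int(dport)
    except ValueError:
        return None


def find_sweepers(log_text, window=WINDOW_SECONDS, threshold=MIN_DISTINCT_DSTS):
    """Return {src: peak distinct 1433 destinations} for sources over threshold."""
    events = sorted(e for e in map(parse_line, log_text.splitlines()) if e)
    recent = defaultdict(deque)   # src -> deque of (ts, dst) inside the window
    peak = {}
    for ts, src, dst, dport in events:
        if dport != SQL_PORT:
            continue                # only SQL Server probes count toward fan-out
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()             # expire events older than the window
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            peak[src] = max(peak.get(src, 0), distinct)
    return peak


if __name__ == "__main__":
    for src, n in find_sweepers(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct SQL hosts within {WINDOW_SECONDS}s")
```

Distinct destinations, not connection count, is the right measure: a busy application server repeats connections to the same few databases, while the worm's scanner hits each address once. Tune the threshold against a baseline of your own 1433 traffic before alerting on it.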
Description:
The Spida worm propagates via Microsoft SQL Server installations whose administrative "sa" login has no password. Although Microsoft recommends that a password be assigned to the "sa" account at installation, many servers are left with it blank. When the worm finds a vulnerable server, it runs its installation script through the "xp_cmdshell" extended stored procedure, which executes operating-system commands from within a SQL query with the privileges of the SQL Server service account.
The worm's main function is to dump the infected server's SAM password hashes and mail them out together with information about the host's network and database configuration.
The worm installs all of its files into the \Windows\system32 directory except for services.exe, which is installed into \Windows\system32\drivers (the name mimics the legitimate Windows services.exe, which lives in system32 itself). Each file has a distinct function, outlined below:
sqlprocess.js - The worm's main payload. It holds the IP address ranges later used by the services.exe scanner. It executes "ipconfig /all" and appends the output to send.txt, runs sqldir.js and appends the list of the server's databases to send.txt, then executes pwdump2 and appends the password hashes to send.txt. Finally it runs clemail.exe to mail send.txt to ixltd@postone.com.
After the email is sent, send.txt is deleted and services.exe is run to scan for other vulnerable servers. The addresses found are appended to rdata.txt, which the worm then uses to attempt propagation with the username "sa" and a null password. sqlprocess.js also sets the client network library registry value HKLM\Software\Microsoft\MSSQLServer\Client\ConnectTo\DSQUERY to DBMSSOCN, so that the local SQL client library connects over Winsock TCP/IP instead of the default DBNETLIB selection.
It also starts the NetDDE service, allowing SQL Server to use the DDE protocol.
sqlexec.js - Script used by sqlprocess.js to call xp_cmdshell on a target; sqlinstall.bat is run within that xp_cmdshell invocation.
sqldir.js - Collects the list of databases on the infected system; sqlprocess.js later writes this list into send.txt for mailing to ixltd@postone.com.
run.js - Passes timing information to and from timer.dll.
sqlinstall.bat - Installs the worm and then hides its files.
clemail.exe - Simple command-line mailer used to send the send.txt file.
services.exe - Scanner used by the worm to find other SQL servers listening on port 1433. Results are appended to rdata.txt. The scanner is multi-threaded and sweeps internal IP addresses before performing an external IP address sweep.
pwdump2.exe - Injects samdump.dll into lsass.exe (the Windows process that authenticates log-on credentials) in order to read the raw LM and NT password hashes.
samdump.dll - Uses the same internal API as msv1_0.dll (the Windows NTLM authentication package) to read the password hashes.
timer.dll - A counter used for installation and other timing functions of the worm.
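The file list above shows what the worm's outbound mail contains: ipconfig output, the database list and pwdump2 output. pwdump2 prints one line per account in the form "user:RID:LMhash:NThash:::", and that format is a reliable indicator of a SAM dump leaving the network through a mail gateway. The following is an added example, not code from the advisory or from the worm. It scans a message body for pwdump-format lines and summarises what was exposed. The message is constructed sample data; the two 32-hex-digit values used for Administrator and Guest are the well-known LM and NT hashes of an empty password, not real account material.

```python
"""Detect pwdump2-style SAM dumps in outbound mail bodies.

Added example, not part of the advisory. The sample message is constructed."""
import re

# pwdump2 line format: user:RID:LMhash:NThash:::  (each hash is 32 hex digits)
PWDUMP_LINE = re.compile(
    r"^(?P<user>[^:\r\n]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::\s*$",
    re.MULTILINE,
)
# Well-known hashes of the empty password (LM and NT respectively).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample resembling the worm's send.txt as mailed out.
SAMPLE_MESSAGE = """\
From: sqlsrv01@example.internal
To: ixltd@postone.com
Subject: send.txt

Windows 2000 IP Configuration
   Host Name . . . . . . . . . . . . : sqlsrv01
master
model
Northwind
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1003:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
"""


def extract_hashes(body):
    """Return [(user, rid, lm, nt)] for every pwdump-format line in body."""
    return [(m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower())
            for m in PWDUMP_LINE.finditer(body)]


def classify(body, min_accounts=1):
    """Summarise why a message looks like a SAM dump; empty dict if clean."""
    rows = extract_hashes(body)
    if len(rows) < min_accounts:
        return {}
    return {
        "accounts": len(rows),
        # built-in accounts have RIDs below 1000 (500 = Administrator, 501 = Guest)
        "privileged_rids": sorted(r for _, r, _, _ in rows if r < 1000),
        # accounts whose hashes equal the empty-password values
        "blank_password": sorted(u for u, _, lm, nt in rows
                                 if lm == EMPTY_LM and nt == EMPTY_NT),
    }


if __name__ == "__main__":
    print(classify(SAMPLE_MESSAGE))
```

Matching on the full line shape (numeric RID plus two 32-hex-digit fields terminated by ":::") keeps false positives low; a bare 32-hex-digit pattern would also fire on MD5 checksums in ordinary mail. Because the worm sends the dump in clear text, the same check works on a network tap of port 25 as well as at the gateway.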
Recommendations:
Microsoft SQL Server customers should refer to the following address for information on securing Microsoft SQL Server: http://www.microsoft.com/sql/techinfo/administration/2000/security.asp. At a minimum, assign a strong password to the "sa" login, restrict or remove xp_cmdshell, and do not expose TCP port 1433 to untrusted networks.