Friday, July 30 2010
© 2010 Online Security
All rights reserved.

 
SUCCESS STORIES 

Posted: 02/01/2003
SQL worm exposes significant Microsoft
While the SQL worm primarily affects Windows 2000 Server, there are numerous reports that users of Windows XP are experiencing even more significant problems. As a result of the current global Internet attack, many Windows XP users who have had to re-activate their systems after adding new hardware or changing their system configuration have been unable to do so: re-activation requires a 'link up' to the Microsoft servers to obtain the authorization key, and reports are that none have been able to complete it. This has left an unknown number of Windows XP users unable to start their machines or perform any tasks on their computers. For at least the last 12 hours the SQL servers at Microsoft Corporation that manage and control the online "re-activation" hashes (which Microsoft uses to control pirated or unlicensed copies of its software) have been "not available".

Reports indicate that Microsoft does not have a contingency plan for this type of system failure and is not currently in a position to distribute temporary or new activation keys to the affected customer base. Industry analysts have commented that, had the propagators of this worm actually wanted to inflict maximum damage on the computing community or the world economy, the release would have taken place on a Monday rather than a Saturday.

Several security professionals have nevertheless expressed concern over this Microsoft "weak link", namely the unavailability of the Microsoft SQL servers and the absence of a contingency plan during the course of the attack, and have commented on the potential for financial or infrastructure degradation if Windows XP machines cannot be brought back online immediately.

Details of the SQL Worm

Also known as: Microsoft SQL Spida Worm Propagation, Digispid.B.Worm, and SQLSnake

A new Internet worm is targeting Microsoft SQL servers. Remote probes of TCP port 1433, which is the default port used by Microsoft's SQL database, have been reported. According to the SANS Institute, the worm, which is written in JavaScript, gains SQL administrator access and allows the hacker to execute commands, which include reading and writing files, as well as executing code.

Ports Affected: TCP port 1433 (the SANS Institute lists port 1433 among the top five ports under attack)
Note

SQL Server 7 is, by default, configured to run without an administrator password. Using TCP port 1433 as a gateway, the worm modifies the "sa" user password, extracts the password file, and forces the machine to scan for additional targets using as many as 100 threads. The SQL worm then e-mails a list of passwords captured from the victim server to a free e-mail account hosted in Singapore.


Primary Characteristics
1. Changes the "sa" user password to a random value
2. Runs PWDUMP2 to extract passwords
3. Sends the passwords to an e-mail account
4. Spreads, causing significant network traffic


Recommendations:
In order to best counter this threat, Entercept suggests the following:
1. Set your "sa" SQL Server account password. The worm spreads to computers that have a blank SQL administrator password.
2. Ensure you are running the most current Entercept agent (3/19) to stop:
a. confidential information from being sent to the hacker
b. the spread of the worm
3. Using Entercept, set the "User added to administrator Group" rule, security ID=991, to "red" or protect. This will prevent the infection of an uninfected box.
4. Filter outgoing e-mail messages whose subjects begin with "SystemData-".
5. Firewall filtering of incoming/outgoing port 1433 requests.
6. Filter on e-mail destination address. The worm e-mails the password file and SQL server data information to ixltd@postone.com.


Resources:
- SANS Institute's Incident Response Center -

An infected computer can be identified by the presence of the following characteristics:
- The presence of some or all of these files:
  - %System32%\Drivers\Services.exe
  - %System32%\Sqlexec.js
  - %System32%\Clemail.exe
  - %System32%\Sqlprocess.js
  - %System32%\Sqlinstall.bat
  - %System32%\Sqldir.js
  - %System32%\Run.js
  - %System32%\Timer.dll
  - %System32%\Samdump.dll
  - %System32%\Pwdump2.exe
- Many outgoing port 1433 requests
- Increased Internet traffic
- E-mails the operating system user passwords and SQL server data information to "ixltd@postone.com"
- The SQL server "sa" password will be changed
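The two network-side indicators above (bursts of outbound TCP/1433 connections and the "SystemData-" / ixltd@postone.com mail) can be checked from perimeter logs. The following is an added example, not part of the original advisory; the firewall and mail-relay log formats are assumed (hypothetical layouts, adjust the regexes to your own logs) and the log lines are constructed samples.

```python
import re

# Constructed sample log lines (not from the advisory): a perimeter firewall
# log of outbound TCP connections and a mail relay log of outgoing messages.
FIREWALL_LOG = """\
2003-01-25 10:00:01 ALLOW TCP 10.1.2.3 -> 64.12.5.7:1433
2003-01-25 10:00:01 ALLOW TCP 10.1.2.3 -> 64.12.5.8:1433
2003-01-25 10:00:01 ALLOW TCP 10.1.2.3 -> 64.12.5.9:1433
2003-01-25 10:00:02 ALLOW TCP 10.1.2.3 -> 64.12.5.10:1433
2003-01-25 10:00:02 ALLOW TCP 10.1.2.3 -> 64.12.5.11:1433
2003-01-25 10:00:05 ALLOW TCP 10.1.2.9 -> 10.1.2.20:1433
2003-01-25 10:00:07 ALLOW TCP 10.1.2.9 -> 10.1.2.21:80
"""
SMTP_LOG = """\
2003-01-25 10:01:00 from=<admin@example.test> to=<ixltd@postone.com> subject="SystemData-10.1.2.3"
2003-01-25 10:02:00 from=<bob@example.test> to=<alice@example.test> subject="lunch?"
"""

# Assumed (hypothetical) log layouts: "<date> <time> <action> TCP <src> -> <dst>:<port>"
# and "... to=<rcpt> subject="..."". Adjust to your own log formats.
FW_RE = re.compile(r"^\S+ \S+ \w+ TCP (\S+) -> (\S+):(\d+)$")
SMTP_RE = re.compile(r'to=<([^>]+)> subject="([^"]*)"')


def scanning_hosts(log: str, threshold: int = 5) -> dict:
    """Map source IP -> number of distinct hosts it contacted on TCP/1433,
    keeping only sources at or above `threshold` (the "many outgoing port
    1433 requests" indicator; the worm scans with up to 100 threads)."""
    targets = {}
    for line in log.splitlines():
        m = FW_RE.match(line)
        if m and m.group(3) == "1433":
            targets.setdefault(m.group(1), set()).add(m.group(2))
    return {ip: len(t) for ip, t in targets.items() if len(t) >= threshold}


def exfil_messages(log: str) -> list:
    """Return mail log lines matching either exfiltration indicator from the
    advisory: a subject beginning with "SystemData-" or the recipient
    ixltd@postone.com."""
    hits = []
    for line in log.splitlines():
        m = SMTP_RE.search(line)
        if not m:
            continue
        rcpt, subject = m.group(1).lower(), m.group(2)
        if subject.startswith("SystemData-") or rcpt == "ixltd@postone.com":
            hits.append(line)
    return hits
```

On the constructed sample, 10.1.2.3 is reported (five distinct 1433 targets) while 10.1.2.9 is not, and only the "SystemData-" message is flagged.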

Technical Details of How the Worm Works


When Digispid.B.Worm is executed on a vulnerable computer, it does the following:

It copies the following files to the hard disk:
- System32\Drivers\Services.exe
  This is a port scanner that the worm uses to locate vulnerable computers.
- System32\Sqlexec.js
  This is a JavaScript file that the worm uses to execute command-line functions on the remote computer.
- System32\Clemail.exe
  This is a command-line e-mail utility. The worm uses this program to send the IP address and SQL information by e-mail to the virus writer.
- System32\Sqlprocess.js
  This is a JavaScript file that performs the worm functionality. It does the following:

It adds the values

ImagePath %COMSPEC% /c start netdde && sqlprocess init
Start 2

to the registry key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetDDE

It adds the value

dsquery dbmssocn

to the registry key

HKEY_LOCAL_MACHINE\software\microsoft\mssqlserver\client\connectto

It copies the file

%SystemRoot%\System32\Regedt32.exe

to

%SystemRoot%\Regedt32.exe

It deletes the file %SystemRoot%\System32\Msver241.srq

The JavaScript sends the IP address and SQL table and row information to the virus writer. It also searches for vulnerable computers on networks whose IP addresses do not begin with 10, 127, 172, or 192. When it finds a vulnerable computer, it executes System32\Sqlinstall.bat, which installs the worm onto the remote computer.
- System32\Sqlinstall.bat
  This .bat file activates the guest user account, sets the guest user account password to a string of four random characters, and adds the guest account to the Administrators and Domain Admins groups.

  It then searches for the presence of System32\Cscript.exe. If it finds the file, it checks whether the worm has already copied %SystemRoot%\System32\Regedt32.exe to %SystemRoot%\Regedt32.exe. If so, the .bat file exits. Otherwise it copies the following files to the default system share of the remote computer:
  System32\Drivers\Services.exe
  System32\Sqlexec.js
  System32\Clemail.exe
  System32\Sqlprocess.js
  System32\Sqlinstall.bat
  System32\Sqldir.js
  System32\Run.js
  System32\Timer.dll
  System32\Samdump.dll
  System32\Pwdump2.exe

  After it copies these files, it changes the remote SQL administrator password to a string of four random characters. It then triggers the remote computer to execute Sqlprocess.js.
- System32\Sqldir.js
  This is a JavaScript file that the worm uses to collect table and row information from the SQL Server.
- System32\Run.js
  This is a JavaScript file that the worm uses to trigger the remote computers to execute the worm.
- System32\Timer.dll
  This is a .dll file that the worm registers on the infected system. It is a simple timer program.
- System32\Samdump.dll
  This is a .dll file that the worm copies to infected computers. It does not appear to perform malicious actions on its own.
- System32\Pwdump2.exe
  This is a file that the worm uses to attempt to steal the infected computer's passwords.

After the worm copies the preceding files, it changes the SQL administrator password to a string of four random characters.
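The registry changes described above (the rewritten NetDDE service entry and the dsquery value under the MSSQL client connectto key) survive in an offline registry export and can be checked without touching the live system. The following is an added example, not part of the original advisory; it parses a .reg export, and the SAMPLE_REG text is a constructed sample built from the values the advisory lists.

```python
# Constructed sample of a registry export (.reg text), not taken from a real
# system: the NetDDE service entry as the worm rewrites it, plus the MSSQL
# client alias value. A real export is produced with "regedit /e".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetDDE]
"ImagePath"="%COMSPEC% /c start netdde && sqlprocess init"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\mssqlserver\client\connectto]
"dsquery"="dbmssocn"
"""

NETDDE_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetDDE"
CONNECTTO_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\mssqlserver\client\connectto"


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key_path_lowercased: {value_name_lowercased: data}}.
    Only the simple '"name"=data' lines are handled (enough for this check)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, data = line[1:].split('"=', 1)
            keys[current][name.lower()] = data.strip('"')
    return keys


def digispid_indicators(reg_text: str) -> list:
    """Return the persistence indicators from the advisory that are present in
    the export. The ImagePath launching sqlprocess is the strong signal; the
    Start=2 and dsquery=dbmssocn values are weak on their own and are listed
    so the reviewer can see the full picture."""
    keys = parse_reg(reg_text)
    found = []
    netdde = keys.get(NETDDE_KEY.lower(), {})
    if "sqlprocess" in netdde.get("imagepath", "").lower():
        found.append("NetDDE ImagePath launches sqlprocess")
    if netdde.get("start", "") == "dword:00000002":
        found.append("NetDDE Start=2 (automatic)")
    if keys.get(CONNECTTO_KEY.lower(), {}).get("dsquery", "").lower() == "dbmssocn":
        found.append("mssqlserver connectto dsquery=dbmssocn")
    return found
```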
 