News

SQL Worm Circulating

• By Scott Bekker
• 05/22/2002

The worm is known in some places as SQL Snake and in others as SQL Spida. It scans Port 1433, which is used by SQL Server, for Microsoft databases with null passwords. It infects those systems, e-mails password and configuration information to an external address and uses the infected system as a host to scan for more systems. While no damaging payload is apparently associated with the worm, it can create a denial of service scenario by overwhelming networks with scanning traffic.

"The scanner bundled with the worm is multi-threaded and is capable of scanning with 100 threads. A large amount of network traffic is created by the worm, which scans both internal and external IP addresses for vulnerable servers," ISS' X-Force noted in a post to the Bugtraq security mailing list.

Although the vulnerability is similar in some ways to Code Red and Nimda, the potential for mass havoc is considerably less given that there are far fewer SQL Server systems exposed to the Web than Internet Information Server/Services systems.

Microsoft posted a page with information to help SQL Server administrators prevent the problem at http://www.microsoft.com/security/security_bulletins/ms02020_sql.asp.

Microsoft pointed out that it recommends that users immediately change the "SA" password in SQL Server when they configure the database, although the problem emphasizes the need for more secure default configurations such as those planned for IIS 6.0 when Windows .NET Server ships.

Microsoft took the opportunity to remind SQL Server administrators to install a SQL Server patch the software company issued last month, although some security experts say there is little evidence the current problem exploits the patched vulnerability.

The SANS Institute's Internet Storm Center reported an explosion in the number of hosts scanning Port 1433 starting Monday and multiplying on Tuesday. Microsoft's recommendations include shutting down the port if possible.