FYI

  • From: "Kingery, Mark" <Mark.Kingery@xxxxxxxxxxxxxx>
  • To: "'isalist@xxxxxxxxxxxxx'" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 26 Nov 2001 12:54:59 -0600

A known vulnerability in Microsoft SQL server systems is being targeted by a
hybrid worm that combines a distributed denial of service attack (DDoS) with
the automated propagation techniques used by worms such as Code Red. 
U.S.-based security company SecurityFocus noticed a rapidly growing network
of controlled agents known as bots on Tuesday, which reportedly increased by
600 percent in the space of six hours. The bots were being used to launch
DDoS attacks on systems wrongly configured with Microsoft SQL Server
software. 

Mark Read, security analyst at MIS Corporate Defence Solutions, said, "When
you install SQL, at no point does it ask you for an administrator username
and password -- this is installed as standard, and once it is up and running
the password still remains blank." He added, "If the SQL server is
accessible from the Internet, people can log in using a blank password and
have full access to the database, as well as the underlying operating
system."

SecurityFocus said the hybrid tool has been named "Voyager Alpha Force", and
is human controlled through Internet Relay Chat (IRC) communications. The
bots are set up on a password-protected IRC channel, where they monitor any
conversations taking place. A DDoS attack is launched when an attacker logs
onto the channel and types in a command, which is then recognised and acted
upon by the bots. Affected servers will then scan netblocks for other
vulnerable SQL servers on port 1433, and will try to log on and run the
malicious code.

Voyager Alpha Force is unlikely to cause the same scale of damage as
inflicted by Code Red and Nimda, because SQL Server is not as widely used as
Microsoft IIS Server, which those worms used to propagate. "The issue with
the IIS exploit that affected Code Red is that it was an unpatched service
and went through a normal HTTP Web port, allowing normal Internet traffic
through," said Read. "The SQL vulnerability is not as bad, as providing that
it is correctly configured, it shouldn't allow traffic through to the server
directly."

SecurityFocus is recommending that companies running SQL Server check that
their account does not have a blank password, and use a firewall to block
port 1433.
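One defender-side check that follows from the scanning behaviour described above, added here as an example and not part of the original post or the article it forwards: flag any host that attempts connections to many distinct destinations on port 1433 within a short window, which is what an infected server looks like when it hunts for further SQL servers. The firewall log format and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the original post).
# Assumed line format: "<epoch> <src_ip> -> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
1006800000 10.0.0.5 -> 192.168.1.10:1433 DROP
1006800001 10.0.0.5 -> 192.168.1.11:1433 DROP
1006800002 10.0.0.5 -> 192.168.1.12:1433 DROP
1006800002 10.0.0.5 -> 192.168.1.13:1433 ACCEPT
1006800003 10.0.0.5 -> 192.168.1.14:1433 DROP
1006800004 10.0.0.7 -> 192.168.1.20:1433 ACCEPT
1006800005 10.0.0.7 -> 192.168.1.20:80 ACCEPT
1006800050 10.0.0.5 -> 192.168.1.15:1433 DROP
"""

LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) (\w+)$")


def parse_line(line):
    """Parse one assumed-format log line into (ts, src, dst, port, action)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # ignore lines that do not match the assumed format
    ts, src, dst, port, action = m.groups()
    return int(ts), src, dst, int(port), action


def find_sql_scanners(log_text, window=60, min_targets=5, port=1433):
    """Return {src: distinct_targets} for sources that reached at least
    `min_targets` distinct hosts on `port` within any `window` seconds.
    Dropped and accepted attempts both count: the scan itself is the signal."""
    events = defaultdict(list)  # src -> [(ts, dst)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == port:
            events[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            # distinct destinations seen in the window starting at this hit
            targets = {d for t, d in hits[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


if __name__ == "__main__":
    print(find_sql_scanners(SAMPLE_LOG))  # {'10.0.0.5': 6}
```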