Microsoft SQL Worm Crawls To Top Of Attack Charts
Brian McWilliams, Newsbytes 2002-05-28

An Internet worm that targets insecure Microsoft databases has quickly displaced forerunners Code Red and Nimda as the top source of computer attacks, experts said.

Since May 20, the SQLsnake worm, also known as Spida and Digispid, has been probing port 1433 on thousands of Internet-connected systems in an attempt to locate machines running Microsoft SQL without proper password protection on the system administrator account.

The probes to port 1433 have pushed port 80, the computer service targeted by the notorious Code Red and Nimda worms, out of the top spot on Dshield.org's "Most Attacked Port" list for the first time in many months.

According to Dshield statistics for North American sites, port 1433 received 56 percent of computer attacks in the past five days, while port 80 came in a distant second with 11 percent. In Asia, the spread was even wider, with port 1433 receiving 66 percent of probes and port 80 trailing with 12 percent.

The Dshield statistics are corroborated by those compiled by MyNetWatchman.com. According to the intrusion reporting service, port 1433 has borne the brunt of attacks in recent days, with a 41 percent share versus 23 percent for port 80.
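The "most attacked port" figures quoted above are simple per-port shares of reported firewall drops. The following script is an added example, not code from Newsbytes, Dshield or MyNetWatchman: it parses a small set of constructed firewall log lines (a simplified format assumed here, with addresses from documentation ranges), tallies destination ports the way the quoted statistics do, and counts distinct sources on port 1433, since many distinct sources hitting one port is what distinguishes a self-propagating worm from a single scanner.

```python
"""Tally destination ports from firewall log lines, Dshield-style.

Added example, not code from Newsbytes, Dshield or MyNetWatchman.
The log format below is a constructed, simplified one: each line has
a timestamp, action, source IP, destination IP:port and protocol.
"""
from collections import Counter
import re

# Constructed sample log lines (addresses from RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2002-05-25 10:01:02 DROP 198.51.100.14 -> 192.0.2.10:1433 tcp
2002-05-25 10:01:03 DROP 198.51.100.14 -> 192.0.2.11:1433 tcp
2002-05-25 10:01:05 DROP 203.0.113.7 -> 192.0.2.10:80 tcp
2002-05-25 10:01:09 DROP 198.51.100.99 -> 192.0.2.12:1433 tcp
2002-05-25 10:02:11 DROP 203.0.113.8 -> 192.0.2.10:80 tcp
2002-05-25 10:02:15 DROP 198.51.100.23 -> 192.0.2.13:1433 tcp
2002-05-25 10:02:40 DROP 203.0.113.9 -> 192.0.2.10:22 tcp
2002-05-25 10:03:01 DROP 198.51.100.57 -> 192.0.2.14:1433 tcp
2002-05-25 10:03:02 malformed line that should be skipped
2002-05-25 10:03:30 DROP 203.0.113.10 -> 192.0.2.10:443 tcp
"""

# Assumed log line layout for this example only.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) DROP (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<proto>\w+)$"
)


def parse_line(line):
    """Return (src, dst, port, proto), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["src"], m["dst"], int(m["port"]), m["proto"]


def port_shares(log_text):
    """Return a list of (port, share_percent) sorted by share, descending.

    Share is the percentage of parsed drop records hitting that port,
    the same quantity the per-port "percent of attacks" figures express.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the tally
        counts[rec[2]] += 1
    total = sum(counts.values())
    if total == 0:
        return []
    return [(port, round(100 * n / total, 1)) for port, n in counts.most_common()]


def most_attacked_port(log_text):
    """Return (port, share) of the top port, or None if the log is empty."""
    shares = port_shares(log_text)
    return shares[0] if shares else None


def distinct_sources(log_text, port):
    """Count distinct source addresses probing one port.

    A large number of distinct sources on 1433 points to a spreading worm
    rather than one scanner, which is the pattern worth alerting on.
    """
    srcs = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == port:
            srcs.add(rec[0])
    return len(srcs)


if __name__ == "__main__":
    for port, share in port_shares(SAMPLE_LOG):
        print(f"port {port:>5}: {share:5.1f}%")
    print("distinct sources on 1433:", distinct_sources(SAMPLE_LOG, 1433))
```

On the constructed sample, port 1433 takes 55.6 percent of drops from four distinct sources; on a real perimeter log the same two numbers, tracked per day, show a worm's arrival as a share spike accompanied by a jump in distinct sources.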

The Code Red worm first stormed the Internet last July, with its relative Nimda following in September. Both worms frantically probe port 80 in nearby Internet address space for Web servers running unpatched versions of Microsoft's Internet Information Server (IIS) software.

But while SQLsnake may be the biggest worm threat currently on the Net, experts say the malicious code's moment in the sun may be brief.

According to Johannes Ullrich, operator of the Dshield intrusion reporting service, SQLsnake's sudden rise to the top of the attack charts is due in part to the cyclical nature of both Code Red and Nimda.

Both port-80 worms enter a 10-day period of "sleep" commencing around the 19th of every month, during which their scan rate drops sharply, Ullrich noted. As a result, SQLsnake may slip from the top-attacker spot once Code Red and Nimda re-awaken next month, he said.

In the meantime, the Microsoft SQL worm is causing concern for computer security experts. The Computer Emergency Response Team (CERT), a federally funded computer security information clearinghouse, has warned that the worm is designed to capture password databases from vulnerable systems and forward them by e-mail, presumably to the worm's authors.

As a result, administrators are advised to change all passwords on infected machines, not simply that of the system administrator account, Ullrich said.

To assist administrators in locating vulnerable Microsoft SQL installations on their networks, Eeye Digital Security has released a free software scanner. While the tool can identify systems with "null" or non-existent passwords on the SA account, it cannot test whether a particular machine is already infected, according to Laurentiu Nicula, the scanner's author.

Dshield is at http://www.dshield.org .

MyNetWatchman is at http://www.mynetwatchman.com .

Eeye's MS-SQL scanner is available from http://www.eeye.com/html/Research/Tools/sqlworm.html .

CERT's description of SQLsnake is at http://www.cert.org/incident_notes/IN-2002-04.html .

Reported by Newsbytes, http://www.newsbytes.com .

Copyright 2006, SecurityFocus