ISS Alert: Microsoft SQL Spida Worm Propagation

From: X-Force (xforce@iss.net)
Date: 05/21/02


Date: Tue, 21 May 2002 17:31:24 -0400 (EDT)
To: bugtraq@securityfocus.com
From: X-Force <xforce@iss.net>


-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Alert
May 21, 2002

Microsoft SQL Spida Worm Propagation

Synopsis:

ISS X-Force has learned of a worm that is spreading via Microsoft SQL
servers. The Spida worm is responsible for large amounts of Internet
traffic as well as millions of TCP/IP probes at the time of this alertís
publication. This worm attempts to locate and login to MS/SQL servers
with the "sa" account and a blank password. Once a vulnerable computer
is found, the worm will infect that target, send its configuration and
password information to an external host, and begin scanning for new
targets.

Impact:

Although the Spida worm is not destructive to the infected host, it may
generate a damaging level of network traffic when it scans for
additional targets. The scanner bundled with the worm is multi-threaded
and is capable of scanning with 100 threads. A large amount of network
traffic is created by the worm, which scans both internal and external
IP addresses for vulnerable servers.

Description:

The Spida worm propagates via Microsoft SQL installations with
administrator accounts that have no passwords defined. Although
Microsoft recommends that the "sa" account be set upon installation,
many servers are not properly secured. If the worm finds a vulnerable
server, it will attempt to execute its startup script by running the
"xp_cmdshell" function, which is the SQL call used to execute system
commands within SQL queries.

The main function of the Spida worm is to export an infected serverís
SAM password database and forward information about its network and
database configuration.

The worm installs all of its files into the \Windows\system32 directory
except for services.exe, which is installed into the
\Windows\system32\drivers directory. Each of these files has a distinct
function which is outlined below:

sqlprocess.js - This is the wormís main payload. It holds IP address
arrays which are later used in the services.exe scanner. It executes
"ipconfig /all" and appends this information to send.txt. This script
then runs sqldir.js and appends all of the serverís database information
to send.txt. It then executes pwdump2 and appends the password hashes to
send.txt, then runs clemail.exe and mails send.txt to ixltd@postone.com.
After the email is sent, send.txt is destroyed and services.exe is run
to scan for other vulnerable servers. This information is appended to
rdata.txt, which the worm uses to attempt to propagate with the username
"sa" and a null password. The sqlprocess.js file sets the registry value
dbmssocn to configure the SQL server to use the Winsock TCP/IP library
instead of the default DBNETLIB library:
(HKLM\\software\\microsoft\\mssqlserver\\client\\connectto\\dsquery).
It also turns on the NetDDE service, allowing SQL to use the DDE
protocol.

sqlexec.js - This is a script used by sqlprocess.js to execute
xp_cmdshell. sqlinstall.bat is run within this instance of xp_cmdshell.

sqldir.js - Collects a list of databases on the infected system. Later,
sqlprocess.js writes this information in send.txt to send to
ixltd@postone.com.

run.js - This script passes time information to and from timer.dll.

sqlinstall.bat - Installs the worm then hides the files.

clemail.exe - Simple mail program used to email out the send.txt file.

services.exe - Scanner used by the worm to scan for other SQL servers on
port 1433. This information is appended into the rdata.txt file. This
file is multi-threaded and scans internal IP addresses before performing
an external IP address sweep.

pwdump2.exe - Injects samdump.dll into lsass.exe (a Windows program that
performs the authentication of log-on credentials) in order to grab raw
NTpassword hashes.

samdump.dll - Uses the same API that msv1_0.dll uses to capture Windows
password hashes.

timer.dll - A counter used for installation and other functionality of
the worm.

Recommendations:

Microsoft SQL Server customers should refer to the following address for
information and securing Microsoft SQL Server:
http://www.microsoft.com/sql/techinfo/administration/2000/security.asp.

ISS Database Scanner product implemented a check for a blank
administrator password in December of 1998. Database Scanner customers
are encouraged to enable this check if they have not done so. For more
information, refer to:
http://www.iss.net/products_services/enterprise_protection/vulnerability
_assessment/scanner_database.php

ISS RealSecure Network Sensor customers may use the following connection
event to detect access attempts to the SQL Server port. Follow the
instructions below to apply the connection event to your policy. This
connection event will detect legitimate connection attempts to MS/SQL
servers.
1. Choose a policy you want to use, and click Customize.
2. Select the Connection Events tab.
3. Click Add on the right hand side of the dialog box.
4. Create a Connection Event.
5. Type in a name of the event, such as "MS/SQL Port Probe".
6. In the Response field for the event, select the responses you want to
use.
In the Protocol field, select TCP.
In the Dest Port/Type field click the pull down box and create an entry
for TCP port 1433:
a. Click Add.
b. Select TCP Protocol.
c .Name the service "MS/SQL Port Probe".
d. Use 1433 for the port number.
e. Click OK.
f. Select the entry just created.
7. Save changes and close the window.
8. Click Apply to Sensor or Apply to Engine depending on the version of
RealSecure.

To create a user-defined event RealSecure Server Sensor:
1. Open the desired policy.
2. Expand the Connections tree on the Protect view.
3. Expand the User Defined Suspect Connections branch.
4. Click Add to add a new User Defined Suspect Connections event
5. Name the event, SQL_Connection.
6. Select the desired responses under the response column.
7. Enter "1433" under the port column.
8. Save the Policy and apply it to the sensor.

ISS BlackICE customers should monitor and/or enable the "SQL Port Probe"
event. This event will detect probes by the Spida worm.

ISS X-Force will provide assessment support for this vulnerability in an
upcoming X-Press Update for Internet Scanner.

______

About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect critical
online resources from an ever-changing spectrum of threats and misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia, Europe
and the Middle East.

Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved
worldwide.

Permission is hereby granted for the electronic redistribution of this
document. It is not to be edited or altered in any way without the
express written consent of the Internet Security Systems X-Force. If you
wish to reprint the whole or any part of this document in any other
medium excluding electronic media, please email xforce@iss.net for
permission.

Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key
server, as well as at http://www.iss.net/security_center/sensitive.php

Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBPOq7ZTRfJiV99eG9AQHQjgP7B1CsdiUQmlyzBZyN3pVPkDde8z8yFZOl
pI6aD/YKH3d+Ru6uWeYjSB2X3cHJZU7hJphu83LPVTCbcuCkzlmLUOtu8mcZgomS
m41G/8e976UvALAR81RTB6VaprQ2zahxQzEkN4TeC2d8YEPMtJH/YowN6nprFsB7
hfrZt/2ggoA=
=8g1x
-----END PGP SIGNATURE-----