[NT] Microsoft SQL Spida Worm Propagation

From: support@securiteam.com
Date: 05/22/02


From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 22 May 2002 21:58:44 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Microsoft SQL Spida Worm Propagation
------------------------------------------------------------------------

SUMMARY

ISS X-Force has learned of a worm that is spreading via Microsoft SQL
servers. The Spida worm is responsible for large amounts of Internet
traffic as well as millions of TCP/IP probes at the time of this alert's
publication. This worm attempts to locate and log in to MS/SQL servers with
the "sa" account and a blank password. Once a vulnerable computer is
found, the worm will infect that target, send its configuration and
password information to an external host, and begin scanning for new
targets.

DETAILS

Impact:
Although the Spida worm is not destructive to the infected host, it may
generate a damaging level of network traffic when it scans for additional
targets. The scanner bundled with the worm is multi-threaded and is
capable of scanning with 100 threads. A large amount of network traffic is
created by the worm, which scans both internal and external IP addresses
for vulnerable servers.

Description:
The Spida worm propagates via Microsoft SQL installations whose
administrator account has no password defined. Although Microsoft
recommends that a password be set on the "sa" account upon installation,
many servers are not properly secured. If the worm finds a vulnerable
server, it attempts to execute its startup script by running the
"xp_cmdshell" extended stored procedure, which is the SQL call used to
execute operating-system commands from within SQL queries.

The main function of the Spida worm is to export an infected server's SAM
password database and forward information about its network and database
configuration.

The worm installs all of its files into the \Windows\system32 directory
except for services.exe, which is installed into the
\Windows\system32\drivers directory. Each of these files has a distinct
function that is outlined below:

sqlprocess.js - This is the worm's main payload. It holds IP address
arrays that are later used in the services.exe scanner. It executes
"ipconfig /all" and appends this information to send.txt. This script then
runs sqldir.js and appends all of the server's database information to
send.txt. It then executes pwdump2 and appends the password hashes to
send.txt, then runs clemail.exe and mails send.txt to ixltd@postone.com.

After the email is sent, send.txt is destroyed and services.exe is run to
scan for other vulnerable servers. Its results are appended to rdata.txt,
which the worm uses to attempt to propagate with the username "sa" and a
null password. sqlprocess.js also sets the registry value
HKLM\software\microsoft\mssqlserver\client\connectto\dsquery to dbmssocn,
which configures the SQL Server client to use the Winsock TCP/IP library
(dbmssocn) instead of the default DBNETLIB library.

It also turns on the NetDDE service, allowing SQL to use the DDE protocol.

sqlexec.js - This is a script used by sqlprocess.js to execute
xp_cmdshell. sqlinstall.bat is run within this instance of xp_cmdshell.

sqldir.js - Collects a list of databases on the infected system. Later,
sqlprocess.js writes this information in send.txt to send to
ixltd@postone.com.

run.js - This script passes time information to and from timer.dll.

sqlinstall.bat - Installs the worm then hides the files.

clemail.exe - Simple mail program used to email out the send.txt file.

services.exe - Scanner used by the worm to scan for other SQL servers on
port 1433. This information is appended into the rdata.txt file. This file
is multi-threaded and scans internal IP addresses before performing an
external IP address sweep.

pwdump2.exe - Injects samdump.dll into lsass.exe (the Windows process that
performs the authentication of log-on credentials) in order to grab raw
NT password hashes.

samdump.dll - Uses the same API that msv1_0.dll uses to capture Windows
password hashes.

timer.dll - A counter used for installation and other functionality of the
worm.
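The file list above doubles as a host-based indicator set: the scripts and DLLs in \Windows\system32 and, in particular, a services.exe sitting under \Windows\system32\drivers, where no legitimate copy belongs. The following is an added example and not part of the advisory or any vendor tool. It checks a system32 directory for those names (case-insensitively, as Windows does), includes the transient send.txt and rdata.txt working files, and gives a rough verdict; the directory layout it builds for the demo run is constructed, and the three-file threshold in `assess` is an assumption.

```python
"""Check a Windows system32 directory for the file set the advisory attributes
to the Spida worm. Added example; the verdict threshold is an assumption."""
import os
import tempfile

# Files the advisory says the worm drops into \Windows\system32 ...
SYSTEM32_INDICATORS = {
    "sqlprocess.js", "sqlexec.js", "sqldir.js", "run.js", "sqlinstall.bat",
    "clemail.exe", "pwdump2.exe", "samdump.dll", "timer.dll",
}
# ... and the one file it places in \Windows\system32\drivers. A services.exe
# under drivers is anomalous on its own: the legitimate binary lives in system32.
DRIVERS_INDICATORS = {"services.exe"}
# Working files the worm writes and later deletes; worth flagging if present.
TRANSIENT_INDICATORS = {"send.txt", "rdata.txt"}


def find_spida_files(system32_dir):
    """Return relative paths (original case) of indicator files found under
    system32_dir, in a stable order. Names are compared case-insensitively."""
    found = []
    try:
        names = {n.lower(): n for n in os.listdir(system32_dir)}
    except FileNotFoundError:
        return found
    for ind in sorted(SYSTEM32_INDICATORS | TRANSIENT_INDICATORS):
        if ind in names:
            found.append(names[ind])
    drivers = os.path.join(system32_dir, "drivers")
    if os.path.isdir(drivers):
        dnames = {n.lower(): n for n in os.listdir(drivers)}
        for ind in sorted(DRIVERS_INDICATORS):
            if ind in dnames:
                found.append(os.path.join("drivers", dnames[ind]))
    return found


def assess(found):
    """Rough verdict (assumed threshold): three or more of the worm's own
    scripts/binaries together is a strong match; a lone stray file is a hint."""
    core = {f.lower() for f in found} & SYSTEM32_INDICATORS
    if len(core) >= 3:
        return "likely infected"
    if found:
        return "suspicious"
    return "clean"


def build_demo_tree(root, infected=True):
    """Constructed directory layout for an offline run; no real samples."""
    s32 = os.path.join(root, "system32")
    os.makedirs(os.path.join(s32, "drivers"), exist_ok=True)
    # a real host has its legitimate services.exe directly in system32
    open(os.path.join(s32, "services.exe"), "w").close()
    if infected:
        for name in ("SQLPROCESS.JS", "sqlexec.js", "sqldir.js",
                     "timer.dll", "rdata.txt"):
            open(os.path.join(s32, name), "w").close()
        open(os.path.join(s32, "drivers", "services.exe"), "w").close()
    return s32


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        s32 = build_demo_tree(tmp, infected=True)
        hits = find_spida_files(s32)
        print(assess(hits), hits)
```

On a live host the function would be pointed at the real system32 path; the legitimate services.exe in system32 is deliberately not an indicator, only the copy under drivers is. A file check alone does not cover the registry change (dsquery set to dbmssocn) or the NetDDE service being enabled, which the advisory also describes and which deserve a separate look.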

Recommendations:
Microsoft SQL Server customers should refer to the following address for
information on securing Microsoft SQL Server:
http://www.microsoft.com/sql/techinfo/administration/2000/security.asp

ADDITIONAL INFORMATION

The information has been provided by X-Force (xforce@iss.net).
