A new worm that targets Microsoft's SQL Server database is making the rounds on the internet, security experts have warned.
Riptech, a security services company in Alexandria, Virginia, that monitors companies' IT systems, says it detected a 100-fold increase on Monday in the number of unique IP addresses targeting its customers that use SQL Server. Several analysts were alerted to the worm by the huge increase in scanning activity for Port 1433, which is commonly used by Microsoft's SQL Server.
Based on the increase, Riptech advised customers that a SQL Server worm was spreading, says Tim Belcher, Riptech's chief technology officer.
"We're detecting thousands of new compromised systems per hour as this propagates," he said yesterday.
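The signal Riptech describes above, a sudden jump in the number of distinct source addresses hitting TCP port 1433, is easy to reproduce from ordinary firewall logs. The following is an added example, not code from the article or from Riptech: it buckets constructed, space-separated log lines of the form `timestamp src_ip dst_port action` by hour, counts unique sources per hour, and flags any hour whose count exceeds a multiple of the median of the hours before it. The log format, the 10x threshold and the sample addresses are all assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

SQL_PORT = 1433


def build_sample_log():
    """Constructed firewall log (not real traffic): three quiet hours with two
    scanners each plus unrelated web traffic, then one hour with 25 distinct
    sources probing port 1433, which is the pattern the article describes."""
    lines = []
    for hour in (9, 10, 11):
        for i in (1, 2):
            lines.append(f"2002-05-20T{hour:02d}:{i * 5:02d}:00 10.0.{hour}.{i} 1433 DROP")
        lines.append(f"2002-05-20T{hour:02d}:30:00 10.0.{hour}.1 80 ALLOW")  # noise, not SQL
    for i in range(1, 26):
        lines.append(f"2002-05-20T12:{i:02d}:00 192.0.2.{i} 1433 DROP")
    return "\n".join(lines)


def unique_sources_per_hour(log_text, port=SQL_PORT):
    """Map each hour to the set of distinct source IPs that tried to reach `port`.
    Lines that do not have exactly four fields are skipped rather than crashing
    the pipeline on a malformed entry."""
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst_port, _action = parts
        if int(dst_port) != port:
            continue
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        buckets[hour].add(src)
    return buckets


def flag_scan_spikes(buckets, factor=10, min_baseline=1):
    """Return (hour, count, baseline) for every hour whose unique-source count is
    at least `factor` times the median of all earlier hours. `min_baseline`
    keeps a near-silent history from turning a handful of probes into an alert."""
    hours = sorted(buckets)
    alerts = []
    for i, hour in enumerate(hours):
        prior = [len(buckets[h]) for h in hours[:i]]
        if not prior:
            continue  # nothing to compare the first hour against
        baseline = max(median(prior), min_baseline)
        count = len(buckets[hour])
        if count >= factor * baseline:
            alerts.append((hour.isoformat(), count, baseline))
    return alerts


if __name__ == "__main__":
    for hour, count, baseline in flag_scan_spikes(unique_sources_per_hour(build_sample_log())):
        print(f"{hour}: {count} unique sources on port {SQL_PORT} (baseline {baseline})")
```

Comparing against the median of earlier hours rather than the previous hour alone means a single busy hour does not raise the baseline for the next one, so a worm outbreak that persists for several hours keeps firing.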
Symantec, Network Associates and SecurityFocus also are reporting proliferation of the worm, variously being referred to as SQLSnake, DoubleTap and DigiSpid.B.Worm. Despite the ominous-sounding names, experts say the worm is unlikely to cause widespread damage.
A Microsoft spokesman says the worm affects only systems running SQL Server Version 7.0 in which the system administrator password is blank, which is the default setting for that release. SQL Server 2000 does not default to a blank password, which means those systems are not affected, says Mark Miller, a Microsoft security specialist.
Microsoft issued a bulletin to enterprise customers yesterday after it, too, noted an increase in the number of attempts to access SQL Servers that have blank passwords, he says. It recommended a series of steps they should take, the first being to make sure no system administrator passwords remain blank.
"I don't think we're looking at a fast-spreading worm, because most (SQL Server) administrators are taking the necessary steps," he says.
When a system becomes infected, the worm copies a series of files to the hard disk, including an executable that scans for other vulnerable servers to infect, experts say. Another executable locates user passwords on the system and sends them to an external email address set up by the hacker.
Microsoft's Miller says those and other vulnerabilities would have been eliminated if customers had installed a patch issued April 17 and available on Microsoft's website. "It's not a new vulnerability," he says. "It's a case of not following best practices."
The worm is unlikely to spread itself widely enough to compromise internet performance, Belcher says, calling the worm less severe than two of its predecessors, Nimda and Code Red. That's partly because SQL Server isn't as widely used as Microsoft's Internet Information Server, which was targeted by those worms.
"There's likely no internet threat here, but it may have the unintended effect of going after financial firms, transaction-based websites and e-commerce sites" because many of them use SQL Server, Belcher says.
Microsoft's bulletin about the worm is here.
Meanwhile, Riptech advised its customers to review the configuration of all their systems and disable any that may be running SQL Server inadvertently. It also advised them to forbid remote access to the MSSQL daemon, saying only web servers, internal applications and other trusted systems should be permitted to interact directly with the server.
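Riptech's second piece of advice, that only trusted systems should be allowed to reach the SQL Server port, can be checked mechanically against a firewall ruleset. The following is an added example, not from the article or from Riptech: it audits a constructed list of allow rules for port 1433 against a trusted-source allowlist and rewrites the ruleset so that only the trusted networks are permitted and everything else is explicitly denied. The rule format, the trusted networks and the weak "allow from anywhere" rule are assumptions made for the illustration.

```python
import ipaddress

SQL_PORT = 1433

# Constructed allowlist: the web servers and internal application hosts that
# legitimately need to talk to the database.
TRUSTED_SOURCES = [ipaddress.ip_network(n) for n in ("10.10.1.0/24", "10.10.2.5/32")]

# Constructed "before" ruleset. The second rule is the mistake: it lets any
# source on the internet reach port 1433.
WEAK_RULES = [
    {"src": "10.10.1.0/24", "dport": 1433, "action": "allow"},
    {"src": "0.0.0.0/0", "dport": 1433, "action": "allow"},
]


def audit_sql_exposure(rules, trusted=TRUSTED_SOURCES, port=SQL_PORT):
    """Return every allow rule for `port` whose source range is not wholly
    inside one of the trusted networks."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or rule["dport"] != port:
            continue
        src = ipaddress.ip_network(rule["src"])
        if not any(src.subnet_of(net) for net in trusted):
            findings.append(rule)
    return findings


def harden(rules, trusted=TRUSTED_SOURCES, port=SQL_PORT):
    """Drop the offending rules, make sure each trusted network has its own
    allow rule, and finish with an explicit deny for the port so the default
    is closed rather than open."""
    exposed = audit_sql_exposure(rules, trusted, port)
    kept = [r for r in rules if r not in exposed]
    present = {r["src"] for r in kept if r["action"] == "allow" and r["dport"] == port}
    for net in trusted:
        if str(net) not in present:
            kept.append({"src": str(net), "dport": port, "action": "allow"})
    kept.append({"src": "0.0.0.0/0", "dport": port, "action": "deny"})
    return kept


if __name__ == "__main__":
    for rule in audit_sql_exposure(WEAK_RULES):
        print("exposed:", rule)
    for rule in harden(WEAK_RULES):
        print("hardened:", rule)
```

Running the audit again over the hardened ruleset returns nothing, which is the property to keep checking whenever the ruleset changes, since a later "temporary" allow rule is the usual way this exposure comes back.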