SQLSnake Worm Spreads Like Crazy off of SQL Server Vulnerability

Apparently there's a new worm on the loose that targets SQL servers, specifically searching for servers that have blank administator passwords to exploit. Internet Security Systems Security Alert, May 21, 2002, says that this worm is "responsible for large amounts of Internet traffic as well as millions of TCP/IP probes at the time of this alert's publication. This worm attempts to locate and login to MS/SQL servers with the "sa" account and a blank password. Once a vulnerable computer is found, the worm will infect that target, send its configuration and password information to an external host, and begin scanning for new targets."

What is the worm's impact? The ISS alert warns, "Although the Spida worm is not destructive to the infected host, it may generate a damaging level of network traffic when it scans for additional targets. The scanner bundled with the worm is multi-threaded and is capable of scanning with 100 threads. A large amount of network traffic is created by the worm, which scans both internal and external IP addresses for vulnerable servers."

I know that many of our readers may be running Microsoft SQL servers, and it is very important that you protect your systems and your networks and keep from getting infected by this worm. For more information on how the worm works, and what to look for, I've provided you with several links:

Microsoft SQL Spida Worm Propagation

Product Support Services Informational Alert on SQL Server (Microsoft.com, May 21, 2002)

SQLSnake Code Analysis (Incidents.org, report by George Bakos and Guofei Jiang, Institute for Security Technology Studies, Dartmouth College)

'SQLsnake' Worm Blamed For Spike In Port 1433 Scans

• Subscribe
• RSS

• Editorial
• Specials
• Community
• News
• Tech and Tags
• Views
• Reviews
• Techniques
• Security
• Best of ColdFusion Talk
• Knowledge Base
• Blog Watch

• Tipical Charlie