Once the local copy is executing on the victim system, the worm
begins scanning for other systems to infect. It also attempts to send
a copy of the local password (SAM) database, network configuration
information, and other SQL server configuration information to a fixed
email address (ixtld@postone.com) via email.
The attack used by the Spida worm is similar to that used by the
Kaiten malicious code described in IN-2001-13.
Additional information on null default sa passwords in
Microsoft SQL Server can be found in VU#635463.
II. Impact
The scanning activity of the Spida worm may cause denial-of-service
conditions on compromised systems, and it has been reported to cause high
traffic volumes even on networks with no compromised hosts.
Information about the victim system's configuration and accounts
may be compromised by the email the worm attempts to send.
By leveraging a default null password, an attacker may execute
arbitrary commands on the system in the security context in which the
Microsoft SQL Server services are running. While site-specific
configurations may vary, the SQL Server is typically run with
system-level privileges.
III. Solutions
Detection
During the course of the Spida worm's execution, a number of files
are created on the victim system. These include
- %SystemRoot%\System32\drivers\services.exe
- %SystemRoot%\System32\sqlexec.js
- %SystemRoot%\System32\clemail.exe
- %SystemRoot%\System32\sqlprocess.js
- %SystemRoot%\System32\sqlinstall.bat
- %SystemRoot%\System32\sqldir.js
- %SystemRoot%\System32\run.js
- %SystemRoot%\System32\timer.dll
- %SystemRoot%\System32\samdump.dll
- %SystemRoot%\System32\pwdump2.exe
The presence of any of these files on the system indicates compromise.
Scanning for other systems on port 1433/tcp or attempts to send
email to ixtld@postone.com may also indicate a compromised system.
Response
If you believe a system under your administrative control
may have been compromised, please refer to
- Steps
for Recovering from a UNIX or NT System Compromise
Protection
Set a password on the sa account
Following best practices, passwords should never be left with a
null or easily guessed value. Ensure that a password has been
assigned to the sa account on Microsoft SQL Servers under your
control.
Note that when installing Microsoft SQL 2000 Server, the
application prompts for an sa password. If a null password is
entered, a warning will be displayed, but the application will permit a
null password to be used.
Instructions to change the SQL Server password are located at
-
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ modadmin/html/deconchangingsqlserveradministratorlogin.asp
-
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ adminsql/ad_1_server_5un8.asp
Instructions to change the MSDE password can be found at
- http://support.microsoft.com/default.aspx?scid=kb;en-us;Q322336
Additional information on securing Microsoft SQL Server can be found at
- http://www.microsoft.com/sql/techinfo/administration/2000/security.asp
Limit access to the SQL Server port
Packet filtering should be performed at network borders to prohibit
externally initiated inbound connections to non-authorized services.
With regards to SQL Server, ingress filtering of port 1433/tcp could
prevent attackers outside of your network from scanning or infecting
vulnerable Microsoft SQL servers in the local network that are not explicitly
authorized to provide public SQL services.
Filtering packets destined for other services that are not
explicitly required can also prevent intruders from connecting to
backdoors on compromised systems.
Egress filtering
Egress filtering manages the flow of traffic as it leaves a network
under your administrative control. There is typically limited need
for machines providing public services to initiate outbound
connections to the Internet. In the case of the Spida worm, employing egress
filtering to disallow outbound connections to port 1433/tcp at your network
border can help prevent systems on your network from attacking systems elsewhere.
This is only effective against systems that are already infected with the Spida worm.
Block outgoing email to ixtld@postone.com
As mentioned in the Description section
above, the worm attempts to send configuration information and the
local password database to ixtld@postone.com. Blocking email to this
address can reduce the risk of confidential information being exposed
by the Spida worm. However, as with the egress filtering
recommendation above, this only blocks systems that are already
infected, so it is not sufficient to block the email without taking
other precautionary steps as described above.
IV. Additional protection
Apply a patch from Microsoft
Microsoft Corporation has released Microsoft Security Bulletin
MS02-020, which announces the availability of a cumulative patch to
address a variety of problems. While this patch does not address null
sa passwords, it does fix a number of serious security issues.
We strongly encourage you to read this bulletin and take the
appropriate corrective measures. MS02-020 is available at
-
http://www.microsoft.com/technet/ treeview/default.asp?url=/technet/security/bulletin/MS02-020.asp
Reporting
The CERT/CC is interested in receiving reports of this activity.
If machines under your administrative control are compromised, please
send mail to cert@cert.org
with the following text included in the subject line:
"[CERT#38873]".
Author(s): Chad Dougherty and Allen Householder
This document is available from:
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by
email. Our public PGP key is available from
CERT publications and other security information are available from
our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Copyright 2002 Carnegie Mellon University.
