May 21, 2002
Microsoft SQL Spida Worm Propagation
ISS X-Force has learned of a worm that is spreading via Microsoft SQL servers. The Spida worm is responsible for large amounts of Internet traffic as well as millions of TCP/IP probes at the time of this alertís publication. This worm attempts to locate and login to MS/SQL servers with the "sa" account and a blank password. Once a vulnerable computer is found, the worm will infect that target, send its configuration and password information to an external host, and begin scanning for new targets.
Although the Spida worm is not destructive to the infected host, it may generate a damaging level of network traffic when it scans for additional targets. The scanner bundled with the worm is multi-threaded and is capable of scanning with 100 threads. A large amount of network traffic is created by the worm, which scans both internal and external IP addresses for vulnerable servers.
The Spida worm propagates via Microsoft SQL installations with administrator accounts that have no passwords defined. Although Microsoft recommends that the "sa" account be set upon installation, many servers are not properly secured. If the worm finds a vulnerable server, it will attempt to execute its startup script by running the "xp_cmdshell" function, which is the SQL call used to execute system commands within SQL queries.
The main function of the Spida worm is to export an infected serverís SAM password database and forward information about its network and database configuration.
The worm installs all of its files into the Windowssystem32 directory except for services.exe, which is installed into the Windowssystem32drivers directory. Each of these files has a distinct function which is outlined below:
sqlprocess.js - This is the wormís main payload. It holds IP address arrays which are later used in the services.exe scanner. It executes "ipconfig /all" and appends this information to send.txt. This script then runs sqldir.js and appends all of the serverís database information to send.txt. It then executes pwdump2 and appends the password hashes to send.txt, then runs clemail.exe and mails send.txt to email@example.com. After the email is sent, send.txt is destroyed and services.exe is run to scan for other vulnerable servers. This information is appended to rdata.txt, which the worm uses to attempt to propagate with the username "sa" and a null password. The sqlprocess.js file sets the registry value dbmssocn to configure the SQL server to use the Winsock TCP/IP library instead of the default DBNETLIB library:
(HKLM\software\microsoft\mssqlserver\client\connectto\dsquery). It also turns on the NetDDE service, allowing SQL to use the DDE protocol.
sqlexec.js - This is a script used by sqlprocess.js to execute xp_cmdshell. sqlinstall.bat is run within this instance of xp_cmdshell.
sqldir.js - Collects a list of databases on the infected system. Later, sqlprocess.js writes this information in send.txt to send to firstname.lastname@example.org.
run.js - This script passes time information to and from timer.dll.
sqlinstall.bat - Installs the worm then hides the files.
clemail.exe - Simple mail program used to email out the send.txt file.
services.exe - Scanner used by the worm to scan for other SQL servers on port 1433. This information is appended into the rdata.txt file. This file is multi-threaded and scans internal IP addresses before performing an external IP address sweep.
pwdump2.exe - Injects samdump.dll into lsass.exe (a Windows program that performs the authentication of log-on credentials) in order to grab raw NTpassword hashes.
samdump.dll - Uses the same API that msv1_0.dll uses to capture Windows password hashes.
timer.dll - A counter used for installation and other functionality of the worm.
Microsoft SQL Server customers should refer to the following address for information and securing Microsoft SQL Server:
ISS Database Scanner product implemented a check for a blank administrator password in December of 1998. Database Scanner customers are encouraged to enable this check if they have not done so. For more information, refer to:
ISS RealSecure Network Sensor customers may use the following connection event to detect access attempts to the SQL Server port. Follow the instructions below to apply the connection event to your policy. This connection event will detect legitimate connection attempts to MS/SQL servers.
1. Choose a policy you want to use, and click Customize.
2. Select the Connection Events tab.
3. Click Add on the right hand side of the dialog box.
4. Create a Connection Event.
5. Type in a name of the event, such as "MS/SQL Port Probe".
6. In the Response field for the event, select the responses you want to use.
In the Protocol field, select TCP.
In the Dest Port/Type field click the pull down box and create an entry
for TCP port 1433:
a. Click Add.
b. Select TCP Protocol.
c .Name the service "MS/SQL Port Probe".
d. Use 1433 for the port number.
e. Click OK.
f. Select the entry just created.
7. Save changes and close the window.
8. Click Apply to Sensor or Apply to Engine depending on the version of RealSecure.
To create a user-defined event RealSecure Server Sensor:
1. Open the desired policy.
2. Expand the Connections tree on the Protect view.
3. Expand the User Defined Suspect Connections branch.
4. Click Add to add a new User Defined Suspect Connections event
5. Name the event, SQL_Connection.
6. Select the desired responses under the response column.
7. Enter "1433" under the port column.
8. Save the Policy and apply it to the sensor.
ISS BlackICE customers should monitor and/or enable the "SQL Port Probe" event. This event will detect probes by the Spida worm.
ISS X-Force will provide assessment support for this vulnerability in an upcoming X-Press Update for Internet Scanner.
About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a pioneer and world leader in software and services that protect critical online resources from an ever-changing spectrum of threats and misuse. Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East.
Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this document. It is not to be edited or altered in any way without the express written consent of the Internet Security Systems X-Force. If you wish to reprint the whole or any part of this document in any other medium excluding electronic media, please email email@example.com for permission.
Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
X-Force PGP Key available on MIT's PGP key server and PGP.com's key server, as well as at http://www.iss.net/security_center/sensitive.php
Please send suggestions, updates, and comments to: X-Force firstname.lastname@example.org of Internet Security Systems, Inc.