Spida bites Microsoft SQL servers
Published: 22 May 2002 10:02 BST
A new worm that targets Microsoft SQL Server software has begun squirming through the Internet, according to experts.
Called DoubleTap by vulnerability analysis firm SecurityFocus, the worm has already managed to infect 1,600 servers that run the software, said Elias Levy, chief technology officer for the company. Despite the spread, Levy added that the virus shouldn't pose too much of an overall threat.
"We don't expect it to become widespread," he said.
The self-propagating program has also been named Spida.a.worm by antivirus firms Symantec and Network Associates and has been labelled SQLSnake by the Systems Administration Networking and Security (SANS) Institute. It has been infecting servers since Monday.
Even though SecurityFocus is currently tracking almost 100 infections per hour, the worm's only way to infect a system is if the Microsoft SQL Server system administrator password is left blank -- which is the default setting.
"If you follow standard practices (and change the password), then you should be golden," Levy said. Microsoft could not immediately comment on the worm or why a blank default password could be left on software that was newly installed.
Systems administrator and security experts first detected the worm because of the abnormal number of attempts to connect to port 1433, which is used by servers running Microsoft's SQL Server. Servers that haven't had a recent Microsoft bug fix applied could have their security cracked by the worm.
The DoubleTap worm is written in JavaScript, has two executable components and a batch file. Once it gets onto a system, it adds the guest account to the administrator group, giving the worm control of the system. It also changes the password of the SQL administrator so multiple infections won't occur.
The effects of the worm could be magnified by the fact that Microsoft's SQL Server software is included in many other complete software packages, such as e-commerce suites and Web site development bundles, Levy said.
"There are a lot of products that install (Microsoft) SQL as a component," he said, "and if the administrator does not know it, then that server is open."
Have your say instantly, and see what others have said. Go to the Security forum.
Let the editors know what you think in the Mailroom.
Did you find this article useful?
50 out of 86 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
