IWS - The Information Warfare Site

Advisory 02-003

Microsoft SQL Worm Spida
May 22, 2002

Summary:

The National Infrastructure Protection Center (NIPC) is monitoring an Internet worm called "Spida", also known as SQLSnake. This worm takes advantage of default settings within Microsoft's SQL Server (MSSQL) when there is a system administrator user name of "sa" and no password. The danger in this worm is that it copies the password file and the network configuration of the infected machine and sends the information elsewhere via e-mail. This worm can evolve into a Denial of Service (DoS) attack against the infected machine and others on the same network because of the voluminous scanning traffic the worm initiates once inside the infected machine.

Description:

The Spida worm searches for MSSQL servers that have been set up with the default system administrator account with user name of "sa" and a blank password field that was not changed after installation. Once inside, Spida sends the Internet Protocol (IP) configuration of the machine and the domain password file as well as a variety of machine-specific information to a temporary file. The temporary file that contains the IP and password files is then sent to a collection point from a fully privileged "guest" account that Spida sets up.

MSSQL servers installed with "integrated security mode" settings are not at risk. Those servers installed with "mixed mode" security settings, without a password for the "sa" account, are at risk. To set the password after installation, see: http://www.microsoft.com/sql

The success of this worm highlights shortfalls in basic configuration management and system security. Once software is installed, any default user names and passwords that can be changed should be changed. Note that the user name "sa" cannot be changed. All passwords should be under the system administrator's control, with strict adherence to security conventions for all user accounts.

Recommendations:

Change any editable default user names and passwords on MSSQL and all other software as soon as the software is installed. Set a password on the "sa" account, which otherwise keeps its default "null" (blank) password, in strict adherence to security conventions.

Consider restricting port 1433 access on the MSSQL server to only those machines that require connection to the database(s).
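Because an infected host generates the voluminous port 1433 scanning described above, the scan itself is a usable detection signal at the network perimeter. The following Python script is an added illustration, not part of the NIPC advisory: it runs over a constructed flow-log excerpt in an assumed format and flags any source that reaches many distinct hosts on tcp/1433 within a short window, while leaving an ordinary client that reconnects to the same database server unflagged.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow-log excerpt (assumed format "<date> <time> <src> -> <dst>:<port> <proto>"), not
# real data: 192.0.2.10 behaves like a Spida host sweeping tcp/1433, 192.0.2.20 like a normal client.
SAMPLE_LOG = """\
2002-05-21 14:00:01 192.0.2.10 -> 198.51.100.5:1433 tcp
2002-05-21 14:00:01 192.0.2.10 -> 198.51.100.6:1433 tcp
2002-05-21 14:00:02 192.0.2.10 -> 198.51.100.7:1433 tcp
2002-05-21 14:00:02 192.0.2.10 -> 198.51.100.8:1433 tcp
2002-05-21 14:00:03 192.0.2.10 -> 198.51.100.9:1433 tcp
2002-05-21 14:00:03 192.0.2.10 -> 198.51.100.10:1433 tcp
2002-05-21 14:00:04 192.0.2.10 -> 198.51.100.11:80 tcp
2002-05-21 14:00:05 192.0.2.20 -> 198.51.100.5:1433 tcp
2002-05-21 14:10:00 192.0.2.20 -> 198.51.100.5:1433 tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) \w+$"
)

def parse_mssql_connections(log_text, port=1433):
    """Return {src_ip: [(timestamp, dst_ip), ...]} for connection attempts to `port`."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m["port"]) != port:
            continue  # malformed line, or traffic to some other service
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        by_src[m["src"]].append((ts, m["dst"]))
    return by_src

def find_sql_scanners(log_text, min_targets=5, window=timedelta(seconds=60)):
    """Return {src_ip: peak distinct hosts} for sources reaching >= min_targets distinct
    addresses on tcp/1433 inside any single `window`; a real client reuses the same few servers."""
    flagged = {}
    for src, events in parse_mssql_connections(log_text).items():
        events.sort()  # chronological, so each slice below starts at a window boundary
        peak = 0
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            peak = max(peak, len(targets))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    for src, n in find_sql_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct hosts on tcp/1433 within 60 s; probable worm scanning")
```

The threshold and window are assumptions to tune per network; a flagged internal source is also a strong hint that its own "sa" account had a blank password.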

Microsoft SQL Server customers should refer to the following address for information on securing Microsoft SQL Server:

http://www.microsoft.com/sql/techinfo/administration/2000/security.asp.

The anti-virus and security communities are aware of this worm, and virus definitions for it are available. As it primarily affects servers, vigilance, basic security practices and security measures are the best defense against this worm. Additional information on this worm can be found at the following sites:

Incidents.org:
http://www.incidents.org/diary/diary.php?id=157

Internet Security Systems:
http://www.iss.net/security_center/alerts/advise118.php

For basic tips and suggestions on password creation, see: http://www.nipc.gov/publications/nipcpub/password.htm.

Recipients of this advisory are encouraged to report computer crime to federal, state, or local law enforcement and other appropriate authorities. Incidents may be reported online at http://www.nipc.gov/incident/cirr.htm.

The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch@fbi.gov.