May 21, 2002 5:15 PM PDT
SQL Server worm taking off
The worm, which started spreading Monday, has caused traffic to the server port--a channel for data--used by Microsoft SQL Server to jump by a factor of 40 in some reported cases.
SQL Server is the third most widely used database software package, with more than 16 percent of the overall market, according to a recent survey by Gartner Dataquest.
In an e-mail Tuesday, Keith Morgan, chief of information security for Web technology maker Terradon Communications Group, said the company saw 30 port scans in 10 days prior to the worm and logged about 700 on Monday and another 1,300 on Tuesday.
Others have reported similar data.
Incidents.org, the incident response Web site for the Security Administration Networking and Security (SANS) Institute, reported that more than 8,700 servers were targeted by the worm on Monday and nearly 74,000 on Tuesday.
In total, 2,450 servers have apparently been infected by the SQL worm, which Incidents.org has labeled SQLSnake.
The self-propagating program has also been named Spida.a.worm by antivirus companies Symantec and Network Associates, and DoubleTap by vulnerability-information company SecurityFocus.
The worm infects computers running Microsoft SQL Server, the company's software for managing information. If the software hasn't been patched with a fix released by Microsoft in late April and has no password on the administrator account, then the server is vulnerable.
Such a worm is not new. Code Red spread through Web servers in late July of last year, following a security hole in Microsoft Internet Information Server, the company's Web server software. In January, another worm, known as the Voyager Alpha Force worm, took advantage of the same set of exploits.
"We hope that people have taken measures after the Voyager Alpha worm," said Mark Miller, security specialist for Microsoft's product support service.
The worm affects only Microsoft SQL Server version 7.0. By default, SQL Server 2000 requires the administrator enter a password, so it's not vulnerable, Miller said.
Terradon's Morgan couldn't believe that administrators would let both those events occur. "It's shocking to me that there are systems administrators who would 1) place a Microsoft SQL Server on a direct connection to the Internet, and 2) do so with a blank (SQL administrator) password," Morgan said. "Simply astonishing."
Despite the speedy attack, Elias Levy, chief technology officer for SecurityFocus, added that the double criteria should limit the number of computers vulnerable to the worm, thus curtailing its spread.
"If you follow standard practices (and change the password), then you should be golden," Levy said.
The effects of the worm could be magnified by the fact that Microsoft's SQL Server software is included as part of other software packages, such as e-commerce suites and Web site development bundles, Levy said.
Systems administrators and security experts first detected the worm because of the abnormal number of attempts to connect to port 1433, which is used by servers running Microsoft's SQL Server.