Home & Office

Hybrid DDoS worm strikes Microsoft SQL Server

A tool that attacks an old exploit in Microsoft SQL servers and uses a combination of methods to spread is causing concern in the US
Written by Wendy McAuliffe, Contributor

Update 26 Jan 2003: Microsoft SQL Server has been hit by a new worm, called SQL Slammer, that has wreaked havoc across the Internet. Full story.

A known vulnerability in Microsoft SQL server systems is being targeted by a hybrid worm that combines a distributed denial of service attack (DDoS) with the automated propagation techniques used by worms such as Code Red.

US-based security company SecurityFocus noticed a rapidly growing network of controlled agents known as bots on Tuesday, which reportedly increased by 600 percent in the space of six hours. The bots were being used to launch DDoS attacks on systems wrongly configured with Microsoft SQL Server software.

Mark Read, security analyst at MIS Corporate Defence Solutions, said, "When you install SQL, at no point does it ask you for an administrator username and password -- this is installed as standard, and once it is up and running the password still remains blank." He added, "If the SQL server is accessible from the Internet, people can log in using a blank password and have full access to the database, as well as the underlying operating system."

SecurityFocus said the hybrid tool has been named "Voyager Alpha Force", and is human controlled through Internet Relay Chat (IRC) communications. The bots are set up on a password-protected IRC channel, where they monitor any conversations taking place. A DDoS attack is launched when an attacker logs onto the channel and types in a command, which is then recognised and acted upon by the bots. Affected servers will then scan netblocks for other vulnerable SQL servers on port 1433, and will try to log on and run the malicious code.

Voyager Alpha Force is unlikely to cause the same scale of damage as inflicted by Code Red and Nimda, because SQL Server is not as widely used as Microsoft IIS Server, which those worms used to propogate. "The issue with the IIS exploit that affected Code Red is that it was an unpatched service and went through a normal HTTP Web port, allowing normal Internet traffic through," said Read. "The SQL vulnerability is not as bad, as providing that it is correctly configured, it shouldn't allow traffic through to the server directly."

SecurityFocus is recommending that companies running SQL Server check that their account does not have a blank password, and use a firewall to block port 1433.

See the Viruses and Hacking News Section for the latest headlines.

See the Net Crime News Section for the latest on hacking, fraud, viruses and related issues.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.

Editorial standards