A known vulnerability in Microsoft SQL server systems is being targeted by a hybrid worm that combines a distributed denial of service attack (DDoS) with the automated propagation techniques used by worms such as Code Red.
U.S.-based security company SecurityFocus noticed a rapidly growing network of controlled agents known as bots on Tuesday, which reportedly increased by 600 percent in the space of six hours. The bots were being used to launch DDoS attacks on systems wrongly configured with Microsoft SQL Server software.
Mark Read, security analyst at MIS Corporate Defence Solutions, said, "When you install SQL, at no point does it ask you for an administrator username and password -- this is installed as standard, and once it is up and running the password still remains blank." He added, "If the SQL server is accessible from the Internet, people can log in using a blank password and have full access to the database, as well as the underlying operating system." [Cheekymonkey says: But surely any admin worth their salt knew this and set up a password??]
SecurityFocus said the hybrid tool has been named "Voyager Alpha Force", and is human controlled through Internet Relay Chat (IRC) communications. The bots are set up on a password-protected IRC channel, where they monitor any conversations taking place. A DDoS attack is launched when an attacker logs onto the channel and types in a command, which is then recognised and acted upon by the bots. Affected servers will then scan netblocks for other vulnerable SQL servers on port 1433, and will try to log on and run the malicious code.