New worm DDoS tool making the rounds

SecurityFocus has identified a new hybrid tool that combines distributed denial of service (DDoS) tools with the automated propagation techniques previously seen only in worms.

SecurityFocus ARIS Incident Analysts identified a rapidly growing network of controlled agents, or "bots", which has increased 600% in the last 6 hours and can be used to launch a DDoS attack. The tool propagates through incorrectly configured Microsoft™ SQL Server systems (plus servers that have not been patched against the "Extended Stored Procedure Parameter Parsing" vulnerability discussed in Microsoft Security Bulletin MS00-092) by scanning for System Administrator accounts that have a password specified by the attacker.

SecurityFocus recommendations:

  • Verify that the System Administrator "sa" account does not have a blank password if running Microsoft SQL server
  • Use a firewall to block port 1433

The tool, named "Voyager Alpha Force," is a modified and enhanced version of the DDoS tool Kaiten. It is human-controlled through Internet Relay Chat (IRC): it connects to an IRC server (bots.kujikiri.net, on port 6669), joins a password-protected channel, and starts scanning for other vulnerable systems. An attacker can thereby control a large number of agents residing on compromised hosts by issuing commands that initiate a DDoS attack or cause the program to continue propagating.

Additionally, the SQL Worm reportedly propagates itself by scanning for systems that have port 1433 open. When it finds a system that has the port open, it downloads the files dnsservice.exe, win32mon.exe, and win32bnc.exe from foo.com (IP Address 207.29.192.160) and starts them.
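As an added example (not part of the SecurityFocus announcement), the Python code below triages firewall connection records for the behaviours described above: fan-out to TCP 1433, connections to port 6669, and contact with 207.29.192.160. The log format, the sample records, the scan threshold and the `parse`/`triage` names are assumptions made for illustration.

```python
from collections import defaultdict

# Indicators taken from the announcement above.
SQL_PORT = 1433                 # MS SQL Server port the worm scans for
IRC_PORT = 6669                 # port of the IRC server the bots join
DOWNLOAD_IP = "207.29.192.160"  # host the worm downloads its files from
SCAN_THRESHOLD = 5              # assumption: distinct 1433 targets that count as a scan

# Constructed sample records: "timestamp src_ip dst_ip dst_port action"
SAMPLE_LOG = """\
t01 10.0.0.5 192.0.2.1 1433 DENY
t02 10.0.0.5 192.0.2.2 1433 DENY
t03 10.0.0.5 192.0.2.3 1433 ALLOW
t04 10.0.0.5 192.0.2.4 1433 DENY
t05 10.0.0.5 192.0.2.5 1433 DENY
t06 10.0.0.5 207.29.192.160 80 ALLOW
t07 10.0.0.5 198.51.100.7 6669 ALLOW
t08 10.0.0.9 192.0.2.50 1433 ALLOW
t09 10.0.0.12 198.51.100.7 6669 DENY
truncated line
"""

def parse(line):
    """Return (src, dst, port) for one record, or None if it is malformed."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    return parts[1], parts[2], int(parts[3])

def triage(log_text, threshold=SCAN_THRESHOLD):
    """Map each suspicious internal source IP to a sorted list of reasons."""
    sql_targets = defaultdict(set)   # src -> distinct hosts contacted on 1433
    reasons = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src, dst, port = rec
        # Denied attempts count too: a blocked scan still marks an infected host.
        if port == SQL_PORT:
            sql_targets[src].add(dst)
        if port == IRC_PORT:
            reasons[src].add("irc-6669")
        if dst == DOWNLOAD_IP:
            reasons[src].add("download-host")
    for src, targets in sql_targets.items():
        if len(targets) >= threshold:
            reasons[src].add("sql-scan")
    return {src: sorted(r) for src, r in reasons.items()}
```

A host that talks to a single SQL server, such as 10.0.0.9 in the sample, is not flagged; only fan-out at or above the threshold is treated as scanning.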

News source: SecurityFocus Announcement
