SecurityFocus has identified a new hybrid tool that combines distributed denial of service (DDoS) tooling with the automated propagation techniques previously seen only in worms.
SecurityFocus ARIS Incident Analysts identified a rapidly growing network of controlled agents, or "bots", increasing 600% in the last 6 hours, which can be used to launch a DDoS attack. The tool propagates through incorrectly configured Microsoft SQL Server systems (and through servers that have not been patched against the "Extended Stored Procedure Parameter Parsing" vulnerability discussed in Microsoft Security Bulletin MS00-092) by scanning for System Administrator accounts that have a password specified by the attacker.
SecurityFocus recommendations:
- Verify that the System Administrator "sa" account does not have a blank password if running Microsoft SQL server
- Use a firewall to block port 1433
Additionally, the SQL Worm reportedly propagates itself by scanning for systems that have port 1433 open. When it finds a system with the port open, it downloads the files dnsservice.exe, win32mon.exe, and win32bnc.exe from foo.com (IP address 207.29.192.160) and starts them.
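The two network behaviours described above (one source touching many hosts on TCP port 1433, and compromised hosts fetching the payload from the named download address) are both visible in perimeter firewall logs. The following Python script is an added example, not part of the SecurityFocus advisory or of any ARIS tooling: it parses a constructed, simplified firewall log format (assumed for illustration), flags sources that contact an unusually large number of distinct hosts on port 1433, and lists internal hosts that connected to 207.29.192.160. The log layout, sample addresses, and the scan threshold are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not taken from the advisory).
# The "src= dst= proto= dport= action=" layout is an assumed, simplified format.
SAMPLE_LOG = """\
2001-11-20T10:00:01 src=10.0.0.5 dst=10.0.1.10 proto=tcp dport=1433 action=allow
2001-11-20T10:00:01 src=10.0.0.5 dst=10.0.1.11 proto=tcp dport=1433 action=deny
2001-11-20T10:00:02 src=10.0.0.5 dst=10.0.1.12 proto=tcp dport=1433 action=deny
2001-11-20T10:00:03 src=10.0.0.7 dst=10.0.1.10 proto=tcp dport=1433 action=allow
2001-11-20T10:00:04 src=10.0.0.7 dst=10.0.1.10 proto=tcp dport=1433 action=allow
2001-11-20T10:00:05 src=10.0.0.9 dst=207.29.192.160 proto=tcp dport=80 action=allow
2001-11-20T10:00:06 src=10.0.0.9 dst=10.0.1.20 proto=udp dport=53 action=allow
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+) action=(\S+)")

DOWNLOAD_HOST = "207.29.192.160"  # download address named in the advisory
SQL_PORT = 1433                   # Microsoft SQL Server port named in the advisory
SCAN_THRESHOLD = 3                # assumed tuning value: distinct 1433 targets per source


def parse_log(text):
    """Parse log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, proto, dport, action = m.groups()
        events.append({"src": src, "dst": dst, "proto": proto,
                       "dport": int(dport), "action": action})
    return events


def find_sql_scanners(events, threshold=SCAN_THRESHOLD):
    """Return {src: distinct_target_count} for sources that probed at least
    `threshold` distinct hosts on TCP/1433. Denied connections are counted too,
    since a blocked probe still reveals scanning behaviour."""
    targets = defaultdict(set)
    for e in events:
        if e["proto"] == "tcp" and e["dport"] == SQL_PORT:
            targets[e["src"]].add(e["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}


def find_download_contacts(events, host=DOWNLOAD_HOST):
    """Return the sorted list of sources that connected to the download host."""
    return sorted({e["src"] for e in events if e["dst"] == host})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("possible 1433 scanners:", find_sql_scanners(evts))
    print("contacted download host:", find_download_contacts(evts))
```

In the sample, 10.0.0.5 is reported because it reached three distinct hosts on port 1433, while 10.0.0.7 is not (repeated connections to a single database server are normal client traffic), and 10.0.0.9 is reported for contacting the download address.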