SecurityFocus has identified a new hybrid tool that combines distributed denial of service (DDoS) tools, with the automated propagation techniques previously seen only in worms.
SecurityFocus ARIS Incident Analysts identified a rapidly growing network of controlled agents or "bots", increasing 600% in the last 6 hours, which can be used to launch a DDoS attack. The tool is propagated through incorrectly configured Microsoft SQL server systems (plus servers that have not been patched with the "Extended Stored Procedure Parameter Parsing" vulnerability discussed in Microsoft Security Bulletin MS00-092) by scanning the System Administrator accounts that contain a password specified by the attacker.
SecurityFocus recommendations:
- Verify that the System Administrator "sa" account does not have a blank password if running Microsoft SQL server
- Use a firewall to block port 1433
Additionally, the SQL Worm reportedly propagates itself by scanning for systems that have opened port 1433. When it finds a system that has the port open, it downloads the files dnsservice.exe,win 32mon.exe, and win32bnc.exe from foo.com (IP Address 207.29.192.160) and starts them.
News source: SecurityFocus Announcement