Security

New Microsoft SQL Server Worm 290

Ian Bell writes: "A new unnamed worm has been released and, once again, Microsoft software is the target. More specifically, this new worm targets Microsoft SQL servers with no administrator passwords set. Once the server is infected, it logs onto Internet Relay Chat (IRC) servers and is ready to receive commands and act accordingly. Although this can be a fairly malicious worm, it is very unlikely to infect many servers due to the fact that majority of Microsoft SQL servers have administrator passwords."
This discussion has been archived. No new comments can be posted.

  • Password (Score:2, Insightful)

    by LinuxOnHal ( 315199 ) on Sunday November 25, 2001 @02:48AM (#2609306) Homepage
    I think if someone got this one, they probably deserve it. If it attacks computers that don't have passwords, they could have prevented it. NetBIOS shares are a big hole too, without a password. It's a given.
  • by Osty ( 16825 ) on Sunday November 25, 2001 @02:59AM (#2609333)

    Of course, their situation would be a lot simpler if they released source so that these things could be fixed by anyone as soon as a problem pops up

    Who says you need source to fix problems? In this case, it's as simple as setting a password for the sa user. Anyway, the point is moot because this only affects SQL Server 7 and older. SQL Server 2000 makes you jump through hoops if you want to leave the sa password blank (as well, SQL auth isn't even the default. Instead, Windows domain auth is the default). Anyway, the point here is that source is absolutely not required to fix this problem. Just a small amount of brainpower, that's all.

  • I mean, any software listening to the internet for administrating purpose without a password should buy the admin a nice warm place between cardboard boxes and the joys of unemployment.
  • by Carnage4Life ( 106069 ) on Sunday November 25, 2001 @03:02AM (#2609344) Homepage Journal
    IMHO, anybody who
    1. installs database software without setting the password (Heck, installs any software that has passwords without changing the default) and

    2. exposes their corporate database to the web
    is too incompetent to keep their job. I seriously believe that infections like this should start becoming yardsticks that system administrators are hired and fired against. Seriously, if your corporate network gets infected by Code Red, Sircam or this new SQL server worm it is a sign that somebody somewhere is not doing their job. This goes for UNIX boxen as well, if you're hit by a BIND, sendmail or wu-ftpd exploit then your sys admin is a waste of money and you are better off hiring some college kid who needs the experience. It'll be cheaper and you probably will get better service anyway.
  • by Soko ( 17987 ) on Sunday November 25, 2001 @03:48AM (#2609432) Homepage
    No, it's not hard for the coders - but it would make life difficult for the support people. How many of them would get the inevitable "Ah installed yer ESS-Queuu-Elll thingy, and now it's buggin' me fer a paisswerd. What's wit thet?" from their targeted users? The Marketing Department at Microsoft would be up in arms, saying "Why did you make this hard for people to install?!!? FIX IT NOW!!!"

    MS has always played to the LCD in computerdom - there are relatively few who have the wherewithal and curiosity to know exactly what they're doing with the tools Microsoft gives them. It's been the job of Marketing to educate the users the product has been sold to. When they can't handle it properly, it's then dumped on to the Support people. No wonder Microsoft foists its support on its vendors - saves them a bundle.

    Example: Joe CFO wants the website up and running now, and gives the job to New Intern who doesn't have a clue. If New Intern can't get it running now, he blames his tools - namely MS, who hear about it from Joe CFO. So, figuring this out beforehand, Microsoft make it as easy as possible to get a SQL server running now - security be damned. New Intern has no authority to spend US$ 100 per call (or whatever it is) in order to contact someone who actually knows the scoop, and just blithely continues on. Microsoft make a sale, trap another customer, and get $ from supporting their insecure product - as well as upgrades in order to get more security.

    Criticize them as you want - but Microsoft has a good business model in getting everyone and their puppy into what should be advanced products. Then they try to educate their users as to why security is important. Backwards as it is, it seems to be working for them, too.
  • Not so, not so... (Score:4, Insightful)

    by trilucid ( 515316 ) <pparadis@havensystems.net> on Sunday November 25, 2001 @04:04AM (#2609458) Homepage Journal

    "Although this can be a fairly malicious worm, it is very unlikely to infect many servers due to the fact that majority of Microsoft SQL servers have administrator passwords."

    Not in my experience, sadly. In most of the corporate environments I've seen MS-SQL Server installed, the sa account has had no password. You may wonder what their logic was... "nobody would know how to hack it, and it's just a development server anyhow."

    Yeah, right... a development server exposed to the net. That's not the worst of it, though. I've seen shops where the sa account was kept blank so ASP "programmers" wouldn't have to bother with remembering a password. This shitty practice is amazingly common.

    It's usually very difficult to reason with the management types on this sort of thing. Most of these people view the database server as a magic box where their information is kept, not as a system that needs to be properly secured. By and large, most corporate types I've talked to actually believed you'd have to have physical access to the machine. I can't say how many times I've heard them say things like "oh, that's what the Administrator logon password in NT is for, right?". Uh, no try again...

    It would probably be impossible to accurately say how many people are running with open sa accounts, because to stand up and admit it would be career suicide for any "database admin". Then again, given the lack of knowledge concerning this among the management types, maybe they wouldn't take so much flak after all. In the end, they could always blame Microsoft for letting them set up the account with a blank password to begin with (dumb, but I can see them saying that).

    Web hosting by geeks, for geeks. Now starting at $4/month (USD)! [trilucid.com]
    If you're gonna email, use the public key!
  • by Wonko42 ( 29194 ) <.ryan+slashdot. .at. .wonko.com.> on Sunday November 25, 2001 @04:55AM (#2609547) Homepage
    Ever installed MySQL? It comes configured by default with no root password, just like MSSQL. If someone wrote a worm that took advantage of improperly-secured MySQL servers, that worm would do just as much damage (if not more, considering how widespread MySQL is) as this MSSQL worm. It's the administrator's problem, not the software's.

    Coincidentally, when you run the installer for MSSQL 2000, it prompts you to change the administrator password. Anyone who doesn't is an ignorant fool.

  • Re:Password (Score:4, Insightful)

    by leucadiadude ( 68989 ) on Sunday November 25, 2001 @06:21AM (#2609663) Homepage
    Nobody deserves to be hacked. I found it quite sad that this story has no posts (so far) commenting that the person(s) who created and released a malicious piece of software are a**holes. Hopefully it's that this goes without saying.

    Yes, I agree with the sentiment that if you do not secure your boxen, you are an idiot. But if you don't, you do not deserve to be victimised.

    If I accidentally leave my front door unlocked, do I deserve to be robbed/vandalised?
  • by Lumpy ( 12016 ) on Sunday November 25, 2001 @09:59AM (#2609891) Homepage
    uhh simple....
    Don't let any ASP program or programmer have sa access.
    If you can't write your app to use a regular SQL account then get the hell out of the business.

    It is amazing how many "programmers" require administrative access to databases or resources for no reason whatsoever. Give them a user account, if they forget their password, publicly humiliate them by yelling "what? are you so stupid that you can't remember a password? why did they hire you if you're that stupid?" This is reserved for programmers only... sales people and marketing are allowed to forget their password daily, we know they are that stupid, but a programmer has ZERO excuse.

    First, if the programmer asks for admin access, laugh them out of the office. If they ask again tell them to do it at home on their own time (Unpaid). If they ask a third time start back at the top.
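The two fixes raised in the comments above (a password on sa, and a regular SQL account for the web application instead of sa) look like this in T-SQL. This is an added example, not part of any post in the thread; it assumes a currently supported SQL Server release rather than the SQL Server 7 under discussion, and the database `AppDb`, login `webapp_rw`, table `dbo.Orders` and the password strings are hypothetical placeholders.

```sql
-- Added example: names AppDb, webapp_rw, dbo.Orders are hypothetical.
-- Run as a sysadmin in sqlcmd or SSMS (GO is their batch separator).

-- 1. Audit: SQL-authenticated logins whose password is blank or equals
--    the login name, and whether each one holds the sysadmin role.
SELECT name,
       is_disabled,
       IS_SRVROLEMEMBER('sysadmin', name) AS is_sysadmin,
       CASE WHEN PWDCOMPARE('', password_hash) = 1
            THEN 'blank password'
            ELSE 'password same as login name'
       END AS finding
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1
   OR PWDCOMPARE(name, password_hash) = 1;

-- 2. Give sa a real password, then disable it so nothing depends on it.
ALTER LOGIN sa WITH PASSWORD = '<placeholder: generated secret>';
ALTER LOGIN sa DISABLE;
GO

-- 3. A regular login for the web application, with password policy enforced.
CREATE LOGIN webapp_rw
    WITH PASSWORD = '<placeholder: generated secret>',
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = AppDb;
GO

USE AppDb;
GO

-- 4. Map the login into one database and grant only what the pages need.
CREATE USER webapp_rw FOR LOGIN webapp_rw;
GRANT SELECT, INSERT, UPDATE ON OBJECT::dbo.Orders TO webapp_rw;
GO

-- 5. Verify: list every permission the application account actually holds.
SELECT pr.name            AS principal,
       pe.state_desc      AS state,
       pe.permission_name AS permission,
       OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = 'webapp_rw';
```

Step 1 returning no rows is the state to aim for; any row with `is_sysadmin = 1` is the configuration the worm in the story relies on.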
  • Re:Password (Score:2, Insightful)

    by CaNuK ( 143746 ) on Sunday November 25, 2001 @11:14AM (#2610031) Homepage
    If you always leave your front door unlocked, you can expect to be robbed/vandalised, whether you deserve it or not. The perpetrators of the crime likely do not consider how deserving their victims are. All they need is opportunity. I think that we realize that this type of threat is a fact of life, and the idea should be to safeguard against it, since we are not going to snuff out this type of criminal activity any time soon.

    If you are responsible for a house, you should know well enough to lock it.

    Maybe the problem is that MS software often ends up in incapable or unaware hands.
  • by RodeoBoy ( 535456 ) on Sunday November 25, 2001 @12:39PM (#2610223) Homepage
    I just recently installed a sample web application from M$, yes it was .Net, and it came with one of these MSDE databases. When I opened up the server manager I was surprised to see several IP addresses in it. There are several @home users with SQL Server installed and many with no sa password, don't ask me how I know that. Many of these boxes also have infected IIS installs too. As if I don't get enough Code Red/Nimda hits as it is. I'm glad I uninstalled that thing, because I am sure it didn't have a password and I am not sure how I could set it. Does anyone know about the functionality of the little engines, and are they affected by this worm? LT
  • by Chris Johnson ( 580 ) on Sunday November 25, 2001 @03:55PM (#2610780) Homepage Journal
    Microsoft are traditionally NOT the majority in SERVERS.

    The reason all these worms target Microsoft is not because they hold the majority, it's because it's like shooting fish in a barrel...
