SQL worm: Servers may be off the hook

The infectious program has co-opted more than 6,600 machines, but its insistent attempts to spread make it easy to identify and exterminate.

Robert Lemos, Staff Writer, CNET News.com (covers viruses, worms and other security threats)
A worm that attacks computers running Microsoft's SQL Server software has co-opted more than 6,600 servers, but its insistent attempts to spread have made it easy to identify and exterminate, experts said Wednesday.

Known as DoubleTap, SQLSnake and Spida.A.Worm, depending on the security organization one talks with, the infectious program is not expected to claim many more servers, said Johannes Ullrich, chief technology officer for the System Administration Networking and Security (SANS) Institute's Internet Storm Center.

"The worm probably won't reach (the same number of infections) that it got up to yesterday," Ullrich said. "But you will see the probes for quite a while."

Hampered by several drawbacks--only very insecure servers can be compromised, for example, and the worm's numerous scans are easy to detect--the SQL bug has not reached anywhere near the level of the Code Red worm, which claimed more than 364,000 servers last summer.

Incidents.org has labeled the worm SQLSnake, while vulnerability-information company SecurityFocus dubbed the worm DoubleTap. Several antivirus companies have used variations on the name "Spida."

The worm infects computers running Microsoft SQL Server, the company's software for managing information. If the software hasn't been patched with a fix, released by Microsoft in late April, and has no password on the administrator account, then the server is vulnerable. The worm mainly affects Microsoft SQL Server version 7.0, as SQL Server 2000 requires the administrator to enter a password by default, so it's not vulnerable unless the administrator has used a blank password intentionally.

The worm is written in JavaScript and also includes several executable components and a batch file. Once it gets onto a system, it adds the guest account to the administrator group, giving the worm control of the system. It also changes the password of the SQL Server administrator so multiple infections won't occur.

Since Monday, the SQL worm has hammered parts of the Internet with a sharp increase in scans for vulnerable servers. For example, Tuesday's 6,600 infected servers sent almost 600,00 individual scans at nearly 83,000 targets, according to data from the Internet Storm Center's Incidents.org site.
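Because the worm sweeps large numbers of hosts looking for SQL Server logins, its activity stands out in perimeter logs as one source touching many distinct destinations in a short time. The following is an added example, not part of the CNET article and not a tool from SANS, Incidents.org or SecurityFocus. It assumes a simple constructed firewall-log format and that the scans target TCP 1433, SQL Server's default listener port; the source addresses, destinations and threshold values are all made up for the demonstration. It flags a source that hits many distinct targets on that port within a five-minute window while leaving a busy but legitimate application server, which talks to a single database, unflagged.

```python
"""Detect worm-style SQL Server scanning in firewall logs.

Added example (not from the CNET article). Assumptions: log lines look like
"<ISO timestamp> <src> -> <dst>:<port> <action>" (a constructed format), and
the worm probes TCP 1433, SQL Server's default listener port.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SQL_PORT = 1433                  # assumption: scans target SQL Server's default port
WINDOW = timedelta(minutes=5)    # burst window to examine per source
MIN_TARGETS = 20                 # distinct destinations in one window before flagging

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<action>\w+)$"
)


def parse_line(line):
    """Parse one constructed-format log line; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
        "action": m["action"],
    }


def max_distinct_targets(events, window):
    """Largest number of distinct destinations one source touched within any window."""
    events = sorted(events, key=lambda e: e["ts"])
    best = 0
    for i, start in enumerate(events):
        seen = set()
        for e in events[i:]:
            if e["ts"] - start["ts"] > window:
                break
            seen.add(e["dst"])
        best = max(best, len(seen))
    return best


def find_scanners(lines, port=SQL_PORT, window=WINDOW, min_targets=MIN_TARGETS):
    """Return {source: distinct_targets} for sources sweeping `port` worm-style.

    Volume alone is not the signal: a legitimate client may open many
    connections to one database. Breadth (distinct targets per window) is.
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["port"] == port:
            by_src[ev["src"]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        n = max_distinct_targets(evs, window)
        if n >= min_targets:
            flagged[src] = n
    return flagged


def build_sample_log():
    """Constructed sample log lines (not real traffic)."""
    base = datetime(2002, 5, 22, 10, 0, 0)
    lines = []
    # Scanner: one source sweeps 40 hosts in the same /24 within 40 seconds.
    for i in range(40):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 192.0.2.10 -> 198.51.100.{i + 1}:1433 DROP")
    # Legitimate app server: 60 connections to a single database over an hour.
    for i in range(60):
        t = base + timedelta(minutes=i)
        lines.append(f"{t.isoformat()} 192.0.2.20 -> 198.51.100.200:1433 ALLOW")
    # Slow trickle: 25 targets spread over two hours, never 20 in one window.
    for i in range(25):
        t = base + timedelta(minutes=5 * i)
        lines.append(f"{t.isoformat()} 192.0.2.30 -> 198.51.100.{i + 50}:1433 DROP")
    # Unrelated traffic on another port is ignored.
    lines.append(f"{base.isoformat()} 192.0.2.40 -> 198.51.100.5:80 ALLOW")
    return lines


if __name__ == "__main__":
    for src, n in sorted(find_scanners(build_sample_log()).items()):
        print(f"{src}: {n} distinct SQL Server targets within {WINDOW}")
```

The threshold and window are deliberately crude; in practice they would be tuned against a baseline of normal traffic, and the same breadth-per-window logic applies to any port a worm sweeps, not just 1433.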

Elias Levy, chief technology officer for vulnerability information company SecurityFocus, believes the worm hasn't yet peaked.

"The thing is fairly stable and doesn't show signs of leveling off quite yet," Levy said. SecurityFocus has detected nearly 3,500 infected servers, with 60 to 80 new victims found every hour.